May 01 2021 06:45 AM
I'm using VS to create an .msix package which is then uploaded to an installation location for clients to sideload. This is a LOB deployment that does not use Windows Store. Currently I sign with a .pfx certificate. I like this deployment because VS keeps the package versions nicely organized and the client gets all the updates automatically.
I want to update my code signing strategy to EV which uses a token USB key and signtool. However, I don't see a way to sign with EV within VS as a part of the "publish" function. So, I may need to publish the package unsigned and then sign the package prior to copying to installation location. I don't want to break the versioning stored within the .appackage file.
This seems like a complicated workflow. Is there a better way? Stick with .pfx signing?
May 07 2021 03:53 PM
We do not currently support EV signing in the UWP/WapProj packaging wizard. Like you said, the only solution I can think of would be to package the application unsigned and then to sign it in some post-build step. Would you mind clarifying how this solution would "...break the versioning stored within the .appackage file."?
Thank you for your feedback. I will look into developing a solution that fits your needs.
May 08 2021 08:07 AM
Within the .appinstaller file is a <MainBundle class with, among other properties, a Publisher property. It appears that the Publisher information is lifted from the signing certificate. So I assume, if there's no signing until after the package is created, I may need to create this manually in the manifest.
The version appears to remain correctly incremented.
I need to figure out the workflow if I am to use an EV signature external to VS. There is a pause in the VS wizard after creation of the package where VS asks to "Copy and Close" (copy the package to the installation folder). I guess I could use signtool at this point and then complete publication by clicking the "Copy and Close" button. That could work (but an expensive experiment if it fails). Do I need to sign both the .appinstaller and .msixbundle files or just the .msixbundle file?
Also, if I use the .pfx technique, a certificate is included in the installation folder after "Copy and Close". No such certificate is included if I don't sign while creating the app package. If I then sign with an EV, I don't know if a certificate is added to the folder or if it's needed for successful publication.
So, I'm not really sure if pursuing the EV technology is worthwhile at this point.
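The post-build signing step discussed in this thread, written out as an added example (not code from the thread or from Microsoft): it signs the .msixbundle with signtool using the token-backed EV certificate selected by thumbprint, and first checks that the Publisher VS wrote into the .appinstaller's MainBundle element equals the certificate subject, since a mismatch makes the install fail. The paths, the thumbprint and the timestamp URL are placeholders; the script assumes signtool.exe is on PATH and that the token's CSP exposes the EV certificate in the CurrentUser\My store, and it signs only the bundle, leaving the .appinstaller XML untouched.

```powershell
# Added example for the thread above, not the original poster's or Microsoft's code.
# Placeholders: $BundlePath, $AppInstallerPath, $Thumbprint, $TimestampUrl.
param(
    [string]$BundlePath       = 'C:\publish\MyApp_1.0.0.0_x64.msixbundle',  # placeholder
    [string]$AppInstallerPath = 'C:\publish\MyApp.appinstaller',            # placeholder
    [string]$Thumbprint       = '<EV-CERT-THUMBPRINT>',                     # placeholder
    [string]$TimestampUrl     = 'http://<your-CA-timestamp-server>'         # placeholder
)
$ErrorActionPreference = 'Stop'

# 1. Locate the EV certificate; the USB token's CSP publishes it in the user store,
#    so the private key never leaves the token.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "EV certificate $Thumbprint not found in CurrentUser\My (is the token plugged in?)"
}

# 2. The Publisher that VS wrote into the .appinstaller (MainBundle element) must be the
#    certificate subject string, otherwise Windows rejects the package at install time.
[xml]$appInstaller = Get-Content -Path $AppInstallerPath -Raw
$publisher = $appInstaller.AppInstaller.MainBundle.Publisher
if ($publisher -ne $cert.Subject) {
    throw "Publisher mismatch: .appinstaller says '$publisher', certificate subject is '$($cert.Subject)'"
}

# 3. Sign the bundle: /sha1 picks the cert by thumbprint, /fd SHA256 is the file digest,
#    /tr + /td add an RFC 3161 timestamp so the signature stays valid after the cert expires.
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 $BundlePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify the chain with the default authenticode policy before the bundle is copied
#    to the installation share that clients sideload from.
& signtool.exe verify /pa /v $BundlePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Run it at the point where the VS wizard pauses before "Copy and Close", so the bundle that gets copied is the signed one; the subject comparison is an exact string match, so the RDN order in the manifest must follow the certificate.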