MSIX doesn't obtain trusted root certificate automatically

Hello,

our client has purchased a code signing certificate from a trusted root CA (GLOBALTRUST). The certificate is valid, and Windows 10 also automatically recognizes the trusted root CA and installs (downloads) the appropriate root certificate automatically as soon as I view the certificate details.

But when trying to install an MSIX package with this certificate on a fresh Win 10 machine, Windows fails to automatically download the root certificate and hence won't allow end users to install the package.

Is this a missing implementation in MSIX or are there some additional settings for the app package / MSIX to avoid this problem?

thx and br,

Martin

3 Replies

@Martin82 1 - When trying to install the MSIX does the client see that the installer was signed with this certificate that they purchased and a check mark?

@John_Cote: No, unfortunately it only shows "Untrusted App" and the "x" mark when trying to install the MSIX. But as soon as the certificate is viewed in Windows (without installing), the same MSIX file changes to "Trusted App" and the user can install the software.

@Martin82
It sounds like the certificate is just staying in memory after opening and passing the installer's check incorrectly.

The package has to be signed with the certificate, which it seems like it is, and that certificate also has to be installed into the Trusted Root before installing the MSIX package. This can be done via the client's Group Policy in Active Directory, manually, or via some other installation method. I don't believe there's a way to get the MSIX itself to install the certificate it is signed with into the trusted root directly; it just doesn't have the low-level access required to do so, by design.

MSIX packages installed via the Microsoft Store, for example, are signed by Microsoft, and the certificate is already on the machine prior to downloading the MSIX from the Microsoft Store.


https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview
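
A diagnostic for the situation discussed in this thread, added here as an example and not posted by any participant: it reports whether the root that an MSIX signer chains to was already in the machine's root stores before anything validated the signature. The function name `Test-MsixRootTrust` and its `-PackagePath` parameter are hypothetical, and it assumes `Get-AuthenticodeSignature` can read the MSIX signature on the machine where it runs.

```powershell
# Added example (not from the thread). Test-MsixRootTrust and -PackagePath are
# hypothetical names; assumes Get-AuthenticodeSignature can read the MSIX signature.
function Test-MsixRootTrust {
    param([Parameter(Mandatory)][string]$PackagePath)

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'

    # Snapshot the root stores first: signature and chain validation can
    # themselves pull a root in through Windows' automatic root update.
    $before = Get-ChildItem -Path $stores | ForEach-Object Thumbprint | Sort-Object -Unique

    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if (-not $sig.SignerCertificate) {
        throw "No signer certificate in $PackagePath (status: $($sig.Status))"
    }

    # Build the chain only to find its top element; revocation is not the question here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($sig.SignerCertificate)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $after = Get-ChildItem -Path $stores | ForEach-Object Thumbprint | Sort-Object -Unique

    [pscustomobject]@{
        Package         = $PackagePath
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        ChainTop        = $top.Subject
        # False means the chain stopped at an intermediate (root not found at all).
        ChainTopIsRoot  = ($top.Subject -eq $top.Issuer)
        RootThumbprint  = $top.Thumbprint
        TrustedBefore   = ($before -contains $top.Thumbprint)
        TrustedAfter    = ($after -contains $top.Thumbprint)
    }
}

# Usage (constructed file name): Test-MsixRootTrust -PackagePath .\App.msix
```

`TrustedBefore = False` on a fresh machine means the root has to be deployed ahead of the install, by Group Policy or another method as the reply above says. `TrustedBefore = False` together with `TrustedAfter = True` means validation itself fetched the root during the check.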