Tech Community Live: Windows edition
Jun 05 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

using MSIX Hero to sign a package - finding an installed certificate in the drop-down list

Copper Contributor

Green doesn't begin to describe my experience with MSIX deployments.  I managed to install the MSIX Hero application and pack a directory into a .MSIX file.  Now I am trying to sign the package using the UI.  There is a drop-down for selecting an installed certificate but have no idea how it is populated.  I can see the certificate I want in the "Trusted People" store, but am not sure how to find it in the drop down list.  Is there any way to filter or search through the many items in the list?  Or am I missing something?

2 Replies

@dhillmanOIT MSIX Hero is a third party app and you should consult their documentation.

 

But in general, most products allowing you to select the code signing certificate for MSIX from the currently installed certificates are looking at the same store as would be required for the app to be installed, namely the System certificate store Trusted Root Certificates.

@dhillmanOITIf you are serious, you should try testing it with your own self-signed certificate first ( using OpenSSL 3.x or another tool built into Windows. ) Later on you could use a free certificate authority ( for code / script signing, ) or a post-paid option. I edited this in a very basic way, but it should work, given I have similar scripts for generating other self-signed certs. You'd probably have to compile OpenSSL yourself, use MYSYS2 / Cygwin, or a built-in tool that comes with Windows on this list:

Methods of signing scripts -> https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing#methods-of-signing-scripts
Create a certificate for package signing -> https://docs.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing
How to: Sign application and deployment manifests -> https://docs.microsoft.com/en-us/visualstudio/ide/how-to-sign-application-and-deployment-manifests
Personal Information Exchange (.pfx) Files -> https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files
Pvk2Pfx -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx
Sign the app package -> https://docs.microsoft.com/en-us/windows/msix/package/sign-app-package-using-signtool
Sign an MSIX package with Device Guard signing -> https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing

openssl-x509 -> https://www.openssl.org/docs/man3.0/man1/openssl-x509.html

Cape_Of_Our_Penguin_Hero.txt = 4096 characters (4-bit hex, no whitespaces, no dash, etc)
Penguins_Toilet_Seat_Wheels_Always_Burn_Rubber.txt = 521 characters (4-bit hex, no whitespaces, no dash, etc)

Generate EC_secp521r1 -> 

Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Hidden Duck State
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Duck Watermelon Disguise Division
Common Name (e.g. server FQDN or YOUR name) []:Double Rainbow Magpie Abacus

1.) openssl genpkey -genparam -algorithm EC -out EC_521_Param.pem -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve
2.) openssl ecparam -noout -in EC_521_Param.pem -rand Penguins_Toilet_Seat_Wheels_Always_Burn_Rubber.txt -genkey -out EC_521_Key.pem
3.) openssl req -nodes -x509 -SHA512 -days 22646 -newkey EC:EC_521_Param.pem -key EC_521_Key.pem -out EC_521_Cert.pem
4.) openssl x509 -outform der -in EC_521_Cert.pem -out EC_521_Cert.crt

Generate RSA_4096 -> 

Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Barking Red Squirrel State
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fluffback Ruffler Squirrels Anonymous
Common Name (e.g. server FQDN or YOUR name) []:Maximum Penguin Sock Gliding

1.) openssl genrsa -rand Cape_Of_Our_Penguin_Hero.txt -out RSA_4096_Key.pem -primes 3 4096
2.) openssl req -nodes -x509 -SHA512 -days 22646 -newkey RSA:4096 -key RSA_4096_Key.pem -out RSA_4096_Cert.pem
3.) openssl x509 -outform der -in RSA_4096_Cert.pem -out RSA_4096_Cert.crt

openssl-pkcs12 -> https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html

"This command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook."

openssl pkcs12 -export -in RSA_4096_Cert.pem -inkey RSA_4096_Key.pem -out RSA_4096_Cert.pfx
openssl pkcs12 -export -in EC_521_Cert.pem -inkey EC_521_Key.pem -out EC_521_Cert.pfx

Another big list from OpenSSL 1_1_1x, just to show you some basic options you have available. The examples I have listed above are still considered secure, but it the limitation is that it's a self-signed certificate for testing. You could look up all the ciphers in this list on the NIST website, and figure out quite quickly which ones are obsolete based on your particular use-case scenario:

# openssl enc -list

-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr
-aes-192-ecb               -aes-192-ofb               -aes-256-cbc
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8
-aes-256-ctr               -aes-256-ecb               -aes-256-ofb
-aes128                    -aes128-wrap               -aes192
-aes192-wrap               -aes256                    -aes256-wrap
-aria-128-cbc              -aria-128-cfb              -aria-128-cfb1
-aria-128-cfb8             -aria-128-ctr              -aria-128-ecb
-aria-128-ofb              -aria-192-cbc              -aria-192-cfb
-aria-192-cfb1             -aria-192-cfb8             -aria-192-ctr
-aria-192-ecb              -aria-192-ofb              -aria-256-cbc
-aria-256-cfb              -aria-256-cfb1             -aria-256-cfb8
-aria-256-ctr              -aria-256-ecb              -aria-256-ofb
-aria128                   -aria192                   -aria256
-bf                        -bf-cbc                    -bf-cfb
-bf-ecb                    -bf-ofb                    -blowfish
-camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1
-camellia-128-cfb8         -camellia-128-ctr          -camellia-128-ecb
-camellia-128-ofb          -camellia-192-cbc          -camellia-192-cfb
-camellia-192-cfb1         -camellia-192-cfb8         -camellia-192-ctr
-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc
-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8
-camellia-256-ctr          -camellia-256-ecb          -camellia-256-ofb
-camellia128               -camellia192               -camellia256
-cast                      -cast-cbc                  -cast5-cbc
-cast5-cfb                 -cast5-ecb                 -cast5-ofb
-chacha20                  -des                       -des-cbc
-des-cfb                   -des-cfb1                  -des-cfb8
-des-ecb                   -des-ede                   -des-ede-cbc
-des-ede-cfb               -des-ede-ecb               -des-ede-ofb
-des-ede3                  -des-ede3-cbc              -des-ede3-cfb
-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ecb
-des-ede3-ofb              -des-ofb                   -des3
-des3-wrap                 -desx                      -desx-cbc
-id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap
-id-aes192-wrap-pad        -id-aes256-wrap            -id-aes256-wrap-pad
-id-smime-alg-CMS3DESwrap  -rc2                       -rc2-128
-rc2-40                    -rc2-40-cbc                -rc2-64
-rc2-64-cbc                -rc2-cbc                   -rc2-cfb
-rc2-ecb                   -rc2-ofb                   -rc4
-rc4-40                    -seed                      -seed-cbc
-seed-cfb                  -seed-ecb                  -seed-ofb
-sm4                       -sm4-cbc                   -sm4-cfb
-sm4-ctr                   -sm4-ecb                   -sm4-ofb

# openssl list -1 -cipher-algorithms

AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CBC-HMAC-SHA256
id-aes128-CCM
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
AES-128-ECB
id-aes128-GCM
AES-128-OCB
AES-128-OFB
AES-128-XTS
AES-192-CBC
id-aes192-CCM
AES-192-CFB
AES-192-CFB1
AES-192-CFB8
AES-192-CTR
AES-192-ECB
id-aes192-GCM
AES-192-OCB
AES-192-OFB
AES-256-CBC
AES-256-CBC-HMAC-SHA1
AES-256-CBC-HMAC-SHA256
id-aes256-CCM
AES-256-CFB
AES-256-CFB1
AES-256-CFB8
AES-256-CTR
AES-256-ECB
id-aes256-GCM
AES-256-OCB
AES-256-OFB
AES-256-XTS
aes128 => AES-128-CBC
aes128-wrap => id-aes128-wrap
aes192 => AES-192-CBC
aes192-wrap => id-aes192-wrap
aes256 => AES-256-CBC
aes256-wrap => id-aes256-wrap
ARIA-128-CBC
ARIA-128-CCM
ARIA-128-CFB
ARIA-128-CFB1
ARIA-128-CFB8
ARIA-128-CTR
ARIA-128-ECB
ARIA-128-GCM
ARIA-128-OFB
ARIA-192-CBC
ARIA-192-CCM
ARIA-192-CFB
ARIA-192-CFB1
ARIA-192-CFB8
ARIA-192-CTR
ARIA-192-ECB
ARIA-192-GCM
ARIA-192-OFB
ARIA-256-CBC
ARIA-256-CCM
ARIA-256-CFB
ARIA-256-CFB1
ARIA-256-CFB8
ARIA-256-CTR
ARIA-256-ECB
ARIA-256-GCM
ARIA-256-OFB
aria128 => ARIA-128-CBC
aria192 => ARIA-192-CBC
aria256 => ARIA-256-CBC
bf => BF-CBC
BF-CBC
BF-CFB
BF-ECB
BF-OFB
blowfish => BF-CBC
CAMELLIA-128-CBC
CAMELLIA-128-CFB
CAMELLIA-128-CFB1
CAMELLIA-128-CFB8
CAMELLIA-128-CTR
CAMELLIA-128-ECB
CAMELLIA-128-OFB
CAMELLIA-192-CBC
CAMELLIA-192-CFB
CAMELLIA-192-CFB1
CAMELLIA-192-CFB8
CAMELLIA-192-CTR
CAMELLIA-192-ECB
CAMELLIA-192-OFB
CAMELLIA-256-CBC
CAMELLIA-256-CFB
CAMELLIA-256-CFB1
CAMELLIA-256-CFB8
CAMELLIA-256-CTR
CAMELLIA-256-ECB
CAMELLIA-256-OFB
camellia128 => CAMELLIA-128-CBC
camellia192 => CAMELLIA-192-CBC
camellia256 => CAMELLIA-256-CBC
cast => CAST5-CBC
cast-cbc => CAST5-CBC
CAST5-CBC
CAST5-CFB
CAST5-ECB
CAST5-OFB
ChaCha20
ChaCha20-Poly1305
des => DES-CBC
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-ECB
DES-EDE
DES-EDE-CBC
DES-EDE-CFB
des-ede-ecb => DES-EDE
DES-EDE-OFB
DES-EDE3
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
des-ede3-ecb => DES-EDE3
DES-EDE3-OFB
DES-OFB
des3 => DES-EDE3-CBC
des3-wrap => id-smime-alg-CMS3DESwrap
desx => DESX-CBC
DESX-CBC
id-aes128-CCM
id-aes128-GCM
id-aes128-wrap
id-aes128-wrap-pad
id-aes192-CCM
id-aes192-GCM
id-aes192-wrap
id-aes192-wrap-pad
id-aes256-CCM
id-aes256-GCM
id-aes256-wrap
id-aes256-wrap-pad
id-smime-alg-CMS3DESwrap
rc2 => RC2-CBC
rc2-128 => RC2-CBC
rc2-40 => RC2-40-CBC
RC2-40-CBC
rc2-64 => RC2-64-CBC
RC2-64-CBC
RC2-CBC
RC2-CFB
RC2-ECB
RC2-OFB
RC4
RC4-40
RC4-HMAC-MD5
seed => SEED-CBC
SEED-CBC
SEED-CFB
SEED-ECB
SEED-OFB
sm4 => SM4-CBC
SM4-CBC
SM4-CFB
SM4-CTR
SM4-ECB
SM4-OFB

# openssl ecparam -list_curves

  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp112r2 : SECG curve over a 112 bit prime field
  secp128r1 : SECG curve over a 128 bit prime field
  secp128r2 : SECG curve over a 128 bit prime field
  secp160k1 : SECG curve over a 160 bit prime field
  secp160r1 : SECG curve over a 160 bit prime field
  secp160r2 : SECG/WTLS curve over a 160 bit prime field
  secp192k1 : SECG curve over a 192 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curve over a 239 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect113r1 : SECG curve over a 113 bit binary field
  sect113r2 : SECG curve over a 113 bit binary field
  sect131r1 : SECG/WTLS curve over a 131 bit binary field
  sect131r2 : SECG curve over a 131 bit binary field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  sect163r1 : SECG curve over a 163 bit binary field
  sect163r2 : NIST/SECG curve over a 163 bit binary field
  sect193r1 : SECG curve over a 193 bit binary field
  sect193r2 : SECG curve over a 193 bit binary field
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect239k1 : SECG curve over a 239 bit binary field
  sect283k1 : NIST/SECG curve over a 283 bit binary field
  sect283r1 : NIST/SECG curve over a 283 bit binary field
  sect409k1 : NIST/SECG curve over a 409 bit binary field
  sect409r1 : NIST/SECG curve over a 409 bit binary field
  sect571k1 : NIST/SECG curve over a 571 bit binary field
  sect571r1 : NIST/SECG curve over a 571 bit binary field
  c2pnb163v1: X9.62 curve over a 163 bit binary field
  c2pnb163v2: X9.62 curve over a 163 bit binary field
  c2pnb163v3: X9.62 curve over a 163 bit binary field
  c2pnb176v1: X9.62 curve over a 176 bit binary field
  c2tnb191v1: X9.62 curve over a 191 bit binary field
  c2tnb191v2: X9.62 curve over a 191 bit binary field
  c2tnb191v3: X9.62 curve over a 191 bit binary field
  c2pnb208w1: X9.62 curve over a 208 bit binary field
  c2tnb239v1: X9.62 curve over a 239 bit binary field
  c2tnb239v2: X9.62 curve over a 239 bit binary field
  c2tnb239v3: X9.62 curve over a 239 bit binary field
  c2pnb272w1: X9.62 curve over a 272 bit binary field
  c2pnb304w1: X9.62 curve over a 304 bit binary field
  c2tnb359v1: X9.62 curve over a 359 bit binary field
  c2pnb368w1: X9.62 curve over a 368 bit binary field
  c2tnb431r1: X9.62 curve over a 431 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
  Oakley-EC2N-3:
        IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  Oakley-EC2N-4:
        IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
  SM2       : SM2 curve over a 256 bit prime field

# openssl list -1 -digest-algorithms

RSA-MD4 => MD4
RSA-MD5 => MD5
RSA-MDC2 => MDC2
RSA-RIPEMD160 => RIPEMD160
RSA-SHA1 => SHA1
RSA-SHA1-2 => RSA-SHA1
RSA-SHA224 => SHA224
RSA-SHA256 => SHA256
RSA-SHA3-224 => SHA3-224
RSA-SHA3-256 => SHA3-256
RSA-SHA3-384 => SHA3-384
RSA-SHA3-512 => SHA3-512
RSA-SHA384 => SHA384
RSA-SHA512 => SHA512
RSA-SHA512/224 => SHA512-224
RSA-SHA512/256 => SHA512-256
RSA-SM3 => SM3
BLAKE2b512
BLAKE2s256
id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
MD4
md4WithRSAEncryption => MD4
MD5
MD5-SHA1
md5WithRSAEncryption => MD5
MDC2
mdc2WithRSA => MDC2
ripemd => RIPEMD160
RIPEMD160
ripemd160WithRSA => RIPEMD160
rmd160 => RIPEMD160
SHA1
sha1WithRSAEncryption => SHA1
SHA224
sha224WithRSAEncryption => SHA224
SHA256
sha256WithRSAEncryption => SHA256
SHA3-224
SHA3-256
SHA3-384
SHA3-512
SHA384
sha384WithRSAEncryption => SHA384
SHA512
SHA512-224
sha512-224WithRSAEncryption => SHA512-224
SHA512-256
sha512-256WithRSAEncryption => SHA512-256
sha512WithRSAEncryption => SHA512
SHAKE128
SHAKE256
SM3
sm3WithRSAEncryption => SM3
ssl3-md5 => MD5
ssl3-sha1 => SHA1
whirlpool

# openssl list -1 -public-key-algorithms

Name: OpenSSL RSA method
        Type: Builtin Algorithm
        OID: rsaEncryption
        PEM string: RSA
Name: rsa
        Alias for: rsaEncryption
Name: OpenSSL PKCS#3 DH method
        Type: Builtin Algorithm
        OID: dhKeyAgreement
        PEM string: DH
Name: dsaWithSHA
        Alias for: dsaEncryption
Name: dsaEncryption-old
        Alias for: dsaEncryption
Name: dsaWithSHA1-old
        Alias for: dsaEncryption
Name: dsaWithSHA1
        Alias for: dsaEncryption
Name: OpenSSL DSA method
        Type: Builtin Algorithm
        OID: dsaEncryption
        PEM string: DSA
Name: OpenSSL EC algorithm
        Type: Builtin Algorithm
        OID: id-ecPublicKey
        PEM string: EC
Name: OpenSSL HMAC method
        Type: Builtin Algorithm
        OID: hmac
        PEM string: HMAC
Name: OpenSSL CMAC method
        Type: Builtin Algorithm
        OID: cmac
        PEM string: CMAC
Name: OpenSSL RSA-PSS method
        Type: Builtin Algorithm
        OID: rsassaPss
        PEM string: RSA-PSS
Name: OpenSSL X9.42 DH method
        Type: Builtin Algorithm
        OID: X9.42 DH
        PEM string: X9.42 DH
Name: OpenSSL X25519 algorithm
        Type: Builtin Algorithm
        OID: X25519
        PEM string: X25519
Name: OpenSSL X448 algorithm
        Type: Builtin Algorithm
        OID: X448
        PEM string: X448
Name: OpenSSL POLY1305 method
        Type: Builtin Algorithm
        OID: poly1305
        PEM string: POLY1305
Name: OpenSSL SIPHASH method
        Type: Builtin Algorithm
        OID: siphash
        PEM string: SIPHASH
Name: OpenSSL ED25519 algorithm
        Type: Builtin Algorithm
        OID: ED25519
        PEM string: ED25519
Name: OpenSSL ED448 algorithm
        Type: Builtin Algorithm
        OID: ED448
        PEM string: ED448
Name: sm2
        Alias for: id-ecPublicKey

# openssl list -1 -public-key-methods

rsaEncryption
        Type: External Algorithm
dhKeyAgreement
        Type: Builtin Algorithm
dsaEncryption
        Type: External Algorithm
id-ecPublicKey
        Type: Builtin Algorithm
hmac
        Type: Builtin Algorithm
cmac
        Type: Builtin Algorithm
rsassaPss
        Type: External Algorithm
X9.42 DH
        Type: Builtin Algorithm
scrypt
        Type: Builtin Algorithm
tls1-prf
        Type: Builtin Algorithm
X25519
        Type: Builtin Algorithm
X448
        Type: Builtin Algorithm
hkdf
        Type: Builtin Algorithm
poly1305
        Type: Builtin Algorithm
siphash
        Type: Builtin Algorithm
ED25519
        Type: Builtin Algorithm
ED448
        Type: Builtin Algorithm
sm2
        Type: Builtin Algorithm