MSIX - The MSIX Packaging Tool - signing the MSIX package

So, as we noticed a certificate is needed to sign the MSIX package.

Especially for those with a history in packaging, signing an AppX/MSIX-package could potentially be the first time you're ever faced with the requirement. So….

Why should we sign packages?

Signing code or binaries nowadays is common practice. Starting with executables, drivers and scripts code signing ensures source, integrity and alignment with release processes of the given code. Starting with Microsoft Store this was introduced into Windows as a requirement to deploy AppX successfully.

Beside the use in production environments, during package creation and testing there are possibilities to bypass this requirement.

We have 2.5   options:

  • Set up a CA in our test environment, and request a code signing certificate. All MSIX packages signed with this certificate can be installed on all computers in our environment (since they trust that CA)

How to configure the PKI for code signing certificates:

https://blogs.technet.microsoft.com/deploymentguys/2013/06/14/signing-windows-8-applications-using-an-internal-pki/
Since we got no test environment set up whatsoever, that would be the 0.5 option

What to do when

Focusing on AppX/MSIX there are four major scenarios present with different possibilities:

  • Packaging

During packaging Codesigning can be bypassed via the Developer-Mode in Windows 10.

https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development

  • Testing

Developer-Mode will not help during package testing. Best would be to Test-Sign the package internally with your own PKI infrastructure or a Self-Signed Certificate:

  • Private Deployment

Private Deployment means deployment only on company owned and managed devices. In this case code signing using your PKI infrastructure is perfectly fine and the most stable implementation.

  • Public Deployment

Having a public deployment on an AppX/MSIX package most likely means uploading it to Microsoft Store. Only once you need to create a developer account for your company, which will give you access to the required upload area. During the process of final package checks the package will automatically get signed and all Windows 10 Clients will trust the resulting package.

 

Ingmar Oosterhoff, Johannes Freundorfer and Matthias Herfurth