This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 80%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
We need to sign a UWP app for sideloading. Previously we have used a local certificate on our build machine and the build property:
<PackageCertificateThumbprint>XXXX</PackageCertificateThumbprint>
(This is configured in the .appxmanifest file for our UWP application and is currently used during the msbuild step.)
However the approach with the Azure Devops Trusted Signing task seems to be to use the azure pipelines task after the build has finished.
The problem is that our build won't complete without already having the matching certificate installed.
Please can you let me know the approach for integrating a Trusted Signing certificate with our UWP app?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Kevin , thanks for your post! We are looking into this and will get back to you shortly.
I've reached out to a colleague on the Trusted Signing team to confirm about this scenario. I will update this thread as I receive more information.
I've managed to sign and deploy the app now, with 2 remaining issues:
AppPackages folder is created during the build).
Thanks for sharing and glad you were able to sign the app! The guidelines are to follow this doc to integrate with Trusted Signing to sign UWP app in the build pipeline. https://video2.skills-academy.com/en-us/azure/trusted-signing/how-to-signing-integrations
If you need to install the signing cert in the build machine, you can retrieve the certificate from the signed file. I'm looking into your question about certificate validity now.
Hi @Kevin
Addressing your follow-up questions from the comments:
- Previously an index.html file was produced which manages the .appinstaller and other links (such as to the msixbundle directly). This index.html file also links to the .cer file, which is no longer present (as Trusted Signing happens in the pipeline after the
AppPackagesfolder is created during the build).
A: When signing msixbundle with Trusted Signing, there is no need to have an extra .cer file. Just make sure the Publisher value in the AppxManifest.xml matches with the Subject name in the certificate profile.
A: As long as you call the timestamping, the msixbundle will remain valid, and you can install it.
Please refer to this link to set up the signing command with timestamping: https://video2.skills-academy.com/en-us/azure/trusted-signing/how-to-signing-integrations#use-signtool-to-sign-a-file
If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.
Thank you, yes I've confirmed that there are no issues installing the app after this time window, because it was signed/timestamped within the window.
The only remaining issue I have is why the VisualStudio-generated index.html file for the package still makes reference to a non-existent .cer file.
It would be great if the build of the .msixbundle and .appinstaller could be instructed not to add a link for the publisher certificate, as that no longer exists.
This might be an issue for the team that works on the msbuild for UWP projects - is there an appropriate place to raise this?