MSIX – The MSIX Packaging Tool – signing the MSIX package

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on Sep 06, 2018
So, as we noticed a certificate is needed to sign the MSIX package.

Especially for those with a history in packaging, signing an AppX/MSIX-package could potentially be the first time you're ever faced with the requirement. So….

Why should we sign packages?

Signing code or binaries nowadays is common practice. Starting with executables, drivers and scripts code signing ensures source, integrity and alignment with release processes of the given code. Starting with Microsoft Store this was introduced into Windows as a requirement to deploy AppX successfully.

Beside the use in production environments, during package creation and testing there are possibilities to bypass this requirement.

We have 2.5   options:

• Set up a CA in our test environment, and request a code signing certificate. All MSIX packages signed with this certificate can be installed on all computers in our environment (since they trust that CA)

How to configure the PKI for code signing certificates:

https://blogs.technet.microsoft.com/deploymentguys/2013/06/14/signing-windows-8-applications-using-an-internal-pki/
Since we got no test environment set up whatsoever, that would be the 0.5 option

• Request a Code Signing certificate from a 3rd party, like for example over at Digicert


• Create a Self signed certificate.
  


• The instructions on https://docs.microsoft.com/en-us/windows/uwp/packaging/create-certificate-package-signing makes this very easy.


• Export the certificate from the certificate store and sign your packages with the certificate, and place the certificate in the trusted root of the machine on which you’re going to install the MSIX package.

What to do when

Focusing on AppX/MSIX there are four major scenarios present with different possibilities:

• Packaging

During packaging Codesigning can be bypassed via the Developer-Mode in Windows 10.

https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development

• Testing

Developer-Mode will not help during package testing. Best would be to Test-Sign the package internally with your own PKI infrastructure or a Self-Signed Certificate:

• Private Deployment

Private Deployment means deployment only on company owned and managed devices. In this case code signing using your PKI infrastructure is perfectly fine and the most stable implementation.

• Public Deployment

Having a public deployment on an AppX/MSIX package most likely means uploading it to Microsoft Store. Only once you need to create a developer account for your company, which will give you access to the required upload area. During the process of final package checks the package will automatically get signed and all Windows 10 Clients will trust the resulting package.



Ingmar Oosterhoff, Johannes Freundorfer and Matthias Herfurth