Introduction to code signing
All Windows 10 packages must be digitally signed so that they can be deployed. The process of signing requires, that the user is in the possession of a valid code signing certificate.
Certificates for code signing are certificate with a specific purpose, which are used to ensure that the content (in unchanged form) comes from a developer or an entity who posses the matching, non-public key. To ensure that the publisher or publishing authority should be trusted, the certificate must be trusted. By default, Windows 10 trusts certificates from most of the certificate authorities that provide code signing certificates.
Code signing certificates are not free, and require extended validation of the certificate authority. This is why for test and demo purposes usually self-signed certificates are used. Self-signed certificates can be created by anyone, and as long as they are trusted on a give computer, the software signed with them can be installed and will be trusted exactly as the one with a production certificate.
MSIX Hero can automate both activities:
- It can create own certificates
- It can configure your system to trust them
Both steps are fully required in order to work with MSIX.
Any public version of MSIX Hero has this functionality onboard.
Creating a certificate
Head to Certificate ribbon, and click Create self-signed…
This opens a dialog, where some basic values are required:
- Publisher friendly name
This is the name that will appear to the end user. It may contain special and accent characters. The value is required.
- Publisher name
This is a distinguished name of the publisher. It must be a valid DN string (for example CN=MyName). It is important, that the certificate publisher name and the MSIX package name must be equal in order to sign the package with a specific certificate. If you sign MSIX packages with MSIX Hero, the program will automatically take over the value of the publisher name from your certificate and write it as a publisher of MSIX packages.
A password used for signing. The password has to be provided later on for each signed package.
- Output path
The folder where the files will be saved.
Once everything is ready, press Generate certificate. After a few seconds, a confirmation will be shown:
You can open the folder where the data is saved (the first link) or import the certificate to the Personal store (per-machine). Note: UAC dialog will be shown, as this operation requires extra permissions.
You can still sign your packages even if the certificate is not imported to the store, but you will not be able to install any signed app if its publisher is not trusted.
The content that will be created for you consists of three files:
- Certificate file (.cer)
The certificate file – this file can be made publicly available, and is used to import the package to a trusted store – a process of making the Publisher “trusted”.
- Password protected certificate (.pfx)
A container that contains both the public and private part. This file should be kept secret. You can import it to the certificate store to be able to sign with it, or use it directly during signing. Anyone in the possession of a PFX file and matching password can sign with the associated key.
- Open-text password (.pwd)
A small text file with open-text password. This file is created for your convenience, you should remove this file or keep it private.
Trusting the publisher
To trust a publisher, you need a certificate file (.cer), for example the one created in the previous step. In the Certificates ribbon, click Install certificate…:
You will be asked to select a
.cer file. Once this is done, an UAC dialog may be shown, as the operation requires special permissions. After a few seconds, the certificate should be imported:
With MSIX Hero, it is easy to create an own trusted certificate and use it for package signing. You can also import any
.cer file and mark it as trusted, which is a great option for testing and learning of MSIX-related stuff.