Menu Close

How to sign MSIX packages?

Signing MSIX packages is something which is a new challenge for packages coming from classic packaging world, including Windows Installer. Basically, abstracting technicalities out of it, the following points must be considered:

  1. Basically, every package must be signed.
    • This does not only cover production, but also test packages.
    • Except of using a concept of developer registration, it is not possible to turn this off and install MSIX packages even for testing or just playing with the technology.
  2. The certificate must be digitally trusted on the target device (where the package will be installed)
  3. There is a strong dependency between the certificate used for signing and the package content. You cannot use just any certificate – for the signing to work, the certificate subject must be 100% the same as the publisher name defined in the MSIX manifest.
    • This means, that if an MSIX package can be signed with a certificate A, it will not work with ceritificate B with a different subject name. Before signing, it may be required to update the manifest, knowing the certificate properties upfront.
    • This is not quite what EXE or MSI signing is like, where any code-signing certificate works with any file supporting digitial signatures.

This guide is just a quick walkthrough of signing with MSIX Hero. It does not try to explain the pretty complex theory of digital signing.

Prerequisites

In order to sign a package, you have to prepare the following:

  • The package itself, already in MSIX format. You can use MSIX Hero to convert from a folder, or MSIX Packaging Tool or any other commercial tool to get an MSIX file.
  • The digital certificate. It can be:
    • in a form of a .pfx file, which contains both public and private keys required for signing. If this is the case, you will also need a matching password.
    • a certificate imported to the Personal store (for example utilizing hardware cryptography module)
    • An account which has a role Device Guard signer, in which case the files are signed by a dedicated feature of Device Guard.
  • The timestamp server. Time stamp is used to ensure that the package was signed using a valid certificate at the time of timestamping. This way, even if the original certificate is already expired, packages signed by it are still visible as signed and their content is still trusted. Providing a time stamp server is optional (albeit highly recommended).

Getting the certificate

For newcomers in MSIX world, usually the second requirement is the most difficult. While many enterprises have already a proper infrastucture in place, the access to private key for many may be questionable. Similarly, for environments where code-signing is not a practise, this paradigm may be initially overwhelming.

For testing, troubleshooting and learning, we may go for another path, called self-signing. Self-signing is a process of creating a new certificate from scratch from otherwise untrusted authority (you). Since such certificate is not trusted by any recognized authority, it must be manually imported on each device that needs to trust it.

If your enterprise is relying on self-signed certificates, the certificates will be distributed by a managed solution (deployment system), and you will never import them manually.

MSIX Hero can help you with both creating and importing a certificate:

  1. To create a new self-signed certificate, open Certificates ribbon and select Create self-signed. Provide a few details, and your first certificate will be ready.
  2. To import the certificate, either double click the file, or use another button Install certificate… from the same ribbon.

Signing

To sign a package, press Sign package… button which is located in the Edit ribbon. MSIX Hero will ask for a source package, which you can do immediately or later.

In the new dialog, there is going to be a set of options available:

  • The Packages tab should already have a single package that you have just selected. You can go there and add more packages (for bulk signing).
  • The Certificate tab is the place where you select the certificate that will be used for signing. You can either select a .pfx file (see previous chapter if you do not have one yet), or select a certificate which is installed together with a private key on the current machine (pictured above).
  • The Adjustments tab, where some extra adjustments may be defined. You can opt-in for a version adjustment, by increasing the major, minor, revision or the build component.

If required, provide a password. You should also specify the timestamp server (use default value if not sure about it).

Once all information are there, press Update selected packages to start signing. When using hardware cryptography with PIN, a PIN window may be shown prompting you to enter it. Once the process is finished, you will see a confirmation message.

The package is now saved, and its manifest has been updated accordingly.

Next steps

  • Import certificate (with only publish key information) on a target device (this can be done manually, or again with a help of MSIX Hero),
  • Install the package with PowerShell, App installer or MSIX Hero.

Automating the process

Starting from version 1.0, MSIX Hero has a command line interface which can be used to perform all these steps without UI (for example for continuous integration or automation purposes). There is a dedicated article available, which explains how to use the command line for these tasks:

Device Guard

MSIX Hero 1.5.0 can sign packages with Device Guard Signing Service. According to Microsoft:

Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It enables enterprises to guarantee that every app comes from a trusted source

https://docs.microsoft.com/

There is a separate article which describes how to configure and use this feature: