
Signing MSIX packages with Device Guard

MSIX Hero 1.5.0 can sign packages with the Device Guard Signing Service. According to Microsoft:

Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It enables enterprises to guarantee that every app comes from a trusted source.

https://docs.microsoft.com/

To use Device Guard Signing, make sure you are signed up for Microsoft Store for Business or Microsoft Store for Education. In the Microsoft Store for Business (or Microsoft Store for Education), assign yourself a role with the permissions necessary to perform Device Guard signing.

To configure the feature in MSIX Hero, visit the new section of the Signing tab in the Settings window:

Sign in using your Microsoft credentials by pressing the Sign in with Microsoft button.

MSIX Hero will perform a few checks to ensure that the user is allowed to sign.

Security considerations: Your login credentials are not stored anywhere. All communication, authentication and authorization is delegated to the Microsoft Authentication Library (MSAL). The tokens are not persisted anywhere once you are finished with signing.

Once authenticated, MSIX Hero checks if you are allowed to sign, and determines your publisher name. That’s it, you can now sign your packages.
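The publisher name determined in the last step matters because an MSIX package only installs when the Publisher attribute in its AppxManifest.xml equals the subject of the signing certificate. The following script is an added example, not MSIX Hero code, for checking a package against the publisher name reported after login before (or after) submitting it for signing. It assumes a standard MSIX layout (AppxManifest.xml at the archive root, AppxSignature.p7x present once signed); the sample package and the publisher string it builds are constructed for the demonstration, and the script does not validate the signature itself, which remains a job for signtool or Get-AuthenticodeSignature.

```python
"""
Post-signing sanity check for an MSIX package (added example, not MSIX Hero code).

Assumptions (not stated on the page):
  * the package is a regular MSIX zip with AppxManifest.xml at its root;
  * a signed package carries AppxSignature.p7x at its root;
  * the expected publisher string is the one MSIX Hero reported after login.
This script does NOT verify the signature blob; use signtool or
Get-AuthenticodeSignature for that.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass

MANIFEST_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"


@dataclass
class PackageCheck:
    name: str
    publisher: str
    has_signature_file: bool
    publisher_matches: bool

    @property
    def ok(self) -> bool:
        return self.has_signature_file and self.publisher_matches


def read_identity(msix_bytes: bytes) -> tuple[str, str, bool]:
    """Return (Name, Publisher, signature-file-present) from an MSIX archive."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AppxManifest.xml")
    root = ET.fromstring(manifest)
    identity = root.find(f"{{{MANIFEST_NS}}}Identity")
    if identity is None:
        raise ValueError("AppxManifest.xml has no Identity element")
    return (
        identity.get("Name", ""),
        identity.get("Publisher", ""),
        "AppxSignature.p7x" in names,
    )


def check_package(msix_bytes: bytes, expected_publisher: str) -> PackageCheck:
    """Compare the manifest Publisher with the publisher the signing service will use.

    MSIX requires the manifest Publisher to equal the signing certificate's
    subject, so a mismatch here means the signed package would fail to install.
    The comparison is exact (no DN normalisation) on purpose: that is the
    conservative reading of the requirement.
    """
    name, publisher, has_sig = read_identity(msix_bytes)
    return PackageCheck(
        name=name,
        publisher=publisher,
        has_signature_file=has_sig,
        publisher_matches=(publisher == expected_publisher),
    )


def build_sample_msix(publisher: str, signed: bool) -> bytes:
    """Constructed sample: a minimal MSIX-shaped zip for offline demonstration."""
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="{MANIFEST_NS}">
  <Identity Name="Contoso.SampleApp" Publisher="{publisher}" Version="1.0.0.0" />
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        if signed:
            # Placeholder bytes only; a real p7x is a PKCS#7 signature blob.
            zf.writestr("AppxSignature.p7x", b"PKCX-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed publisher string standing in for the name MSIX Hero reports.
    expected = "CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US"
    good = check_package(build_sample_msix(expected, signed=True), expected)
    bad = check_package(build_sample_msix("CN=Contoso", signed=False), expected)
    print("good:", good, "->", good.ok)
    print("bad: ", bad, "->", bad.ok)
```

Run it against a real package by replacing the constructed sample with `open("app.msix", "rb").read()` and the expected string with the publisher name shown in MSIX Hero; a `publisher_matches` of False is the cheapest place to catch the mismatch, well before the package is signed and pushed to machines where it would simply refuse to install.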

More information about Device Guard signing can be found here: https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing. Note that large parts of the official documentation do not apply to MSIX Hero, which does a lot of the heavy lifting under the hood and requires only a minimal one-time configuration.

At the time of writing, both version 1 and version 2 of the API are supported. Bear in mind that version 1 is going to be deprecated soon. Version 2 is used by default.

Automating the process

MSIX Hero has a command line interface which can be used to perform all of these steps without the UI (for example for continuous integration or other automation purposes). There is a dedicated article available which explains how to use the command line for these tasks: