MSIX Hero 1.5.0 – Device Guard Signing

A long-awaited feature – Device Guard Signing – has arrived in MSIX Hero 1.5.0. This and some further improvements are described below:

Sign packages with Device Guard Signing Service

MSIX Hero 1.5.0 can sign packages with Device Guard Signing Service. According to Microsoft:

Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It enables enterprises to guarantee that every app comes from a trusted source

To use Device Guard Signing, make sure you are signed up for Microsoft Store for Business or Microsoft Store for Education. In the Microsoft Store for Business (or Microsoft Store for Education), assign yourself a role with the permissions necessary to perform Device Guard signing.

To configure the feature in MSIX Hero, visit the new section of the Signing tab in the Settings window:

Sign in using your Microsoft credentials by pressing the Sign in with Microsoft button.

Once you are authenticated, MSIX Hero checks whether you are allowed to sign, and also determines your publisher name (the certificate subject used for signing).

That’s it, you can now sign your packages.

Security considerations: Your login credentials are not stored anywhere. Authentication and authorization are delegated to the Microsoft Authentication Library. If you decide to configure Device Guard as the default MSIX Hero signing method, a stateless token and your desired publisher name will be saved in your profile, in an encrypted form. This token does not contain your user name or password (encrypted or not), but it is sufficient to sign without asking for credentials each time.

More information about Device Guard signing can be found here: Note that large parts of the official documentation do not apply to MSIX Hero, which does a lot of the heavy lifting under the hood and requires only a minimal one-time configuration.

At the time of writing, both version 1 and version 2 of the API are supported. Bear in mind that the first version is going to be deprecated soon. Version 2 is used by default.

Command line signing with Device Guard

MSIXHeroCLI.exe can also sign with Device Guard. This works in one of three ways:

  • The user uses the default settings from the current configuration (the log-in is performed once from the UI, subsequent signings are “silent”).
  • The user triggers signing and interactively provides the required credentials.
  • The user performs a signing by specifying the path to the authorization token (JSON). It is up to the user to create and maintain the token file.

All these options are described in detail in the documentation: Signing an MSIX package (sign).

Disable automatic publisher updates

The CLI verb sign now has an extra parameter --noPublisherUpdate which – when present – prevents MSIX Hero from manually adjusting publisher names based on the certificate subject. In this case, an error will be returned if the certificate subject does not match the publisher name. Omitting the parameter (recommended) will ensure that the values are always in sync.

The setting is now also present in the UI.
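
The mismatch that --noPublisherUpdate turns into an error can be checked before a package is handed to signing. The following is an added example, not code from MSIX Hero: it reads the Publisher attribute from AppxManifest.xml inside the package and compares it with the expected certificate subject. The function names, the sample package and the subject strings are constructed for illustration, and the exact string comparison is an assumption.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespace of the root <Package> element in an MSIX AppxManifest.xml.
APPX_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"


def manifest_publisher(msix):
    """Return Identity/@Publisher from AppxManifest.xml inside an MSIX (a ZIP container)."""
    with zipfile.ZipFile(msix) as pkg:
        # For packages from untrusted sources, use a hardened XML parser instead.
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    identity = root.find(f"{{{APPX_NS}}}Identity")
    if identity is None or not identity.get("Publisher"):
        raise ValueError("AppxManifest.xml has no Identity/@Publisher")
    return identity.get("Publisher")


def check_publisher(msix, signing_subject):
    """Pre-flight check, returns (ok, publisher). Exact comparison is an assumption."""
    publisher = manifest_publisher(msix)
    return publisher == signing_subject, publisher


def build_sample_msix(publisher):
    """Constructed sample: a ZIP holding only a manifest, not an installable package."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<Package xmlns="{APPX_NS}">'
        f'<Identity Name="Contoso.Sample" Version="1.0.0.0" Publisher="{publisher}"/>'
        '</Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    subject = "CN=Contoso Signing, O=Contoso, C=US"  # constructed subject
    for pub in (subject, "CN=Contoso Dev"):
        ok, found = check_publisher(build_sample_msix(pub), subject)
        print("match" if ok else "MISMATCH", "- manifest publisher:", found)
```

check_publisher also accepts a path to a real .msix file in place of the in-memory sample.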

Other changes

  • Tabs in the Settings window are now showing an error indicator in case of incomplete data.
  • In the selector of the default certificate for signing, a default option “No certificate” is now available.
  • A problem with a wrong path to the default JSON editor after changing the program’s settings has been fixed.
  • Many smaller UI improvements.


The app will be updated automatically in a few hours if you installed it from the app installer file. New users can download MSIX Hero from the Download page.