Signing process for MSIX/APPX build take a long time

[pok.lau]

The process to signing each of the individual .exe or .dll for MSIX/APPX build seems to take a very long time.

After the step that says

"Detecting MSIX/APPX incompatible resources"

The build seems to start signing .exe and .dll behind the scene (with signing enabled) and the process take a very long time. Using process monitor to dig into it, there seems to be sub-processes that copy the files into a temp folder, sign them, then move the signed copies to the cache for the final packing.

Question I have are
(1) Why does the build log not telling what it is trying to do? and
(2) This behaviour never exists in the MSI build and all .exe and .dll are being signed correctly within the .msi package, can the same mechanism be applied to MSIX/APPX build? and
(3) If not, can this step be improved so there less files being shuffled around and improve efficiency of the over all process?

[Daniel]

Hello and welcome to our forums,

Here are my replies inline:

(1) Please note that during an MSIX/APPX build the files are signed during "Creating resources.pri file(s)" build step and this is also logged. Have a look on the following screenshot:

Capture.JPG (74.38 KiB) Viewed 5426 times

(2) We do use the same signing mechanism for both type of builds so the difference in regards to the build time should not be generated by the signing operation. You get a different build time because during an MSIX build we also scan every file to be bundled into the MSIX package to check for incompatible resources. When doing so we do use some signing operation to detect possible incompatible PE files.

(3) I am not sure how much we can do in this case as the significant build time is extra required is imposed by the "Detecting MSIX/APPX incompatible resources" build step and for now this is the only implementation we can design for it.

All the best,
Daniel

[pok.lau]

Hi Daniel,

Thanks for the reply.

I believe the process of "some signing operation to detect possible incompatible PE files" happens depends on whether signing has been enabled or not?

Had a test on both scenarios and found the build took less than 1 minutes when signing is disabled.

Signing-disabled.png (79.56 KiB) Viewed 5423 times

And it took 21 minutes when signing is enabled.

Signing-enabled.png (77.6 KiB) Viewed 5423 times

Also, I am wondering if it is possible for the build time can be speed up when all the resources are 'compatible'? If so, what are the criterias that determine if a binary is compatible?

[Daniel]

Hello,

I believe the process of "some signing operation to detect possible incompatible PE files" happens depends on whether signing has been enabled or not?

Yes, this is right. This check is done only when the signing operation is enabled.

Also, I am wondering if it is possible for the build time can be speed up when all the resources are 'compatible'? If so, what are the criterias that determine if a binary is compatible?

I have just talked with our dev team about this and it seems you can skip the "Detecting MSIX/APPX incompatible resources" build step. To do so you should proceed like this:

1. open Advanced Installer application and go to "File -> Settings -> Package Validation" menu option
2. uncheck the "Enable UWP resource compatibility check" option

A binary selected to be signed we consider it UWP compatible if is a valid PE, more exactly if it can be successfully signed with SignTool.exe.

All the best,
Daniel