MSIX Digital Signing

Written by Radu Popescu · October 4th, 2019

If you did not know this yet, all MSIX application packages must be digitally signed. There is no exception. Nowadays, we can all agree that cybersecurity is crucial. Therefore Microsoft decided to assist in this matter by enforcing the digital signature of the MSIX. If you have an MSIX package that is not digitally signed, and you try to install it, it will fail.

There are two main methods to digitally sign an MSIX package plus one additional method used for internal company apps.

1.Publish to Microsoft Store

Publishing your MSIX package to Microsoft Store is the easiest thing to do since you don’t need to digitally sign it. After you submit your application to the Store, Microsoft evaluates it and runs the necessary checklist: Security tests, Technical compliance tests, Content compliance. After the tests are passed, Microsoft automatically certifies your MSIX application and sign it.

2.Certified vendor sign

The first step in signing your MSIX application using a certificate from a trusted CA (Certified Authority) guessed it: acquire a certificate from a CA (such as Entrust Datacard, VeriSign/Symantec, DigiCert, Comodo, GoDaddy, and GlobalSign).

ImportantSHA256 hash algorithm is mandatory for digitally signing MSIX packages, SHA1 is not considered as valid by the OS. So, make sure you select the SHA256 algorithm when you order your certificate.

Now, to sign the MSIX package, you need the Windows SDK. Inside the SDK, you can find SignTool.exe, the command-line utility that Microsoft recommends for digitally signing. Windows SDK can be downloaded from here. Make sure you checkmark Windows SDK Signing Tools for Desktop App.

Advanced Installer comes with SignTool bundled and a dedicated GUI, to simplify your digital signing process.

  • From Product Information in the left pane, navigate to Digital Signature
  • Here you have to Enable Signing and under Software Publisher Certificate, select Use file from disk then simply browse to your certificate file location.

If you don’t have Advanced Installer, you can sign your package using with SignTool using the following command line :

SignTool sign /fd SHA256 /a /f signingCert.pfx /p password caphyonapp.msix

If you want to time stamp the app package (highly recommended otherwise your digital signature will not be considered valid once the certificate expires), this is the time when you must do it using the following command line:

SignTool sign /fd hashAlgorithm /a /f signingCert.pfx /p password /tr timestampServerUrl caphyonapp.msix

For additional information about SignTool, check out this link.

3.Internal Self-Signed Certificate

As we mentioned at the beginning of this article, for internal company apps or other tests, you can use a self-generated certificate that can be used to digitally sign your MSIX packages. However, there are some things to consider.

  • One thing that you need to keep in mind is that this certificate must be present on the targeted machine, where the package has been deployed in order for the OS to allow package installation.

This can be done by deploying the CA via group policy or any other preferred deployment method. Just make sure the certificate is stored under “Local Machine -> Trusted Root Certification Authorities” certificates store or by manually installing (double click the certificate) the certificate on the specific machine.

  • Another thing that needs to be done on the targeted machine is to enable Sideloading (starting with Windows 10, update 2003 this option will be enabled by default). To do that, follow the below steps :
    1.Open the Settings app
    2.Click on Update & security
    3.Click on For developers
    4.Under "Use developer features," select the Sideload apps option

Now, that we know the requirements for installing a self-signed application on a machine, let’s see some ways of self sign it.

  • Direct self-sign with Advanced Installer

From the same window that we used earlier to sign the package with a vendor certificate, we now choose Use from Personal certificate store and click on Create

NoteAdvanced Installer uses CertMgr.exe for this operation. Make sure you have it on the machine. CertMgr.exe is not available anymore as a standalone download but can be found in Windows SDK 7.

  • Sign using the SignTool command line in the same manner as described above with a vendor certificate
  • Sign an MSIX package with Device Guard signing

By the time of writing this article, this method is not yet released. It can only be used with Windows 10 Insider Preview Build 18945 or newer.These changes allow sign tool to interact with Device Guard Signing to remotely sign packages specific to your Azure AD tenant. A user can be enabled with signing permissions and can then auth with their Azure AD identity and sign their packages.

For full instruction, check out official Microsoft release here.