This page can be used to digitally sign your Windows Store App package. In order to digitally sign the package, you will need a valid certificate.
Checking this checkbox will enable the actual signing of the package.
This button can be used to clear all fields.
Use the built-in signing tool.
Select a custom signing tool.
Enter a command line for the above cutom signing tool.
Software Publisher Certificate
Use certificate from system store
Choose one of the currently installed certificates.
<Most suited certificate> - When this value is selected, "SignTool.exe" will sign the files with the best certificate found in the system certificates store.
To view or manage certificates inside the system store, you can use certmgr.msc tool (Press Windows Key + R, type "certmgr.msc" and press enter).
Use file from disk
When this option is selected the certificate used to sign the files is loaded from a local disk file. Every time you select this option, you will be prompted to select the path to the certificate from the hard-drive.
Certificate - This field contains the path on disk to the certificate. You can use thebutton in this field to select one from your hard-drive.
PFX certificates are recommended, you can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files. If the PFX file is protected with a password, the “Selected certificate requires password. Select how to transmit it to signing tool:” section will be visible.
- pvk2pfx is available as part of the Platform SDK.
Private Key - In this field you can set the “Private Key”. You can use thebutton to select one from your hard-drive. PFX certificates do not have a separate private key file, thus this field is hidden by default.
Enter password each time project is built - You will be prompted to enter the password when the AppX package is built.
Advanced Installer caches the password for PFX files and hence you will be prompted for the password only once.
Store encrypted password in project file - The encrypted password will be stored in the project and used at build time to sign the installation files. This option is useful for unattended builds.
Password - The password for the PFX certificate.
Confirm password - Confirm the PFX certificate password.
Use from Azure Key Vault
To better understand this feature see this article: Azure Key Vault basic concepts.
Signing using a certificate from Azure Key Vault only works on Windows 10.
The Azure active directory where Key Vault resides. This field is mandatory!
The ID of the Azure application that has access to Key Vault. This field is mandatory!
The name of the Key Vault. This field is mandatory!
The name of the certificate stored in the Key Vault. This field is mandatory!
A certificate stored in a Key Vault can have multiple versions. The string stored in this field identifies a version.
When a file is signed, the user will be prompted to enter the Client secret associated with the application identified with ID - App ID. The Client secret is not stored in the project file.
Using command line
When using Advanced Installer from command line, you can set the Client secret using the following command: SetAzureKeyVaultSecret
Due to the fact that the Client secret is not stored in the project file, SetAzureKeyVaultSecret command can be used only from a .AIC command file.
For increased security, the Client secret can be stored in an Environment variable using -secret_is_env_var_name switch. With this switch, the command will interpret that the name entered as a parameter is an environment variable.
The Azure Key Vault certificate subject can be synchronized with the MSIX Publisher ID. To achieve this you must press the Synchronize button from Publisher Section of Package Information page. At build time the subject - publisher ID mismatch is detected automatically.
Use Device Guard for signing
Device Guard signing only works on Windows 10.
To sign a package with Device Guard you need an Azure account configured for Device Guard signing. For more information regarding the configuration see this article: Sign an MSIX package with Device Guard signing
The Publisher ID from Package Information Page must adhere to the following format: CN=account_name.onmicrosoft.com
Using command line
You can set Device Guard sign account name and password using the following command: SetMsActiveDirectoryCredentials.
SetMsActiveDirectoryCredentials command can only be used from a .AIC command file due to the fact that the password is not saved in the project or the registry.
Example of a command file
SetMsActiveDirectoryCredentials -username user_name -password account_password [-password_is_env_var_name] build -buildslist Build_MSIX_APPX -force
Optionally, instead of the actual password, you can specify an environment variable where the password is stored, using the optional command line parameter [-password_is_env_var_name]
If the account is not properly configured for Device Guard signing, signing a file could trigger an error that can imply that the timestamp can't be applied.
Signature properties are required to display the exact AppX package name on the UAC prompt.
This field contains the signed content's description. It will be shown by the Windows UAC after you click the "Install" button.
This field contains a URL for a complete description of the signed content. The URL will be used when the package is launched from an untrusted location (for example from the network) in the "Open File - Security Warning" dialog, where the "Name" field will become a link to the URL you specified.
Timestamp service URL
A digital certificate has a validity period. After that period expires the signed code is not considered certified anymore. To prevent that a Time Stamp can be placed at the signing time which will show that the certificate was valid when the signing was done.
The “Time Stamp URL” specifies the URL of the time stamp server. This URL points to a DLL located on a server that is used for this purpose. An example of such a server is:
Signing AppX packages is supported only on Windows 8 or later OS.
Timestamp delay (ms)
In this field you can configure how many milliseconds Advanced Installer will wait between two consecutive signing operations