How to sign MSIX package (with MSIX Hero)

MSIX deployment stack requires that every package is digitally signed. Not doing it, or modifying an already signed package sooner or later ends with this:

The package is not signed, has a broken signature or the certificate is not trusted.

Package which is not trusted (as seen above) is not installable. The error is shown when trying to install an APPX or MSIX package which either :

  • Is not signed at all, or
  • Used to be signed, but due to unauthorized changes the signature is invalid, or
  • Is signed by an untrusted certificate.

Digital signing on Windows is not a rocket since, but still a bit tricky for APPX and MSIX packages. Aside of complex command-line of signtool and even a simple posessing of a valid certificate, the certificate subject must be kind of “imprinted” into the package manifest. Signing will fail if the publisher (from manifest) and the subject (from certificate) are not equal. And you will sign a lot, in fact after every single change in manifest or package files.

MSIX Hero makes signing and re-signing of packages piece of cake.

Getting certificates

The first question is where to get the certificate for signing from. Enterprises usually have a certificate trusted by a chain which ends up somewhere in a trusted root authority, or they use self-made certificates which are then deployed and trusted on each computer. The part that is actually distributed is only a public part of a certificate, which is not sufficient for package signing. Without access to the private key, password and/or hardware cryptography module, chances are that a dev certificate (PFX or installed in a cert store) or a dummy one (self-signing) will be still required for development and/or package testing.

If you already have a certificate (including its private key and necessary password or hardware token), you can skip the following description and move on to the actual signing.

Creating self-signed certificate

MSIX Hero has a simple certificate generator which lets you create and optionally import a test certificate in a matter of seconds. After opening MSIX Hero, press Tools > Code-signing > Create self-signed... A dialog with a few values will be shown.

Update: In version, the dialog has been moved to Certificates > Code signing > Create self-signed…

Provide values the way you would like for them to be displayed. Publisher Distinguished Name must be using a special syntax (DN), but for testing just one level in format CN=<My Name> is just enough. Once all values are fine, press the Generate certificate button to save the files:

MSIX Hero creates three files:

  • *.pfx – containing private key for signing. Usually, this file should be kept secret, you should send it together with password only to people who would be then able to sign with the newly created certificate.
  • *.cer – containing the public part, which you can freely distribute and import to a trusted store
  • *.pwd – a text file with open-text password. You can delete this file, it is created just in case you forget the password after a few days of playing with MSIX 🙂

The certificate is generated, but it is not trusted by your computer. If you want to test the deployment (you do, don’t you?) make sure to import in on the target machine. You can also import the certificate to your Personal store, so that in future you will not be required to specify path to PFX or password anymore.

Signing and re-signing

Having a valid and trusted certificate, digital signing of MSIX is easy. With MSIX Hero you can sign and re-sign one or more packages at once. To do it, press Tools > Code-signing > Sign package…. You will be asked to select an MSIX package. Once a package is selected, a dialog is shown:

In the first tab, the selected package should be already listed. You can add more packages here or use drag and drop feature to drop items to the list.
In the Signature tab, the details of certificate used for signing are to be configured. You can select a PFX file (for example creates by MSIX Hero, see the previous step) or select a certificate from Personal Store.

It is also recommended to configure time stamping server URL if you want your packages to be still digitally signed and accepted even after the original certificate is expired. The default value provided by MSIX Hero should be fine, but you can change it to any preferred time stamp URL if needed.

Once ready, press Update selected packages to sign the package(s). The green check mark informs that the signing succeeded. Let’s verify this by verifying the properties:

The package is now signed, and the certificate is trusted by this computer. You can now install it without signature errors.

This concludes this short tutorial. Signing and changing signatures of MSIX packages became much easier with MSIX Hero.

Leave a Reply