WiX v5 is here! Let us help.

Signing MSIX Packages

Unlike MSIs, MSIX packages must be signed with a certificate that matches the Msix element's Publisher attribute before the package can be installed. In your .wixproj, you can override the SignMsix target that operates much like the SignMsi target.

If you have a certificate with the private key (usually in a .pfx file), you can use the SignMsixArguments MSBuild Property:

  <SignMsixArguments>/fd SHA256 /a /f path\to\your.pfx /p yourpfxpwd</SignMsixArguments>

For complete control over the signing process, you can override the SignMsix target in your .wixproj:

<Target Name="SignMsix">
  <Exec Command='"$(MsixSignTool)" sign /fd SHA256 /a /f path\to\your.pfx /p yourpfxpwd "@(SignMsix)"' />

Note: The signtool.exe included with the HeatWave Build Tools at $(MsixSignTool) has support for signing Msix packages. Older versions of signtool.exe may not and will fail so we recommend using the provided signtool or one from the latest Windows SDKs.

Create your own test certificate

If you don't have a certificate already, you can create a test certificate using the following PowerShell commands (borrowed from Microsoft's documentation):

New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("{text}", "{text}")
                          -Type Custom -KeyUsage DigitalSignature -Subject "<Your Subject Name>" -FriendlyName "Your friendly name goes here"

Remember the -Subject value must match the Msix element's Publisher attribute value. That command stores the certificate in your computer's certificate store, but we'll want to be able to take the certificate to other computers so remember the Thumbprint displayed by that command:

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
<Your Thumbprint>                         <Your Subject Name>  Code Signing

If you need to find the thumbprint later use the following:

Set-Location Cert:\CurrentUser\My
Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint

To export the private key certificate so we can sign anywhere use the following command to create a password protected .pfx file:

$password = ConvertTo-SecureString -Force -AsPlainText -String <Some Password>
Export-PfxCertificate -Password $password -cert "Cert:\CurrentUser\My\<Your Thumbprint>" -FilePath <Path\To\Save\Your.pfx>

To export the public key certificate so we can install our test signed package on other computers use:

Export-Certificate -cert "Cert:\CurrentUser\My\<Your Thumbprint>" -FilePath <Path\To\Save\Your.cer>

use the .pfx file to sign your .msix package. Add the .cer file to your test machine's "Trusted People" certificate store to allow you to install your test signed package.

The MSDN documentation is also quite good for this topic.