Unlike MSIs, MSIX packages must be signed with a certificate that matches the Msix
element's Publisher
attribute before the package can be installed. In your .wixproj, you can override the SignMsix
target that operates much like the SignMsi
target.
If you have a certificate with the private key (usually in a .pfx file), you can use the SignMsixArguments
MSBuild Property:
<PropertyGroup>
<OutputType>Msix</OutputType>
<SignOutput>true</SignOutput>
<SignMsixArguments>/fd SHA256 /a /f path\to\your.pfx /p yourpfxpwd</SignMsixArguments>
</PropertyGroup>
For complete control over the signing process, you can override the SignMsix
target in your .wixproj:
<Target Name="SignMsix">
<Exec Command='"$(MsixSignTool)" sign /fd SHA256 /a /f path\to\your.pfx /p yourpfxpwd "@(SignMsix)"' />
</Target>
Note: The signtool.exe
included with the HeatWave Build Tools at $(MsixSignTool)
has support for signing Msix packages. Older versions of signtool.exe
may not and will fail so we recommend using the provided signtool or one from the latest Windows SDKs.
If you don't have a certificate already, you can create a test certificate using the following PowerShell commands (borrowed from Microsoft's documentation):
New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
-Type Custom -KeyUsage DigitalSignature -Subject "<Your Subject Name>" -FriendlyName "Your friendly name goes here"
Remember the -Subject
value must match the Msix
element's Publisher
attribute value. That command stores the certificate in your computer's certificate store, but we'll want to be able to take the certificate to other computers so remember the Thumbprint displayed by that command:
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
<Your Thumbprint> <Your Subject Name> Code Signing
If you need to find the thumbprint later use the following:
Set-Location Cert:\CurrentUser\My
Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint
To export the private key certificate so we can sign anywhere use the following command to create a password protected .pfx file:
$password = ConvertTo-SecureString -Force -AsPlainText -String <Some Password>
Export-PfxCertificate -Password $password -cert "Cert:\CurrentUser\My\<Your Thumbprint>" -FilePath <Path\To\Save\Your.pfx>
To export the public key certificate so we can install our test signed package on other computers use:
Export-Certificate -cert "Cert:\CurrentUser\My\<Your Thumbprint>" -FilePath <Path\To\Save\Your.cer>
use the .pfx file to sign your .msix package. Add the .cer file to your test machine's "Trusted People" certificate store to allow you to install your test signed package.
The MSDN documentation is also quite good for this topic.