Signing MSIX Packages

Unlike MSIs, MSIX packages must be signed with a certificate that matches the Msix element's Publisher attribute before the package can be installed. In your .wixproj, you can override the SignMsix target, which operates much like the SignMsi target.

For example, add the following to the bottom of your .wixproj, just above the final </Project> element:

<Target Name="SignMsix">
  <Exec Command='"$(WixToolPath)\x86\signtool.exe" sign /fd SHA256 /a /f path\to\your.pfx /p yourpfxpwd "@(SignMsix)"' />
</Target>

Note: The signtool.exe included with WEP at "$(WixToolPath)\x86\signtool.exe" has support for signing MSIX packages. Older versions of signtool.exe may not and will fail, so we recommend using the provided path.

Create your own test certificate

If you don't have a certificate already, you can create a test certificate using the following commands:

"C:\Program Files (x86)\Windows Kits\10\bin\x86\makecert.exe" /n "CN=Your Company Subject" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /e 12/12/2018 /sv path\to\your.pvk path\to\your.cer

That command will prompt you to provide a password for the resulting certificate. Use that password in the next command line:

"C:\Program Files (x86)\Windows Kits\10\bin\x86\Pvk2Pfx.exe" /pvk path\to\your.pvk /pi YourPasswordFromStepAbove /spc path\to\your.cer /pfx path\to\your.pfx

This will result in the .pfx file you can use to sign your .msix package. The .cer file from the first step should be added to your test machine's "Trusted People" certificate store to allow you to install your test-signed package.

The MSDN documentation is also quite good for this topic.

There is also an option using PowerShell that is now recommended over makecert.exe. But we're a bit old fashioned and still like to use cmd.exe.

It is important to ensure that the value in your Msix/@Publisher attribute matches the "CN=Your Company Subject" in the makecert.exe command line. If those don't match, you will get very cryptic error messages when signing.
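
The PowerShell route mentioned above, combined with the Publisher check from the last paragraph, as an added example that is not FireGiant's own script. The cmdlets are the standard Windows PKI ones; the subject, friendly name and output paths are placeholders to replace with your own.

```powershell
# Added example (not from the original page). Placeholder values are assumptions:
# set $Publisher to exactly the string in your Msix/@Publisher attribute.
param(
    [string]$Publisher = 'CN=Your Company Subject',
    [string]$OutDir    = 'path\to'
)

# Create a self-signed test certificate in the current user's store.
# 2.5.29.37 = Enhanced Key Usage (1.3.6.1.5.5.7.3.3 is Code Signing);
# 2.5.29.19 = Basic Constraints, left empty so the cert is an end entity.
$cert = New-SelfSignedCertificate -Type Custom -Subject $Publisher `
    -KeyUsage DigitalSignature -FriendlyName 'MSIX test signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# Fail here, with a readable message, if the subject Windows stored is not
# character-for-character the Publisher value (for example because a
# multi-part name was reordered or re-spaced).
if ($cert.Subject -cne $Publisher) {
    throw "Certificate subject '$($cert.Subject)' does not match Publisher '$Publisher'."
}

# Prompt for the PFX password so it never appears in a script or in history.
$password = Read-Host -AsSecureString -Prompt 'PFX password'

$pfxPath = Join-Path $OutDir 'your.pfx'
$cerPath = Join-Path $OutDir 'your.cer'

# The .pfx (private key included) is what signtool.exe /f consumes.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# The .cer (public part only) is what the test machine needs to trust.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Run this line on the test machine from an elevated prompt to place the
# certificate in the "Trusted People" store.
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null
```

Remove the certificate from "Trusted People" once testing is done, since every package signed with that .pfx is installable on the machine while it remains there.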