question

Victor-Chen avatar image
0 Votes"
Victor-Chen asked Victor-Chen commented

How to digitally sign the installation files of the desktop bridge app?

This problem may not be as simple as the title says, because for some reason, I am not authorized to have a certificate, and I can only give the program (not the code) to another person for digitally sign. I'll elaborate on the following.

What I already know is that after I upload the app to MS store, Ms store will automatically sign my app, but it seems that it will only sign the msixbundle file. because in this path: C:\Program Files\WindowsApps\[AppName]_[AppVersion]_neutral__[PackageID], I can see my DLL files and exe files - but these files are not signed, unless the DLL has been signed before uploading the app to the store, for example, Newtonsoft.Json.dll in the directory is signed, but my own [appname].exe file is not signed.

So, the question is: how can someone else sign my desktop bridge app installation files using signtool.exe without having my code?

Maybe this can't be achieved, but please tell me the solution, thank you.

windows-uwp
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi, does the following method help? Have you solved your issue? If it is helpful, you can mark it as answer to help others who have the same issue.

0 Votes 0 ·

1 Answer

danielescipioni avatar image
0 Votes"
danielescipioni answered Victor-Chen commented

To sign .msixbundle I use this command line:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd SHA256 /sha1 <certificate thumbprint> <path to .msixbundle file>


  • <certificate thumbprint>: is a field of the signing certificate

  • <path to .msixbundle file>: this should be obvious

in "C:\Program Files (x86)\Windows Kits\10\bin\" there is a dir for each target platform version (..., 10.0.17134.0, 10.0.17763.0, 10.0.18362.0), I choose the one that match with the current TargetPlatformVersion of the UWP project.

To sign .exe, this works for me.

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd SHA256 /sha1 <certificate thumbprint> <path to .exe file>


To sign the .exe files inside .msixbundle you have to unbundle the .msixbundle, and to unpack each .appx file inside the .msixbundle:

unbundle command:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" unbundle /p <path to .msixbundle file> /d <unbundle dir>


then unpack all your .appx files to reach the .exe

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" unpack /l /p <path to .appx file> /d <unpack dir>


After you sign the .exe with the command above you have to repack the appx

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" pack /o /l /d <unpack dir> /p <new .appx file>


and then you have to bundle .appx again

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" bundle /v /o /d <unbundle dir> /p <new .msixbundle file>


And at the end sign the .msixbundle

To understad these command line tools, I read the documentation. Here some links, you can use also the command line help using /?

· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you very much for your reply. I tried to sign the msixbundle file with your command, which was successful. But after installing the app, I still saw that the EXE file was not signed in the installation folder.

This is the command I use:

 cd C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\
 .\signtool.exe sign /fd SHA256 /f D:\TemporaryKey.pfx /p password D:\\AppName_AnyCPU_Debug.msixbundle
0 Votes 0 ·

Just to be sure: how do you see that your .exe file is not signed? Maybe you refer to the process that creates a strong name for your .exe file, that usually is done at build time enabling option "Sing the assembly" in the project properties. If you are referring to the strong name then this document https://docs.microsoft.com/en-us/dotnet/standard/assembly/delay-sign should help to do what you need.

0 Votes 0 ·

Thank you for your reply. I use this method to determine whether the file is signed: Task Manager -> open file location -> right click EXE file -> properties -> digital signature. I don't think the strong name is what I want, but what is more suitable for me is to use makeappx to package the signed exe and DLL files into msixbundle. Do you have any tools about makeappx? Because those commands looks too complicated.

0 Votes 0 ·
Show more comments