Share via


Signing an app package (Windows Store apps)

By default, all app packages that Visual Studio generates are signed with a test certificate. When you create a package, Visual Studio generates a folder that includes the signed package itself. The certificate (.cer) file that’s included in that folder contains the public key that’s used to sign the package. This key must be installed on the machine before the app package is installed.

Generating the Test Certificate

The certificate file (.pfx) is generated and added to your project when the project is created.

The certificate’s Subject field is set to the Publisher attribute of the Identity element of the source manifest (.appxmanifest) file.

  • If you create a local package, the default value of the Publisher attribute is your user name.

  • If you either create a package for the Windows Store or associate your app with it, the Publisher attribute is set to the Publisher ID that’s obtained from your developer account at the Store when you sign in during package creation.

The certificate creation process also adds a property to the project file:

<PackageCertificateKeyFile>
   RisingStar_TemporaryKey.pfx
</PackageCertificateKeyFile>

The value of the PackageCertificateKeyFile is the relative path or full path of the source certificate itself.

If the certificate is missing, it’s created when the package is built from the Store menu but not when the package is built at a comand prompt. When Visual Studio creates a certificate, the values of the following properties are set:

  • The value of the Basic Constraints extension is set to Subject Type=End Entity.

    Note

    The basic constraints extension identifies whether the subject of the certificate is a certificate authority (CA). This extension also defines the maximum depth of valid certification paths that include this certificate. The Basic Constraints property specifies whether the certified public key can verify certificate signatures.

  • The value of the Enhanced Key Usage (EKU) extension is set to Code Signing.

Certificates are valid for one year after the date when they were created. For information about how to renew a certificate, see Renewing a certificate.

Tip

If an error that's similar to "The certificate specified is invalid because it is expired or has another issue" appears during the signing process, use the Manifest Designer to create a test certificate that replaces the old one.

Validating Certificates

During packaging, Visual Studio validates the specified certificate in the following ways:

  • Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.

  • Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.

  • Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.

  • Verifies the existence of a private key exists.

  • Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.

In certain scenarios, you might need to more closely control which certificate is used, and, therefore, which validation checks are run against the certificate. The MSBuild property EnableSigningChecks controls which of the above certificate checks are performed. If you set the property to True (default), Visual Studio runs all the checks. If you set the property to False, Visual Studio performs the only following tasks:

  • Verifies whether a private key exists.

  • Verifies whether the value of the Enhanced Key Usage property contains Code Signing.

  • Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.

Note

When EnableSignignChecks is set to False, the PowerShell script might not work because the custom certificate might not comply with all the rules that are required for the script to install the app package. For more information, seeSharing an app package locally (Windows Store apps).

Choosing an alternate certificate

Visual Studio automatically creates a certificate when the project is created, but you can also create your own certificate or use an existing certificate to sign a package.

To create or use an alternate certificate

  1. In Solution Explorer, open the shortcut menu for the .appxmanifest file, choose Open With, and then choose App Manifest Designer.

  2. In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.

  3. In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose one of the following options:

    • Pick from certificate store
      Pick one of your Personal certificates from the certificate store in the operating system.

    • Select from file
      Pick an existing certificate file from the file system.

    • Create test certificate
      Create a certificate with a Publisher ID of your choice. You can also create a password.

Whichever option you choose, a certificate file is added to the project and the PackageCertificateThumbprint and PackageCertificateKeyFile project properties are updated accordingly.

Note

If an error that's similar to "The certificate specified is invalid because it is expired or has another issue" appears during the signing process, use the Manifest Designer to create a custom certificate that replaces the old one.

Renewing a certificate

The default certificate that Visual Studio generates expires one year after the date on which the certificate was created. Before the certificate expires, you must use the App Manifest Designer to either regenerate the certificate or, as the previous procedure describes, provide a different, valid certificate.

To renew the certificate

  1. In Solution Explorer, open the shortcut menu for the .appxmanifest file, choose Open With, and then choose App Manifest Designer.

  2. In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.

  3. In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose Create test certificate.

  4. In the Create test certificate dialog box, click the OK button.

    Visual Studio regenerates the certificate with a new expiration date.

Deleting or exporting a certificate

You might want to delete or export a certificate that has expired or that has been compromised, corrupted, or replaced by another certificate. For information about how to delete or export a certificate, see How to use the Certificates Console.

Modifying installed apps

If any files in an installed package are modified, signing verification might prevent the app from launching. To modify a package, make the changes in the original source files using a developer license, and then redeploy the modified package. For more information about developer licenses, see Get a developer license (Windows Store apps).

See Also

Concepts

Overriding a package manifest (Windows Store apps)

Packaging your Windows Store app using Visual Studio 2012