How to digitally sign the installation files of the desktop bridge app?

Victor Chen 106 Reputation points
2020-05-16T04:51:12.53+00:00

This problem may not be as simple as the title says, because for some reason, I am not authorized to have a certificate, and I can only give the program (not the code) to another person to digitally sign. I'll elaborate below.

What I already know is that after I upload the app to the MS Store, the MS Store will automatically sign my app, but it seems that it will only sign the msixbundle file, because in this path: C:\Program Files\WindowsApps\[AppName]_[AppVersion]_neutral__[PackageID], I can see my DLL files and exe files - but these files are not signed, unless the DLL has been signed before uploading the app to the store. For example, Newtonsoft.Json.dll in the directory is signed, but my own [appname].exe file is not signed.

So, the question is: how can someone else sign my desktop bridge app installation files using signtool.exe without having my code?

Maybe this can't be achieved, but please tell me the solution, thank you.

Universal Windows Platform (UWP)

Accepted answer
  1. Daniele 1,996 Reputation points
    2020-05-16T08:10:41.367+00:00

    To sign .msixbundle I use this command line:

       "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd SHA256 /sha1 <certificate thumbprint> <path to .msixbundle file>  
    
    • <certificate thumbprint>: is a field of the signing certificate
    • <path to .msixbundle file>: this should be obvious

    In "C:\Program Files (x86)\Windows Kits\10\bin\" there is a dir for each target platform version (..., 10.0.17134.0, 10.0.17763.0, 10.0.18362.0); I choose the one that matches the current TargetPlatformVersion of the UWP project.

    To sign .exe, this works for me.

       "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd SHA256 /sha1 <certificate thumbprint> <path to .exe file>  
    

    To sign the .exe files inside .msixbundle you have to unbundle the .msixbundle, and unpack each .appx file inside the .msixbundle:

    unbundle command:

       "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" unbundle /p <path to .msixbundle file> /d <unbundle dir>  
    

    then unpack all your .appx files to reach the .exe

       "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" unpack /l /p <path to .appx file> /d <unpack dir>  
    

    After you sign the .exe with the command above you have to repack the appx

       "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" pack /o /l /d <unpack dir> /p <new .appx file>  
    

    and then you have to bundle .appx again

       "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\MakeAppx.exe" bundle /v /o /d <unbundle dir> /p <new .msixbundle file>  
    

    And at the end sign the .msixbundle

    To understand these command line tools, I read the documentation. Here are some links; you can also use the command line help using /?
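
The steps in the accepted answer chained into one PowerShell script, as an added example that is not part of the original answer. The parameter names, the work directory and the output file name are assumptions; the script also covers .dll files and .msix packages and skips binaries that already carry a signature (such as the Newtonsoft.Json.dll mentioned in the question), so third-party signatures are left intact.

```powershell
# Added example: parameter names, work directory and output name are assumptions.
param(
    [Parameter(Mandatory)] [string] $Bundle,      # path to the .msixbundle file
    [Parameter(Mandatory)] [string] $Thumbprint,  # SHA-1 thumbprint of the signing certificate
    [string] $WorkDir = (Join-Path $env:TEMP 'resign-work'),
    # SDK bin directory; pick the one matching the project's TargetPlatformVersion
    [string] $SdkBin = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64'
)
$ErrorActionPreference = 'Stop'
$signtool = Join-Path $SdkBin 'signtool.exe'
$makeappx = Join-Path $SdkBin 'MakeAppx.exe'

# Run a native tool and stop the script on a non-zero exit code
function Invoke-Tool([string] $Exe, [string[]] $ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Start from an empty work directory so no stale files end up in the new bundle
if (Test-Path $WorkDir) { Remove-Item $WorkDir -Recurse -Force }
$bundleDir = Join-Path $WorkDir 'bundle'
Invoke-Tool $makeappx @('unbundle', '/p', $Bundle, '/d', $bundleDir)

$packages = Get-ChildItem $bundleDir -File |
    Where-Object { $_.Extension -in '.appx', '.msix' }
foreach ($pkg in $packages) {
    $unpackDir = Join-Path $WorkDir $pkg.BaseName
    Invoke-Tool $makeappx @('unpack', '/l', '/p', $pkg.FullName, '/d', $unpackDir)

    # Sign only binaries that have no signature yet
    $unsigned = Get-ChildItem $unpackDir -Recurse -Include *.exe, *.dll |
        Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -eq 'NotSigned' }
    foreach ($file in $unsigned) {
        Invoke-Tool $signtool @('sign', '/fd', 'SHA256', '/sha1', $Thumbprint, $file.FullName)
    }

    # Repack over the original package inside the unbundle directory
    Invoke-Tool $makeappx @('pack', '/o', '/l', '/d', $unpackDir, '/p', $pkg.FullName)
}

$newBundle = Join-Path $WorkDir 'resigned.msixbundle'
Invoke-Tool $makeappx @('bundle', '/v', '/o', '/d', $bundleDir, '/p', $newBundle)
Invoke-Tool $signtool @('sign', '/fd', 'SHA256', '/sha1', $Thumbprint, $newBundle)

# Check the bundle signature against the default Authenticode policy
Invoke-Tool $signtool @('verify', '/pa', $newBundle)
```

Signing the bundle only succeeds when the certificate's subject matches the Publisher value in the package manifest, so the person holding the certificate needs that value to agree before running this.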

