Unpackage, modify, repackage, sign an APPX

If you are working on a desktop application that you want to release on the Windows Store by packaging it with the Desktop Bridge, you’ll know that one of the requirements is that your application should work fine also on Windows 10 S, the new Windows edition that was introduced on 2nd May 2017. We have already discussed on this blog how you can test if your application is compliant in the following article: Porting and testing your classic desktop applications on Windows 10 S with the Desktop Bridge - https://blogs.msdn.microsoft.com/appconsult/2017/06/15/porting-and-testing-your-classic-desktop-applications-on-windows-10-s-with-the-desktop-bridge/.

Nevertheless, a few word about the two modes:

  • The Audit mode enforces the Code Integrity checks for logging purpose only. That is to say that instead of raising exceptions (and crashes for you application) when unsupported Windows 10 S operations are performed, every failure is written in the Event Log: Application and Services Logs –> Microsoft –> Windows –> CodeIntegrity
  • The Production mode with the AppxTestRootAgency Store certificate exactly behaves like a real Windows 10 S box. The only difference is that this mode allows us to install apps signed with the AppxTestRootAgency provided by the Store team (direct link download).

However, you’ll know that the test phase, especially with the second mode, isn’t so easy to achieve, because you need to create a specific version of your package for this purpose (since the application needs to be signed with a special certificate, which means that also the publisher declared in the manifest must be changed). As such, let’s introduce some tools that will make your tests faster and easier!



For testing purpose, if you want to install an Appx package, you can double click on the Appx or use the AddAppxPackage Powershell command (even if, for the final round of testing, always make sure to use a real app package, as explained in the following blog post). This will work only if the Appx is signed using a trusted certificate. Usually when developing apps, the certificate is self-signed and it is not trusted on other computers. Of course, we can install it in the "Trusted People" store but it can be really time consuming for testers or IT departments if the number of apps and computers is big (Besides the fact that you have to ask the developer to send you the certificate).

The MakeAPPXForWin10S.cmd tool allows you to install any Appx for testing purpose on a Windows 10 computer in Developer mode without worrying about the certificate used for signing the app.

The only one certificate you will have to install on the Windows 10 test box is the AppxTestRootAgency certificate.


Here are what this tool does for you under the hood:

  1. It creates a new unique folder for extracting the Appx files
  2. It gets the content of the AppxManifest.xml in this folder. It modifies the Publisher identity to use the one provided by the AppxTestRootAgency certificate. It is: “CN=Appx Test Root Agency Ex”. Lastly, it saves the modified manifest
  3. It recreates the Appx file from the folder (with the modified AppxManifest.xml)
  4. It signs the Appx file with the AppxTestRootAgency certificate provided by the Store team





Let’s imagine the following scenario: you have used the previous MakeAPPXForWin10S.cmd script, then you have installed and tested the app and you have discovered that you are missing a content file or that the app failed the WACK because of bad images’ size for example. As such, to continue the testing phase, you must modify the files within the extracted Appx folder, recreate the package, sign it again, etc. Very time consuming, as you can imagine! Here is when the RepackageAPPXFolderForWin10S.cmd comes into the place! The tool takes the extracted app package (which, in the meantime, you have manually modified) and creates the signed Appx file out from it.


  1. Recreates the Appx file with the content of the DesktopBridge folder already extracted by the MakeAPPXForWin10S.Cmd
  2. Signs the Appx file with the AppxTestRootAgency provided by the Store team



The easiest way to use these tools is to clone the repo located at https://github.com/Microsoft/Windows-AppConsult-Tools-DesktopBridgeRePack. You will find in the RepackageForWindows10S folder the tools and the AppxTestRootAgency.pfx certificate needed for signing. You can then use the tools in a standard command line.

Happy Desktop Bridge and UWP packaging and repackaging!