Create a Windows Store AppX package and sign it

You may be asked to deliver an AppX package to a customer so they can sign it themselves.  This walkthrough shows you how to do that.

Background

We cover how to do this in these articles: 

App packager (MakeAppx.exe)

How to create an app package signing certificate

How to sign an app package using SignTool

However, putting all the pieces together can seem a little complex!

An AppX package is really just a zipped up bunch of files.  You can see this yourself by copying and then renaming the appx file by appending a .zip to the filename.  The example I am using is a blank C# Windows Store app built in release mode.  I created an app package (not for the store) and navigated to the output location from this process:

image

and opened the sub folder in there:

image

and copied the appx file, renamed the copy by appending .zip to the file name, and clicked on it to see what is inside:

image

So… it is a bunch of files in a zip package, including an AppxSignature.p7x file.  You can see the .exe and some assets and metadata.

Walkthrough Creating an AppX package

So what magic does Visual Studio use to create this?  Using Process Monitor you can inspect and see what it is doing!  Start Process Monitor and then kick off creating an App Package (not for the store) and we will go through what Visual Studio does (in order to try this ourselves).  After generating the package stop tracing in Process Monitor and inspect what was logged in the output.

To save you some time, look for MakeAppX.exe process start and the command line used to kick it off:

Command line:     "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\MakeAppx.exe"  pack /l /h sha256 /f obj\Release\package.map.txt /o /p C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\AppPackages\MyCoolApp_1.0.0.0_AnyCPU_Test\MyCoolApp_1.0.0.0_AnyCPU.appx
Current directory:     C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\

OK so in theory I can kick this off and create the same package…

Creating an unsigned appx package

I opened a command prompt, navigated to the Current directory above and entered the Command line (with the output changed slightly to create a new package name ‘MyCoolApp_1.0.0.0_AnyCPUForJEFF.appx’). I get this:

image

Using the same trick of copying and renaming the file with a .zip extension I can open it and see it is very similar to the Visual Studio generated package:

image

The stuff that is missing is the code integrity information and the certificate.  You could pass this off to someone who could sign it themselves now.

How to sign the package

For the sake of completeness I will sign this package the same way Visual Studio does.  Again, go back to our friend Process Monitor, look for the Signtool.exe process start and note the startup parameters:

Command line:     "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /fd sha256 /f "MyCoolApp_TemporaryKey.pfx" "C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\AppPackages\MyCoolApp_1.0.0.0_AnyCPU_Test\MyCoolApp_1.0.0.0_AnyCPU.appx"
Current directory:     C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\

Again, using this information we will sign the package (JEFF version of course) and compare it.

image

image

Some people get confused and try to use a .CER file to sign the package.  That is incorrect!  A .cer file holds only the public certificate, and signing needs the private key, so you have to use a .pfx file.  You can generate a .pfx file from a .cer file and its private key file (.pvk), however.  This is covered in detail (SO READ IT) in this article: How to create an app package signing certificate.  Here are some sample commands to generate a self-signed cert and convert it to a .pfx file for signing (assumes you gave it a password of: pwd and the publisher name of your manifest is ‘Contoso.AssetTracker’):

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\MakeCert" /n "CN=Contoso.AssetTracker" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /e "12/31/2016" /sv MyKey.pvk MyKey.cer

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\Pvk2Pfx" /pvk  MyKey.pvk /pi "pwd" /spc MyKey.cer /pfx MyKey.pfx /po "pwd"

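If you are the one receiving an unsigned package to sign, two things are worth checking before running SignTool: whether the package already carries an AppxSignature.p7x, and whether the Publisher in its AppxManifest.xml matches the subject of your certificate (SignTool rejects a mismatch). The following Python sketch is an added example, not part of the original walkthrough or of any Microsoft tool; the function names are hypothetical, the sample packages are constructed in memory rather than produced by MakeAppx, and the publisher comparison is a plain string match.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SIGNATURE_PART = "AppxSignature.p7x"   # part named in the article
MANIFEST_PART = "AppxManifest.xml"

def inspect_appx(data, expected_subject):
    """Return signing-relevant facts about an .appx given as bytes.

    Presence of AppxSignature.p7x only shows the package has been signed;
    it does not validate the signature.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        publisher = None
        if MANIFEST_PART in names:
            root = ET.fromstring(pkg.read(MANIFEST_PART))
            for elem in root.iter():
                # Match on local name so any manifest schema version works.
                if elem.tag.rsplit("}", 1)[-1] == "Identity":
                    publisher = elem.get("Publisher")
                    break
    return {
        "has_manifest": MANIFEST_PART in names,
        "signed": SIGNATURE_PART in names,
        "publisher": publisher,
        # Assumption: exact string match against the certificate subject.
        "publisher_matches": publisher == expected_subject,
    }

def build_sample(publisher, signed):
    """Constructed stand-in for a real package (not MakeAppx output)."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">'
        '<Identity Name="MyCoolApp" Publisher="%s" Version="1.0.0.0"/>'
        '</Package>' % publisher
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST_PART, manifest)
        z.writestr("MyCoolApp.exe", b"MZ constructed placeholder")
        if signed:
            z.writestr(SIGNATURE_PART, b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    subject = "CN=Contoso.AssetTracker"
    for label, blob in [("unsigned", build_sample(subject, False)),
                        ("wrong publisher", build_sample("CN=jsanders", True))]:
        print(label, inspect_appx(blob, subject))
```

For a real package, pass the file's bytes (read in binary mode) and the subject of the certificate you intend to sign with.
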
Conclusion

There is no mystery to this process and we do document the tools, but this may help you put it all together! 

Let me know if this was useful to you! 

Follow me @jsandersrocks and my team at @WSDevSol on Twitter.

More information

App packager (MakeAppx.exe)

How to create an app package signing certificate

How to sign an app package using SignTool

Process Monitor