Create a Windows Store AppX package and sign it


You may be asked to deliver an AppX package to a customer so they can sign it themselves.  This walkthrough shows you how to do that.

Background

We cover how to do this in these articles: 

App packager (MakeAppx.exe)

How to create an app package signing certificate

How to sign an app package using SignTool

However putting all the pieces together can seem a little complex!

An AppX package is really just a zipped up bunch of files.  You can see this yourself by copying and then renaming the appx file by appending a .zip to the filename.  The example I am using is a blank C# Windows Store app built in release mode.  I created an app package (not for the store and navigated to the output location from this process:

image

and opened the sub folder in there:

image

and copied  then renamed the appx file by appending .zip to the file name and clicked on it to see what is inside:

image

So… it is a bunch of files in a zip package, to include an AppxSignature.p7x file.  You can see the .exe and some assets and metadata.

Walkthrough Creating an AppX package

So what magic does Visual Studio use to create this?  Using Process Monitor you can inspect and see what it is doing!  Start Process Monitor and then kick off creating an App Package (not for the store) and we will go through what Visual Studio does (in order to try this ourselves).  After generating the package stop tracing in Process Monitor and inspect what was logged in the output.

To save you some time, look for MakeAppX.exe process start and the command line used to kick it off:

Command line:    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\MakeAppx.exe"  pack /l /h sha256 /f obj\Release\package.map.txt /o /p C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\AppPackages\MyCoolApp_1.0.0.0_AnyCPU_Test\MyCoolApp_1.0.0.0_AnyCPU.appx
Current directory:    C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\

OK so in theory I can kick this off and create the same package…

Creating an unsigned appx package

Opening a command prompt and navigating to Current directory above and entering the Command line (changed the output slightly to create a new package name ‘MyCoolApp_1.0.0.0_AnyCPUForJEFF.appx’) I get this:

image

Using the same trick of copying and renaming the file with a .zip extension I can open it and see it is very similar to the Visual Studio generated package:

image

The stuff that is missing is the code integrity information and the certificate.  You could pass this off to someone who could sign it themselves now.

How to sign the package

For the sake of completeness I will sign this package the same way Visual Studio does.  Again, back to our friend Process Monitor and look for Signtool.exe and look for the process starting and the startup parameters:

Command line:    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /fd sha256 /f "MyCoolApp_TemporaryKey.pfx" "C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\AppPackages\MyCoolApp_1.0.0.0_AnyCPU_Test\MyCoolApp_1.0.0.0_AnyCPU.appx"
Current directory:    C:\Users\jsanders\Documents\MyCoolApp\MyCoolApp\

Again, using this information we will sign the package (JEFF version of course) and compare it.

image

image

Some people get confused and try to use a .CER file to sign the package.  That is incorrect!  You have to use a .pxf file.  You can generate a .pxf file from a .cer file however.  This is covered in detail (SO READ IT) in this article How to create an app package signing certificate.  Here are some sample commands to generate a self signed cert and converting it to a pxf file for signing (assumes you gave it a password of: pwd and the publisher name of your manifest is ‘Contoso.AssetTracker’):

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\MakeCert" /n "CN=Contoso.AssetTracker" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /e "12/31/2016" /sv MyKey.pvk MyKey.cer

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\Pvk2Pfx" /pvk  MyKey.pvk /pi "pwd" /spc MyKey.cer /pfx MyKey.pfx /po "pwd"

Conclusion

There is no mystery to this process and we do document the tools, but this may help you put it all together! 

Let me know if this was useful to you! 

Follow me @jsandersrocks and my team at @WSDevSol on Twitter.

More information

App packager (MakeAppx.exe)

How to create an app package signing certificate

How to sign an app package using SignTool

Process Monitor


Comments (3)

  1. fady says:

    what is this in the command C:UsersjsandersDocumentsMyCoolAppMyCoolAppAppPackagesMyCoolApp_1.0.0.0_AnyCPU_TestMyCoolApp_1.0.0.0_AnyCPU.appx

    if my app is created for the first time and i have not created any package before how i am going to create this

  2. fady says:

    can you please created a .bat file to automate this process and attach it with the post

  3. Alexander says:

    Hi Jeff,

    Thank you for a such great article. That was really helpful. The only thing is missing is a creation of .appxsym and .appxupload files. I wonder if you could shed some light on that.

Skip to main content