Digital Signature

This page can be used to digitally sign your Windows Store App package. A valid certificate will be required in order to digitally sign the package.

Enable signing

You will be able to sign the package by checking this checkbox.

Reset All

This button can be used to clear all fields.

Software Publisher Certificate

Use certificate from system store

Choose one of the currently installed certificates.

<Most suited certificate> - By checking this option, "SignTool.exe" will use the best certificate from the system certificates store to sign the files.

Note: To view or manage certificates inside the system store, you can use the certmgr.msc tool (press Windows Key + R, type "certmgr.msc" and press Enter).

Use file from disk

When this option is selected, the certificate used to sign the files is loaded from a local disk file. You will be requested to specify the path of the certificate from the hard disk each time you pick this option.

Note: Advanced Installer supports both Personal Information Exchange PKCS #12 (.pfx) and X.509 (.cer) certificates. The .pfx certificates contain both the public and private keys. The .cer certificates contain only the public key, the private key being stored on a USB eToken (protected by a password).

Certificate - The path to the certificate on disk is provided in this field. You can choose a certificate from your hard drive by pressing the [ ... ] button in the same field.

Note: PFX certificates are recommended; you can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files. If the PFX file is protected with a password, the “Selected certificate requires a password. Select how to transmit it to signing tool:” section will be visible.

  • pvk2pfx is available as part of the Platform SDK.

Private Key - The path to the private key file. You can choose one from your hard drive by pressing the [ ... ] button. Because PFX certificates do not have a separate private key file, this field is hidden by default.

Enter a password each time project is built - You will be prompted to enter the password when the AppX package is built.

Note: Because Advanced Installer remembers the password for PFX files, you will only be asked for it once.

Store encrypted password in the project file - The encrypted password will be retained in the project and used to sign the installation files throughout the build process. This is a valuable option for unattended builds.

Password - The password for the PFX certificate.

Confirm password - Confirm the PFX certificate password.

Use from Azure Key Vault

Please visit this article in order to have a better understanding of this functionality: Azure Key Vault basic concepts.

Important: Signing using a certificate from Azure Key Vault only works on Windows 10.

Tenant ID

The Azure Active Directory tenant where the Key Vault resides. This field is mandatory!

App ID

The Azure application's identifier that has access to the Key Vault. This field is required!

Vault Name

The name of the Key Vault. This field is mandatory!

Certificate Name

The name of the certificate stored in the Key Vault. This is a mandatory field!

Certificate Version

Multiple versions of a certificate can be kept in a Key Vault. A version is identified by the string contained in this field.

Note: When this field is empty, Azure Key Vault signs with the latest certificate version.

Client Secret

When a file is signed, the user will be prompted to enter the Client secret associated with the application identified by the App ID. The Client secret is not stored in the project file.

Using command line

When using Advanced Installer from the command line, you can set the Client secret using the following command: SetAzureKeyVaultSecret

Important: Because the Client secret is not stored in the project file, the SetAzureKeyVaultSecret command can be used only from a .AIC command file.

For increased security, the Client secret can be stored in an environment variable using the -secret_is_env_var_name switch. With this switch, the command interprets the value entered as a parameter as the name of an environment variable that holds the secret, so the secret itself never appears in the command file.

Use Device Guard for signing

Important: Device Guard signing only works on Windows 10.

You'll need an Azure account set up for Device Guard signing in order to sign a package with Device Guard. See this article if you need to learn more about the setup: Sign an MSIX package with Device Guard signing

Note: The Publisher ID from the Package Information page must adhere to the following format: CN=account_name.onmicrosoft.com

Using command line

You can set the Device Guard signing account name and password using the following command: SetMsActiveDirectoryCredentials.

Important: The SetMsActiveDirectoryCredentials command can only be used from a .AIC command file because the password is not saved in the project or the registry.

Example of a command file:
SetMsActiveDirectoryCredentials -username user_name -password account_password [-password_is_env_var_name]
build -buildslist Build_MSIX_APPX -force

Note: Alternatively, you can use the optional command line parameter [-password_is_env_var_name] to provide the name of an environment variable that holds the password instead of the actual password.

Caution! Signing a file using Device Guard may result in an error indicating that the timestamp cannot be applied if the account is not correctly configured for Device Guard signing.

Signature Properties

Signature properties are required to display the exact AppX package name on the UAC prompt.

Description

This field contains the signed content's description. It will be shown in the Windows UAC prompt after you click the "Install" button.

Description URL

This field includes a link to a page that offers a detailed explanation of the signed content. The URL will be used in the "Open File - Security Warning" box when the package is opened from an untrusted place (for example, the network), where the "Name" field will become a link to the URL you supplied.

Timestamp service URL

A digital certificate has a validity period. After that period has expired, the signed code is no longer considered certified. To avoid this, a timestamp can be added at signing time, attesting that the certificate was valid at the moment of signing.

The “Time Stamp URL” specifies the URL of the time stamp server. This URL points to a DLL located on a server that is used for this purpose. An example of such a server is:
https://sectigo.com/resource-library/time-stamping-server.

Note: Signing AppX packages is supported only on Windows 8 or later.
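As an added post-build check (an example script written for this page, not part of Advanced Installer or its documentation), the following PowerShell verifies that the built package carries a valid signature, that it has the timestamp countersignature described above so it keeps validating after the certificate expires, and that the signer's subject matches the Publisher declared in the manifest (the same Publisher ID discussed under Device Guard). The package path and the exit codes are assumptions of this example.

```powershell
# Added example, not from the Advanced Installer docs.
# Checks: (1) valid Authenticode signature, (2) timestamp countersignature,
# (3) manifest Publisher equals the signing certificate subject.
# Assumption: $PackagePath is a placeholder; point it at your built package.
param([string]$PackagePath = 'C:\builds\YourApp.appx')

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxPublisher([string]$Path) {
    # Read Identity/@Publisher directly from the AppxManifest.xml entry in the package.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        try { ([xml]$reader.ReadToEnd()).Package.Identity.Publisher }
        finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status: $($sig.Status) ($($sig.StatusMessage))"
    exit 1
}

$signer = $sig.SignerCertificate
Write-Host "Signer subject : $($signer.Subject)"
Write-Host "Cert validity  : $($signer.NotBefore) to $($signer.NotAfter)"

if ($null -eq $sig.TimeStamperCertificate) {
    # Without a timestamp the signature stops validating once NotAfter passes.
    Write-Warning 'No timestamp countersignature on this package.'
    exit 2
}
Write-Host "Timestamped by : $($sig.TimeStamperCertificate.Subject)"

$publisher = Get-AppxPublisher $PackagePath
if ($publisher -ne $signer.Subject) {
    # AppX requires the manifest Publisher to equal the signing certificate's subject.
    Write-Warning "Manifest Publisher '$publisher' differs from signer subject '$($signer.Subject)'."
} else {
    Write-Host 'Signature, timestamp and publisher checks passed.'
}
```

The publisher comparison is a plain string compare, so a difference in X.500 name formatting (attribute order or spacing) produces the warning even when the names denote the same subject; treat it as a prompt to inspect rather than a hard failure.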

Timestamp delay (ms)

This parameter allows you to set the number of milliseconds that Advanced Installer should wait between two consecutive signing procedures.