Skip to content

Creating UWP App Package

Creating Certificate

A valid certificate is required for the following two reasons:

  1. The UWP app package needs to be signed with a valid certificate
  2. The UWP app can be installed only on the machines that have the corresponding certificate.

To create a certificate for an app, do the followings:

  1. Locate the package manifest file AppxManifest.xml of the app.

  2. Open AppxManifest.xml to find the "Publisher" property under the "Identity" element.

    • It should look like the following:

      <Identity Name="Some-GUID-String" Publisher="Some_Publisher_ID_String" Version="1.2.3.4" />

  3. Open an elevated PowerShell command window and run the following command:

    # The "-Subject" parameter needs to match the "Publisher" property found in the app
New-SelfSignedCertificate -Type Custom -Subject "Some_Publisher_ID_String" -KeyUsage DigitalSignature -FriendlyName "SomeNameForMyApp" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

  4. If the command succeeds, it should return a "thumbprint" string of the created certificate. Save this thumbprint string for later use.

  5. Export the certificate to a .pfx file using the following command in the elevated PowerShell window:
# Replace <Certificate_Thumbprint> with the thumbprint obtained in the previous step
Export-PfxCertificate -cert Cert:\CurrentUser\My\<Certificate_Thumbprint> -FilePath My_Certificate.pfx -ProtectTo $env:UserName

Using Password Instead of Username

The instruction here uses -ProtectTo to create a certificate that works for the current user. If the certificate needs to be installed by another user (e.g. you create the app package to let someone else to test the app), then the -Password option should be used instead of -ProtectTo.

See https://learn.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing for more details.

Creating UWP App Package

Given the following:

  1. <path\to\app\binary>: A folder that contains all the binaries for the app, including a valid package manifest file AppxManifest.xml
  2. <my_app>.msix: The name of the output package
  3. <HashAlgo>: The selected hash algorithm for packaging the app. Default is SHA256

Do the following to create the app package:

  1. Locate the makeappx.exe

    • makeappx.exe is part of the Windows dev kits, usually installed under the location like C:\Program Files (x86)\Windows Kits\10\bin\<Version_Number>\<Architect>\makeappx.exe. For example:

      c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\makeappx.exe

  2. Run the following command to create the app package

    makeappx.exe pack -h <HashAlgo> -d <path\to\app\binary> -p <my_app>.msix

  3. If succeeded, a package named <my_app>.msix should be created.

See https://learn.microsoft.com/en-us/windows/msix/package/packaging-uwp-apps for more details.

Windows will not allow user to install this package yet. To allow a user to install this package, 3 more things need to be done:

  1. Sign the app package with a certificate
  2. On the target machine, enable the "developer mode" in Settings
  3. On the target machine, install the certificate under "Trusted People" store.

Enabling Developer Mode

To enable the "developer mode" option in Windows, do the following:

  1. Open Settings app.
  2. Go to "Privacy & security" --> "For developers"
  3. Toggle on the "Developer Mode" option.

Signing the App Package

To sign the app package, do the followings:

  1. Locate the SignTool.exe
    • SignTool.exe is part of the Windows dev kits, usually installed under the same location as makeappx.exe

  2. Run the following command to sign the app package:

    SignTool sign -fd <HashAlgo> -a -f <my_certificate>.pfx  <my_app>.msix

See https://learn.microsoft.com/en-us/windows/msix/package/sign-app-package-using-signtool

Installing Certificate

Windows does not allow user to install private app unless

  1. The developer mode is enabled.
  2. The certificate for the app is installed under appropriate store such as "Trusted People"

The steps to enable the developer mode has been documented in the above section. To install the certificate, do the following:

  1. Copy the created certificate to the target machine
  2. In the file explorer, double click the certificate file. A dialog will pop up asking user to choose the "Store Location." Choose the "Local Machine" option.
  3. In the next step, the dialog window will ask user to confirm the location of the certificate. Just click "Next" as the location of the certificate has been pre-filled.
  4. In the next step, the dialog window will ask user to specify the password and import options. Keep them as default as click "Next".
  5. In the next step, the dialog window will ask user how to choose the Store location. Select "Place all certificates in the following store", click "Browse..." button, and choose "Trusted People" store. Click Next.
  6. Review the confirmation information, then click "Finish" to install the certificate.

See https://www.youtube.com/watch?v=s40bCNnFUgg for more information

Installing the App Package

User should be able to install the app package on a target machine if:

  • The package has been signed with a certificate
  • The said certificate has been installed on the target machine
  • The "developer mode" is enabled on the target machine.

To install the package, simply double click the package file in the file explorer.