Signing MSIX Packages by Flexera

Jan 30, 2023 | Bob Kelly | 0 |

MSIX packages must be digitally signed for successful installation on endpoints. Unlike standard packages, this is a new and mandatory requirement for MSIX packages. While this might be one additional step in your application packaging process, signing makes MSIX safe and secure.

Why sign MSIX packages?

Signing adds integrity and trust to your package, hence enhancing the overall security of the package.

When the content of an MSIX package is extracted, among various other files and folders, you will see two essential files – AppxBlockMap.xml and Appxsignature.p7x. AppxBlockMap.xml is created while building an MSIX package. This file contains the list of all the application’s files and their cryptographic hashes for each data block. The Appxsignature.p7x file is added to the package during the signing and contains the signature information. Windows verifies the information in these files to validate the integrity of the package and its content during installation. If the content of the package is tampered with, then Windows will block the application from launching. This ensures no opportunity for an attacker to add malicious files to your package, so it is sure to contain only intended files placed there by the vendor or administrator that built it.

MSIX packages must be signed with a code-signing digital certificate with time stamping obtained from a publicly registered Certificate Authority (CA); only such will be considered trusted certificates. Microsoft updates the list of registered Certificate Authorities in the Windows OS; therefore, any package signed using a trusted certificate will be automatically trusted by the OS to install successfully. While signing an MSIX package, the Publisher name of the package in the AppxManifest.xml file must match the Subject information of the digital certificate used to sign the package. If there is a mismatch, the signing will fail. This mandatory requirement ensures that the package always comes from a source who claims to be the proper source. An attacker can inject a malicious file into a package and successfully build MSIX, breaking the signature from the actual source. Although trusted certificates are susceptible assets, there is no way an attacker can get access to the trusted certificate from the actual authority to sign the package again. A tampered package will either have a broken or a false signature, making it easy for Windows OS to identify and flag such packages as untrusted, thus keeping your devices safe.

What are the different methods one can use to sign MSIX packages?

Here are a few different ways of signing an MSIX package:

Digital Certificate File (.pfx): A code-signing trusted certificate, or a self-signed certificate, which contains both public and private keys, can be used to sign an MSIX package. This will also require a certificate password. It is strongly recommended to use time stamping while signing a package. Time stamping ensures the package installation does not fail even if the certificate is expired by assuring the Windows OS that the certificate was valid when the package was signed.

Certificate Store: MSIX packages can be signed using a certificate installed in the certificate store of a machine. While installing a certificate (.pfx), the device will prompt for the certificate password, so you will not again need a certificate (.pfx) and the password during the signing. Instead, you need to point to the certificate installed from the certificate store. Certificates could be installed on a device using a GPO or other mechanism. This method will be most appropriate when the preference is not to directly share the certificate file (.pfx) and password to avoid falling into the wrong hands, thus making it a more secure process.

Device Guard Signing: Device Guard Signing is a feature available in Microsoft Store for business. This method requires an Azure account and a Device Guard signer role in Microsoft Store for Business/Education.

Azure Key Vault: Azure Key Vault is one of the services in Azure to store sensitive data like connection strings etc. Azure Key Vault can also store digital certificates. Signing using Azure Key Vault requires the following prerequisites:

An Azure account
Creating/importing a certificate into Azure Key Vault
Registering a new application in Azure and obtaining ‘Application (client) ID’ and ‘Client Secret.’
Installing AzureSignTool through .Net Core CLI. The latest version of .Net Core SDK should be installed on the machine to use .Net Core CLI to install AzureSignTool

This article was recommended by Bob Kelly and written by his colleague with the handle kmantagi (Flexera)

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

The InstallShield, MSI Projects course provides you with a solid understanding of installation terminology, the tasks an installation program needs to perform, and the InstallShield development environment.

In this course, you will learn how to customize your installation with custom actions in order to make changes to your end users’ systems. You will also see how to correctly identify, install, and configure special types of files (e.g., COM servers, Windows services, and .NET assemblies). Finally, you will understand how to perform simple to sophisticated changes to your installation’s user interface.

This course teaches you how to create Basic MSI projects, which use the Windows Installer service (MSI) for the installation’s behavior and appearance. This course does not cover InstallScript MSI projects.

COURSE OBJECTIVES

In this class you will learn how to:

Create and organize an installation project
Install files and create shortcuts
Install and configure special types of files and data, such as registry and INI data, COM servers, Windows services, and .NET assemblies
Work with MSI sequences and custom actions
Customize your installer’s user interface
Package your installer for Windows Vista, Windows 7, and later
Use the Automation interface to modify your project outside the graphical environment

COURSE PREREQUISITES

Previous InstallShield experience is not required; however, you should be comfortable with the following:

Using Windows Explorer and the command prompt to create and manage files, and run executables
Basic Windows terminology (e.g. DLL, Control Panel, etc.)

Later sections of the course assume familiarity with programming or scripting languages such as VBScript, C or C++, and C#.

Time

15 (Monday) 9:00 am - 19 (Friday) 4:30 pm(GMT-05:00) View in my time

Location

Online

Register Here!

Calendar GoogleCal

Organizer

T-Lux Group

TLUX was founded in 2014 and since then has been leveraging over 25 years experience in the Application Packaging, Installation Authoring and End-User Computing/Desktop Deployment space. Operating out of two bases in London and Ulm, Germany – we are the global certified Professional Services provider for Flexera and Revenera as well as having a global partner network throughout EMEA, the USA and APAC – bringing our world class consulting and training offerings to clients of all shapes, sizes and industries. We have a wide range of services offerings from training and bespoke workshops, through to complete AdminStudio implementations and integrations, an Application Packaging ‘Factory’ capability as well as helping manage and maintain the installation strategies, builds and deployment configurations for many organisations. Letting them get on with their core business.

124 City Road, London, EC1V 2NX, United Kingdom

22apr(apr 22)9:00 am26(apr 26)4:30 pmEMEA: Application Packaging with AdminStudio 2023

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

The AdminStudio application packaging training course will teach you to use AdminStudio to repackage traditional setups into Windows Installer packages and customize those packages to meet specific needs. Learn application packaging best practices and much more.

In this application packaging training course, you will also gain experience in creating transforms for existing third-party MSI packages and improving package quality through identifying and resolving conflicts between packages, validation and automated tests before deploying your applications.

COURSE OBJECTIVES

In this class you will learn:

How to prepare your development systems, test systems and documentation for the application-migration process
How to use AdminStudio’s Repackager to convert traditional setups to Windows Installer setups and virtual applications
How to enhance and customize repackaged setups using the InstallShield Editor and to correct validation errors
How to use AdminStudio’s Test Center to identify and resolve potential issues using automated test cases and Best Practices.
How to use AdminStudio’s Tuner to customize the installation of existing Windows Installer setups——to meet your company-specific requirements
How to convert MSI packages to virtual packages

COURSE PREREQUISITES

Previous AdminStudio experience is not required; however, you should be comfortable with the following:

Using Windows Explorer and the command prompt to create and manage files and run executables
Basic Windows terminology (e.g. DLL, Control Panel, etc.)

COURSE CURRICULUM

The following course sections and topics will be covered in the class. If you have a specific area that you think might need extra attention, mention it to your instructor on the first day of application packaging training.

Time

22 (Monday) 9:00 am - 26 (Friday) 4:30 pm(GMT+00:00) View in my time

Location

Online

Register Here!

Calendar GoogleCal

Organizer

T-Lux Group

124 City Road, London, EC1V 2NX, United Kingdom

may 2024

13may(may 13)9:00 am17(may 17)5:00 pmIT Pro Masters Packaging for MSIXMasters Level

Event Details

TMurgent is bringing Tim Mangan and his world-renowned training back to The Netherlands, and now we focus exclusively on Packaging for MSIX.

The Masters Packaging for MSIX class will be run by TMurgent. This 4-day class is designed to accommodate students that are new to packaging, new to MSIX, and especially those with significant prior experience.

We will provide you with both theory and practical hands-on experience in our training lab. We will cover the commonly used tooling from Microsoft, our own tools, and a few others as well.

We recommend the in-person classroom experience, however remote students are accepted in this class also.

NOTE: YOU MUST REQUEST REMOTE AT LEAST 30 DAYS PRIOR TO START OF CLASS!

Prerequisites:

The course is designed for people with a general background in IT and/or Packaging. We take students with or without prior experience in MSIX. Although Software Developers are not targeted for this course, and we will not be covering developer material, Developers are welcome.

There are no hard pre-requisites to be able to take the class, however, the following are helpful:

Knowledge and experience with general Microsoft Windows Administration.
Experience with other “packaging” techniques helpful.
Experience with Application Deployment.
Help Desk Experience.

The training site will provide desktop Computers to access the Labs. You are welcome to bring your own VMs, on your laptop or back in your office via VPN, but we do provide all of the VMs you need. Remote students will provide their own VMs based on information we provide after registration.

Syllabus

IT Pro Masters Packaging for MSIX

A 4-day (in-person) or 8 half-days (when remote) hands-on class where you will learn the concepts, techniques, and latest tricks to be successful and packaging and configuring applications for delivery within the Enterprise using Microsoft MSIX.

Whether you use modern or traditional application delivery methods, the applications your company depends on must be customized, and in many cases remediated to work in today’s desktops. MSIX is the future for new applications, and while not all traditional applications will work in the MSIX container, this class will give you the ability to get the most application compatibility possible today.

Syllabus

1. Concepts of Packaging

Principals and rules of Packaging
Filter Drivers, Function hooking, and Dll Injection
MSIX technology overview
Principals of Redirection and Copy-on-Write
Anatomy of an installer package and the Windows API

2. Overview of Delivery Options

Including Configuration Manager, Intune, App Attach, PowerShell, and 3rd Party Managers.

3. Fundamentals of the MSIX Package Format and Runtime

4. Setting up VMs for Packaging and Testing

Setting up a MSIX Capture Station
Setting up a “Smoke Test” Station

5. Packaging with App-V and MSIX

Hands-on Labs covering Best Practices, VFS techniques, Modification Packages, Plug-Ins, AppInstaller updates, Shared Package Containers, the PSF Fixes, and package scripts.
PowerShell for MSIX
Using MSX Packaging Tool
The 7 fixups available from the PSF
Using PsfTooling
Using TMEditX
Using other Third-party tools for MSIX
Automation
MSIX App Attach, VHD/X and CIM

6. Debugging Techniques for MSIX and apps in general

7. Conversion from App-V to MSIX

Time

13 (Monday) 9:00 am - 17 (Friday) 5:00 pm(GMT+02:00) View in my time

Location

PDS Training Center

Parallelweg Oost 13a, Culemborg

Register Here!

Calendar GoogleCal

Organizer

Professional Development Systems b.v.

Parallelweg Oost 13a 4103 NC Culemborg

june 2024

03jun(jun 3)1:00 pm13(jun 13)5:00 pmIT Pro Masters Packaging for MSIX

Event Details

TMurgent is continuing our world renowned MSIX training with remote learning. Since the pandemic started, we have heard from some customers that they need the training but just still can’t, or don’t want to, travel.

This class is widely considered to be the ultimate place to learn about MSIX Packaging, and will be delivered remotely, allowing you to train from work or home without travel.

Book With Confidence / No Cancelation Policy: Whenever a single student is registered and confirmed for a class, we will not cancel the class. Period.

The Masters Level MSIX Packaging class will be run by TMurgent. This 8-day class (4 hours/day) will provide you with both theory and practical hands-on experience in our training lab. This class is both for those who are new to MSIX, and those with prior experience already.

The class will be held online at a time optimally convenient to Europeans and Americans.

Note: The class is an 8-day class for 4 hours each day.

Prerequisites:

The course is designed for people with a general background in IT and/or Packaging. We take students with or without prior experience in App-V.

There are no hard pre-requisites to be able to take the class, however, the following are helpful:

Knowledge and experience with general Microsoft Server Administration.
Knowledge and experience with SQL Server Administration.
Experience with other “packaging” techniques helpful.
Experience with App-V Administration and Sequencing.

Remote students (only) will be required to build your own VMs at your site prior to the start of the class:

Each student will require two Windows VMs.
Our pre-class prep kit will provide detailed written instructions, a video introduction to building the VMs, and installers for the tools needed.
Any type of hypervisor may be used, but the student must have access to create and revert to “snapshots”.
You will need additional storage on a share for the application installers and created packages.
It is highly recommended that students have two monitors, microphone, video camera, and earphones.

In-person students (when available) need to bring a laptop with wireless lan to tap into lab equipment provided.

Syllabus

IT Pro Masters Packaging for MSIX

Syllabus

1. Concepts of Packaging

Principals and rules of Packaging
Filter Drivers, Function hooking, and Dll Injection
MSIX technology overview
Principals of Redirection and Copy-on-Write
Anatomy of an installer package and the Windows API

2. Overview of Delivery Options

Including Configuration Manager, Intune, App Attach, PowerShell, and 3rd Party Managers.

3. Fundamentals of the MSIX Package Format and Runtime

4. Setting up VMs for Packaging and Testing

Setting up a MSIX Capture Station
Setting up a “Smoke Test” Station

5. Packaging with App-V and MSIX

Hands-on Labs covering Best Practices, VFS techniques, Modification Packages, Plug-Ins, AppInstaller updates, Shared Package Containers, the PSF Fixes, and package scripts.
PowerShell for MSIX
Using MSX Packaging Tool
The 7 fixups available from the PSF
Using PsfTooling
Using TMEditX
Using other Third-party tools for MSIX
Automation
MSIX App Attach, VHD/X and CIM

6. Debugging Techniques for MSIX and apps in general

7. Conversion from App-V to MSIX

Time

3 (Monday) 1:00 pm - 13 (Thursday) 5:00 pm(GMT+02:00) View in my time

Location

https://expert-class.ch/

Register Here!

Calendar GoogleCal

Organizer

https://expert-class.ch/

10jun(jun 10)9:00 am14(jun 14)4:30 pmEMEA: Learning MSI Projects with InstallShield 2023

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

COURSE OBJECTIVES

In this class you will learn how to:

Create and organize an installation project
Install files and create shortcuts
Install and configure special types of files and data, such as registry and INI data, COM servers, Windows services, and .NET assemblies
Work with MSI sequences and custom actions
Customize your installer’s user interface
Package your installer for Windows Vista, Windows 7, and later
Use the Automation interface to modify your project outside the graphical environment

COURSE PREREQUISITES

Previous InstallShield experience is not required; however, you should be comfortable with the following:

Using Windows Explorer and the command prompt to create and manage files, and run executables
Basic Windows terminology (e.g. DLL, Control Panel, etc.)

Later sections of the course assume familiarity with programming or scripting languages such as VBScript, C or C++, and C#.

Time

10 (Monday) 9:00 am - 14 (Friday) 4:30 pm(GMT+00:00) View in my time

Location

Online

Register Here!

Calendar GoogleCal

Organizer

T-Lux Group

124 City Road, London, EC1V 2NX, United Kingdom

24jun(jun 24)9:00 am28(jun 28)4:30 pmUSA: Application Packaging with AdminStudio 2023

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

COURSE OBJECTIVES

In this class you will learn:

How to prepare your development systems, test systems and documentation for the application-migration process
How to use AdminStudio’s Repackager to convert traditional setups to Windows Installer setups and virtual applications
How to enhance and customize repackaged setups using the InstallShield Editor and to correct validation errors
How to use AdminStudio’s Test Center to identify and resolve potential issues using automated test cases and Best Practices.
How to use AdminStudio’s Tuner to customize the installation of existing Windows Installer setups——to meet your company-specific requirements
How to convert MSI packages to virtual packages

COURSE PREREQUISITES

Previous AdminStudio experience is not required; however, you should be comfortable with the following:

Using Windows Explorer and the command prompt to create and manage files and run executables
Basic Windows terminology (e.g. DLL, Control Panel, etc.)

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Signing MSIX Packages by Flexera

Related Posts

Leave a reply Cancel reply

Free Download

Recent App Tips

Recent Comments

Upcoming Events

Event Details

Event Details

Covered Topics

Time

Location

Organizer

Event Details

Event Details

Time

Location

Organizer

Upcoming Courses

Event Details

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

COURSE OBJECTIVES

COURSE PREREQUISITES

Time

Location

Register Here!

Organizer

Event Details

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

COURSE OBJECTIVES

COURSE PREREQUISITES

COURSE CURRICULUM

Time

Location

Register Here!

Organizer

Event Details

Event Details

Prerequisites:

Syllabus

Time

Location

Register Here!

Organizer

Event Details

Event Details

Prerequisites:

Syllabus

Time

Location

Register Here!

Organizer

Event Details

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

COURSE OBJECTIVES

COURSE PREREQUISITES

Time

Location

Register Here!

Organizer

Event Details

Event Details

DELIVERY APPROACH: 5 day remotely delivered instructor-led live class

COURSE OBJECTIVES

COURSE PREREQUISITES

COURSE CURRICULUM

Time

Location

Register Here!

Organizer