Windows codesigning?

I’ve been paying for EV codesigning certificates for some years. Prices have gone up substantially this year. Do we still really need this? Is the Windows Store a viable distribution option now (apps there are signed by the Store, as I understand it)? This issue is not Xojo-specific, of course, and if anyone knows an online forum where this question might be more appropriate, please let me know.
Thanks in advance.

Well, it’s nice to know that at least Google’s search engine read my previous post. I searched today for a similar question without reference to Xojo, and my question on this Xojo forum was in the top 30 results.

I’ll try a different spin: if I create win32 apps in Xojo and distribute via the Microsoft Store, do I need a separate codesigning certificate? Is anyone doing this NOW …in 2023? Are there any issues with Xojo apps in the MS Store?

Thanks in advance.

This piqued my interest. I’m not using Windows Store (sorry… I know it’s awful when you want to hear from someone who does x and then you get a response that says ‘doesn’t affect me’)
But I was curious about MSIX

As far as I can tell, if you sign up to the Windows Store, and get the MSIX packager, then it is all done for you.
Which is significant, since all other methods I found for MSIX (Advanced installer, for example), are happy to tell you how easy they make it, right until you reach the small print where it costs serious money
A landing screen describes it as

Free Windows Installer
Building MSI installers for 20+ years.
Unmatched support for MSIX technology.

However the basic edition is $499, and the easy-peasy repackager which takes your existing installer and makes it into a MSIX, is a very reasonable (!) $3599

So if it is possible through the Windows Store, that’s a significant saving.

One free one here:

(no idea how good or bad it is or if it is suitable for Xojo applications or not but it’s open source)

TLDR; As far as your app with installer gets certified as ok, safe, properly done… Microsoft will codesign it for you using the store certificate.

But… all MSIX packages submitted must be signed. I don’t know if the store will accept self-signed ones but people use them all the time to create MSIX packages for local tests.

And you don’t need Advanced Installer, Inno Setup (free) suffices.

MSIX Hero uses either the certificates that the OP is concerned about, or self-signed certs which are fine for your own machine, but not for general distribution.

The question here is ‘can we ship via Windows Store WITHOUT buying a certificate in our own names at extortionate rates’

ie: if we choose not to buy a new certificate, will selling via the Windows Store handle it for us?

I would think you always need a certificate in the end if going in the store.

(I may be wrong but I think the chance that you need a real certificate there is very high)

:point_down:t2:

Whatever certificate you used will be removed and MS will use theirs.

Where to start? With a Dev Partner Account: https://partner.microsoft.com/dashboard/apps-and-games/overview

BTW, why Xojo isn’t there?

BTW, to create your MSIX app installer, you will need the MSIX Packaging Tool; MSIX Hero is a Swiss knife of tools, used, for example, for the easy creation and import of a self-signed certificate or using other certificate options, and manipulation of already made MSIX packages. I have a MS partner account. I’ll try to find some time tomorrow to try to see if a self-signed cert works for submission and see if troubles will arise.

1 Like

So I tried this (intrigued by this thread)

No certificate is needed, MS will sign it as Rick said when submitting to the store.

You can self-sign just to be able to test the MSIX installer and then submit the self-signed one. (Submitting with no signature is OK also, but then you cannot test it yourself before.)

Knowing little to nothing, then the whole process was easy. From the time of creating the MSIX and through the process of submitting to the App store (it’s in review now).

I had an Inno Setup installer for my app previously and I just ran MSIX Packaging Tool and had it listen to what happened when I installed with the Inno Setup installer. And then the MSIX installer was done.

Then I self-signed the MSIX package with MSIX Hero, just to be able to test the installer.

After that it was just steps in the MS Store to fulfill.

(Note I had to buy a one-time Developer store account in the MS Store; it was somewhere close to $20 (hard to have the exact amount since it was displayed in my currency).)

One oddity when packaging a legacy app like this is that you get a warning on “runFullTrust” and will need to explain why your application needs to use that. And it took me a while to figure out why my app had this and how to explain it in the review.

When packaged like that then you put in as explanation:
Application has been packaged with the Desktop Bridge

8 Likes

Seems that those are key steps for Xojo Apps submission.

So, I don’t need further tests.

When using a certificate, be sure your certificate data matches your account data.

I also saw people using self-signed certificates with no password (noticed because I saw it in the name of the certificate that was used, but the dev did not mention anything (selfsigned_certificate_nopass.pfx)) when creating submissions, not sure if it makes something easier for the MS inspector of your package, but kind of makes sense.

Visual Studio needs a manifest with data found in the page “Product Identity” from your app reservation, so I don’t know if this step will be simply ignored due to “packaged with the Desktop Bridge”

Also, that manifest file could contain declarations of capabilities, dependencies, etc. I believe you can fix it using MSIX Hero using drag and drop if needed.

Let’s wait for Björn’s final results.

Thank you, Björn.

very cool of you to document the process. waiting for updates :smiley:

Thank you, Björn Eiríksson, for investigating this! That’s all very useful. Do you presently codesign your Windows apps? Last year, an “EV codesigning certificate” cost about $320, shipping and USB key included, which I could justify, just barely. This year resellers seem to be asking about $420 with a $90 surcharge for shipping and USB key. I see little benefit at that price.

As I see it my options are:

  • Use the Windows Store if there are no major issues,
  • Stop Windows development altogether and focus on Mac+iOS via Flutter and drop Xojo, too,
  • Find a much lower price Windows codesigning option.

N.B.: to the developers/owners of Xojo, these app distribution costs drive away your customers, too.

1 Like

As I said. Those costs go away with MSIX. A sole dev account with MS is like $20, one time only.

What we are now investigating is the best way of packing a Xojo app and its resources in a MSIX install in a way it gets approved at the first try.

I have the impression that Björn’s install still may get some refusal needing some adjustments in the manifest if the guy inspecting his submission does not intervene and make changes on his behalf.

Let’s see. I hope it will not be long.

No, I gave up trying to get a Windows certificate…

The Soviet Era Sectigo did not understand how anything works in Iceland.

“No no no you must have address on your passport”

---- But we have a unique person identifier which links to an online lookup for address. “No matter, it must be in the passport”

It was endless like that; they just do not have a clue how things work here in Iceland or in other places that have gone far in electronic signatures. If they were up to date in tech they could have verified me in 2 min, but instead they could not verify me at all.

2 Likes

Heh. Yeah, I’m familiar with the annual nightmare of Sectigo. I’m amazed that they are not better equipped to deal with Iceland. It’s not as if this is some Shangri-La that has only recently discovered technology.

Here where I live in Rhode Island, USA, we are the opposite end of the spectrum in terms of ID tech, but it’s all still outside the comprehension of the human robots working for Sectigo. For example, here they want proof of my trade name (registered business name). Every year they complain that they cannot find it online in the “state database”, nor can they find it in the county database for my location. That’s because business name registration for sole proprietor businesses is handled exclusively by town clerks here in RI. As for not finding my business in the “county database”, that’s an annual amusement since county government ceased to exist in the mid-19th century in this very small state. What jurisdictions do they actually do right?

But who do we blame for this insanity? Microsoft? They’ve been trying to shut down small developers for years. The Microsoft Store was formerly a mess, but it seems to have improved significantly. It also seems less onerous and coercive.

How do you distribute your own Windows apps (if any are for public consumption)?

Thanks again, and please let us know if your app is approved for the Store.

I have always just distributed without any signing. (Never actually had any complaint on it).

But I guess those that do not know anything about me might be more afraid when getting unsigned.

Yes I will post the progress of the MS store submission, it is after all an experiment :slight_smile:

Björn

2 Likes

I fixed a manifest yesterday, also removed useless files from a bad package with lots of useless content captured during the tool observing changes during the install process. I did it just right-clicking the MSIX file and choosing “Edit with MSIX Packaging Tool”. MSIX Packaging Tool (MPT) → “Package Information” → “Manifest file” → “Open File”; MPT → “Package files” (right-click on garbage, delete). Warning, be sure you are not deleting something really used by the install in any way.

I’ve learned that my machine is incredibly “noisy” to build such installs. That collected garbage into the MSIX. Now I know why the MSIX inspection can take some time, probably someone will verify many things and do SOME clean up of your contents at the end if approved. No one can make a better clean up than you.

The solution is building a VM with a very clean Windows 11 with just the MSIX tooling installed, lots of services disabled including Windows Update, Anti-virus, Windows Search, etc. Many can be disabled using MSIX Hero (MH) at MH → System → “Repacking on this machine” option, recommendations will be shown, services can be shown from there too. Also, MH → System → “Automatic updates of store apps” → “Automatic download always disabled”. Once your VM packaging environment is ready, take a snapshot to make it easy to return everything to the “clean state” when you finish.
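The checks discussed in the posts above (Publisher matching the account's Product Identity, the runFullTrust capability, whether a signature file is present, and stray files captured during repackaging) can be run against a package before submission. This is an added example, not code from any poster or from Microsoft; the sample package, the publisher value and the `VFS/ProgramFilesX64/DemoApp/` prefix are constructed, and it assumes the usual MSIX layout (a ZIP with `AppxManifest.xml` at the root and `AppxSignature.p7x` when signed).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
# Files that belong to the package format itself, not to the app payload.
PACKAGE_METADATA = {"AppxManifest.xml", "AppxBlockMap.xml",
                    "AppxSignature.p7x", "[Content_Types].xml"}
PUBLISHER = "CN=00000000-0000-0000-0000-000000000000"  # constructed placeholder


def inspect_msix(data, expected_publisher, app_prefix):
    """Report the manifest and payload facts a Store review touches."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    identity = root.find(f"{{{FOUNDATION}}}Identity")
    # Capabilities live in several namespaces (rescap, uap, ...); match by tag.
    caps = [el.get("Name") for el in root.iter()
            if el.tag.endswith("}Capability")]
    payload = [n for n in names if n not in PACKAGE_METADATA]
    return {
        "publisher_matches": identity.get("Publisher") == expected_publisher,
        # Presence only: this does not validate the signature.
        "has_signature_file": "AppxSignature.p7x" in names,
        "capabilities": caps,
        "needs_justification": "runFullTrust" in caps,
        "unexpected_files": sorted(n for n in payload
                                   if not n.startswith(app_prefix)),
    }


def build_sample(signed):
    """Constructed sample package with one stray file captured as noise."""
    manifest = (
        f'<Package xmlns="{FOUNDATION}" '
        f'xmlns:rescap="{FOUNDATION}/restrictedcapabilities">'
        f'<Identity Name="Demo.App" Publisher="{PUBLISHER}" Version="1.0.0.0"/>'
        '<Capabilities><rescap:Capability Name="runFullTrust"/></Capabilities>'
        '</Package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("VFS/ProgramFilesX64/DemoApp/DemoApp.exe", b"MZ")
        z.writestr("VFS/ProgramFilesX64/OtherTool/updater.log", b"noise")
        if signed:
            z.writestr("AppxSignature.p7x", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_msix(build_sample(False), PUBLISHER,
                       "VFS/ProgramFilesX64/DemoApp/"))
```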

So…

Here is what I got from the review:

It says:
10.1.1.11 Inaccurate Representation - Icon

Your product must have a united central purpose. An additional installed component visible in the Start Menu does not relate sufficiently to the main product.


Product I was trying to get there is my Registrator Decoder application (to decode the plugins)…

hmmm am not 100% sure what they want me to improve regarding the Icon…

Maybe it’s the uninstall icon they’re complaining about…