
Take a look at the attached image. This is an appx that is signed by Microsoft. The signature is timestamped. But, it's now an "Untrusted App."

Just had this happen to my software. I can't resign old application packages (Appx, MSIX, Appxbundle, or MSIXBundle) with my new certificate.

From a business standpoint, this is horrible.

Is there a way to sign an Appx bundle or MSIX bundle without it being listed as untrusted in the future?

Edit:

Honestly, I'm not sure if this is just my systems. I hope it's just my network, or something. But, I'd like to figure this out. Seems very important.

Some updates:

  1. Didn't find anything of value in the Event Log.
  2. I'm hoping my system is torn, because if this is the new normal, this is bad for business.
  3. Here's the Microsoft signed and timestamped Appx. If someone else could verify if this is Trusted, Untrusted, or "Trusted Microsoft Store App," please post here.

I guess the questions are:

  • Do signed and timestamped Appx/MSIX packages become "untrusted" after the certificate expires?
  • If not, what's causing it on my system?
  • If so, what is a "Trusted Microsoft Store App," and is it immune to this effect?
  • Also, if so, why? What are we trusting anyway? Does Authenticode work or not? What authority, and by what mechanism, does trust derive?

Cheers!


Signed by Microsoft, timestamped, but no longer trusted?

Michael T
  • You could sign your package using the sign tool. You could check: [Sign an app package using SignTool](https://learn.microsoft.com/en-us/windows/msix/package/sign-app-package-using-signtool) – Roy Li - MSFT Aug 13 '20 at 08:26
  • Can you check the Event Viewer logs (AppX logs)? Maybe it can give us more details about why it flags the app as untrusted? It seems kind of strange to do so just because the certificate expired since we have a timestamp. Also, you can take this question down to the MSIX MS community, maybe they know more about it... https://techcommunity.microsoft.com/t5/msix/ct-p/MSIX – Bogdan Mitrache Aug 13 '20 at 17:44
  • Yeah, it happened to my personal app that I sell online, sideload. Also sell in MS Store, but that's fine. Edit: on phone now... that C++ 14 Appx I got from stock Win10 dev kit a few months ago. Figured I should check it, because I link to it from my site. Anyway, I noticed that newer version of same Appx is listed as a Microsoft Store App or something. There's gotta be a difference there. Anyway, this cost me a good bit of coin, and just want to know the new rules. But, yeah, happened the minute the cert expired. Not sure what to look for in logs or event viewer. Thanks and cheers! – Michael T Aug 13 '20 at 19:37
  • Also, to Roy, I did use signtool to sign the app. That's how I got the timestamp. By default, VS doesn't timestamp. Guess we know why now. But, to make matters worse, I can only sign my Appx packages with the cert they were compiled with. Maybe there's a way around this if I learn to unpack Appx and repack them. As it is, my past two years of releases are unusable for my customers. I bundled some customers' custom installs; waiting to hear back from them :( – Michael T Aug 13 '20 at 19:49
  • Did you use "lifetime signing" when signing the package? That is a flag used for testing that invalidates the signature when the certificate expires. – Peter Torr - MSFT Aug 14 '20 at 00:15
  • Hi Peter, no. There's nothing wrong with the signature or the certificate or the method. Even though it says it's an "untrusted app," it still verifies the origin of the application. It's saying, 100%, without a doubt, what company signed the Appx/MSIX. It says, "the digital signature is OK." But, it's labeling it as untrusted. Download and test my MS example. It's signed by MS. Don't have to install it to get that screen. Older versions of Win10 don't display that image. My legacy MSI installers are still trusted, much like the MS Visual C++.exe installers from years ago. Cheers! – Michael T Aug 14 '20 at 01:33
  • I checked here - I get the same "Untrusted app" error even though the signature appears to be valid. I'll see if anyone has ideas. – Peter Torr - MSFT Aug 14 '20 at 23:07
  • (The difference between "Trusted app" and "Trusted MS Store app" is whether the signature comes from the MS Store or a 3rd-party trusted root. The difference should only matter if you turn on "Store only" apps in Settings). – Peter Torr - MSFT Aug 14 '20 at 23:13

1 Answer

This is a known bug in the AppInstaller UX; the file is correctly signed and it can be installed with PowerShell (or of course the Store if the package was in the Store). Although I can't give you a date when it will be fixed, the good news is that AppInstaller is itself an app, so it will get updated to all users fairly quickly once the patch is released (you don't have to wait for a Windows Update).

To answer your other question: a "Trusted Microsoft Store App" is one with a signature that comes from the Microsoft Store, and thus can always be installed. If you sign the package with any other trusted certificate, it is simply a "Trusted App" and can only be installed if the user has selected some version of "allow apps from Anywhere" in Settings -> Apps & Features.

Peter Torr - MSFT
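The answer's workaround is to install from PowerShell rather than through the App Installer UX, and the comments raise two things worth checking on a package before doing that: whether the signature was timestamped, and whether the signing certificate carries the "lifetime signing" EKU that Peter Torr asks about. The script below is an added example, not code from the question, the answer, or Microsoft; the package path is a placeholder, the signing certificate's root is assumed to already be trusted on the machine, and the session is assumed to have the rights needed for sideloading. It prints the signer, expiry and timestamp details, warns on the two failure modes, refuses to install if Windows reports the signature as anything other than Valid, and otherwise installs the package with Add-AppxPackage.

```powershell
# Added example (not from the original question or answer): inspect an
# Appx/MSIX package's Authenticode signature, timestamp and lifetime-signing
# EKU, then install it with Add-AppxPackage, the route the answer recommends.
# Assumptions (not on the page): placeholder package path; the signing cert's
# root is already trusted; the session may sideload packages.
param(
    [Parameter(Mandatory)]
    [string] $PackagePath    # e.g. .\MyApp_1.0.0.0_x64.msixbundle (placeholder)
)

# Microsoft "Lifetime Signing" EKU. When present, the signature is only
# valid while the signing certificate is unexpired, timestamp or not.
$LifetimeSigningEku = '1.3.6.1.4.1.311.10.3.13'

$sig = Get-AuthenticodeSignature -FilePath $PackagePath

"Status          : $($sig.Status) ($($sig.StatusMessage))"
"Signer          : $($sig.SignerCertificate.Subject)"
"Signer expires  : $($sig.SignerCertificate.NotAfter)"

if ($sig.TimeStamperCertificate) {
    "Timestamped by  : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning 'No timestamp: this signature stops verifying once the signing certificate expires.'
}

$hasLifetimeEku = $sig.SignerCertificate.EnhancedKeyUsageList |
    Where-Object { $_.ObjectId -eq $LifetimeSigningEku }
if ($hasLifetimeEku) {
    Write-Warning 'Signing certificate carries the Lifetime Signing EKU; the timestamp will not keep this signature valid past expiry.'
}

if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is $($sig.Status)"
}

# Optional: signtool (Windows SDK) prints the full chain and timestamp
# details; /pa selects the default Authenticode verification policy.
$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if ($signtool) {
    & $signtool.Source verify /pa /v $PackagePath
}

# Install directly from PowerShell. This path does not go through the
# App Installer UX that shows the "Untrusted app" label.
Add-AppxPackage -Path $PackagePath

# For reference, a new package is signed with an RFC 3161 timestamp like so
# (placeholder paths and URL, not from the page):
#   signtool sign /fd SHA256 /f .\cert.pfx /p <password> `
#     /tr <rfc3161-timestamp-url> /td SHA256 .\MyApp.msix
```

Run it as `.\Install-SignedPackage.ps1 -PackagePath .\MyApp.msixbundle` (the script name is a placeholder). If the package has dependency packages (VCLibs, for example), pass them to Add-AppxPackage with -DependencyPath; the signature checks above apply to each of those files as well.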