Skip to content

Document automating MSIX signing in the Visual Studio / MSBuild build#478

Open
RDMacLachlan wants to merge 1 commit into
MicrosoftDocs:mainfrom
RDMacLachlan:users/romaclac/docbug-24788320
Open

Document automating MSIX signing in the Visual Studio / MSBuild build#478
RDMacLachlan wants to merge 1 commit into
MicrosoftDocs:mainfrom
RDMacLachlan:users/romaclac/docbug-24788320

Conversation

@RDMacLachlan

Copy link
Copy Markdown
Collaborator

Resolves the doc gap behind Azure Boards work item AB#24788320.

Background

The original bug (filed 2020) asked for post-build scripting steps to sign an MSIX from Visual Studio using Device Guard Signing (DGSS). DGSS is now retired—Microsoft Store for Business/Education (which DGSS required) were retired on 2023-03-31—and package/signing-package-device-guard-signing.md already carries a retirement banner redirecting to Azure Trusted Signing. Documenting new DGSS scripting would document a dead service.

The legitimate, still-open need behind the bug is automating MSIX signing as part of the Visual Studio / MSBuild build, which wasn't covered: the end-to-end guide documented CLI + CI (GitHub Actions, Azure DevOps), and sign-with-akv-cert.md covered the interactive Create App Packages wizard, but neither documented build-time MSBuild signing.

Change

Added an "Automate signing in your Visual Studio build (MSBuild)" section to package/sign-msix-package-guide.md:

  • MSBuild signing properties: AppxPackageSigningEnabled, PackageCertificateThumbprint / PackageCertificateKeyFile / PackageCertificatePassword, AppxPackageSigningTimestampServerUrl / AppxPackageSigningTimestampDigestAlgorithm.
  • Command-line / CI msbuild examples using a store certificate or a .pfx file.
  • How to configure signing so Visual Studio signs on every build.
  • Post-build signing with Azure Artifact Signing / Azure Key Vault (build unsigned, then sign the produced .msix), linking to the existing sections.
  • Bumped ms.date and added msbuild, visual studio keywords.

Property names verified against Microsoft Learn.

The original bug asked for post-build scripting steps to sign an MSIX from
Visual Studio using Device Guard Signing (DGSS). DGSS is retired (Microsoft
Store for Business/Education retired 2023-03-31) and the DGSS article already
redirects to Azure Trusted Signing, so documenting new DGSS scripting is
obsolete. Instead, fill the still-open gap with modern guidance.

Add an "Automate signing in your Visual Studio build (MSBuild)" section to the
end-to-end signing guide covering:
- MSBuild signing properties (AppxPackageSigningEnabled,
  PackageCertificateThumbprint/KeyFile/Password, timestamp URL and algorithm)
- Command-line / CI examples using a store certificate or a .pfx file
- How to sign automatically inside Visual Studio
- Post-build signing with Azure Artifact Signing / Azure Key Vault (build
  unsigned, then sign the produced .msix)

Resolves AB#24788320

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 02d8339:

✅ Validation status: passed

File Status Preview URL Details
msix-src/package/sign-msix-package-guide.md ✅Succeeded

For more details, please refer to the build report.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant