Clarify SDK vs. Runtime requirements #326
Comments
ghost
added
the
Needs-Triage
anarvekar-msft
removed
the
Needs-Triage
|
I have done the work and I can report back:
<PropertyGroup>
<CreatePackageMakeAppxParameters>/pb "C:/[full-path-worked-for-me]/certificate-migration-2022-pb.txt"</CreatePackageMakeAppxParameters>
<CreateResourcePackageMakeAppxParameters>/pb "C:\[full-path-worked-for-me]\certificate-migration-2022-pb.txt"</CreateResourcePackageMakeAppxParameters>
<AppxPackageSigningEnabled>false</AppxPackageSigningEnabled>
</PropertyGroup>I set But with |
You are correct. It says Insider Preview Build 22000 because at the time this was introduced Windows 11 was still a surprise :)
No. This is a new feature in Windows, so older builds will not be able to correctly handle apps prepared in this way.
The publisher in the AppxManifest.xml and the cert subject must match each other for you to be able to sign and install. If your new certificate has a different subject, you can still sign the new version of your app with a different publisher, but it will be seen as a completely different app from older versions and you will not be able to update from them.
Yes. The Publisher is the only relevant field.
"Install" should be "trust". If you are using a self-signed certificate (e.g., for dev testing), to trust it you will have to install it. For a certificate issued by a CA, the cert for the root CA will probably already be in your machine and you won't have to install anything.
You don't. What needs to be timestamped is the artifact (CAB), which I agree is not what the docs say. @dianmsft can you update the docs?
Yes. Unfortunately, MSBuild currently doesn't support MSIX Persistent Identity, so it always assumes that the publisher and cert subject match. |
|
@lechacon Thank you for the very thorough reply. Please update the documentation around this feature with this feedback and the couple of other issues raised before by other customers. Has servicing this feature to Windows 10 been considered? Honestly, this is the biggest pain point for us since we adopted MSIX. |
|
Unfortunately, the fact that "MSBuild currently doesn't support MSIX Persistent Identity" makes this next to useless. We use the Visual Studio "Create App Package" feature, which in turn uses MSBuild, which creates a very different set of packages and files. Also unfortunately, there's no documentation regarding what commands VS issues to MSBuild, so its impossible to produce the same output while using MSIX Persistent Identity/Publisher Bridging. |
This sentence is not clear at all. "Windows Insider Preview Build 22000" most likely should be "Windows 11".
However, it is more important to describe clearly what the requirements are: Can users on Windows 10 1909 install apps signed/prepared in this way? What happens if I do not follow these steps? I guess this process is needed if the certificate details of the old cert don't match the new ones? What fields are relevant here?
I saw multiple people asking about this before, but can you please expand on this crucial point?
You say "In order to use this feature and to persist the original package identity that was signed with old certificate, you will need to install the old certificate." Source
What does "install" mean in this context? How would I timestamp a public certificate? Does it matter for this if the old certificate is self-signed or publicly signed?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: