TMEditX  The Ultimate MSIX Package Editor plus MsixDeploy To Documentation Index

Signing and Re-signing packages

TMeditX will automatically sign your MSIX packages when you to add your code-signing certificate and password into the TMEditX configuration. 

 

You configure this in the tool configuration panel of the File menu tab shown here:

 

The option to update the package version will increment the last (or next to last if keep last level version field to 0 is selected) of your package.  With this option selected, in addition to incrementing the version field internally to the package, if the original file name included the version string, the proposed filename for saving will also increment.

With the "Update Package Publisher from cert" checkbox selected, TMEditX will ensure that the Publisher field in the AppXManifest file matches the subject field of your certificate automatically, updating the manifest when you save the package.

TMEditX now supports three signing modes.

  1. Using the Signtool command (included in the product) with a password protected PFX file. This can be a self-signed certificate or a certificate from a public Certificate Authority if they still provide external files.  When you select the signtool mode 
  2. Using the Digicert KeyLocker service as an option for the package signing (shown above).  The Digicert Tools must be installed and configured separately. This mode will automatically timestamp the signed package using the DigiCert timestamping service.  The KeyLocker Tools must be externally installed and configured on the VM.
  3. Using a certificate on an HSM token device.  We support Digicert devices currently, but we expect that this will work for other vendors as well.  The Digicert/Thwate tool must be installed and configured on the VM as well.  Remoting into the VM with the token plugged in locally seems to work with all remoting protocols and scenarios we have tested.

 For each of these methods you may also specify the url for a timestamping service, such as "http://timestamp.digicert.com" or "http://timestamp.acs.microsoft.com".  Note that these must be http references and not https.