
winapp-package
✓ Official★ 1,100by microsoft · part of microsoft/winappcli
Package a Windows app as an MSIX installer for distribution or testing. Use when creating a Windows installer, packaging an…
This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.
name: winapp-package description: Package a Windows app as an MSIX installer for distribution or testing. Use when creating a Windows installer, packaging an Electron/Flutter/.NET/Rust/C++/Tauri app for Windows, building an MSIX, distributing a desktop app, packaging a console app or CLI tool, or adding MSIX packaging to a build script or CI/CD pipeline. version: 0.4.1
When to use
Use this skill when:
- Creating an MSIX installer from a built app for distribution or testing
- Packaging any Windows app — GUI apps, console apps, CLI tools, services, or background processes
- Signing a package with a development or production certificate
- Bundling the Windows App SDK runtime for self-contained deployment
What the command does
- Locates
Package.appxmanifest— looks in input folder, then current directory (or uses--manifest) - Copies manifest + assets into a staging layout alongside your app files
- Discovers manifest-referenced files — any non-image file referenced in the manifest (e.g., AppExtension payloads like
manifest.json, config files) is automatically copied from the manifest directory or input folder if missing from staging - Generates
resources.pri— Package Resource Index for UWP-style resource lookup (skip with--skip-pri) - Runs
makeappx pack— creates the.msixpackage file - Signs the package (if
--certprovided) — callssigntoolwith your certificate
Output: a .msix file that can be installed on Windows via double-click or Add-AppxPackage.
Recommended workflow
- Build your app (
dotnet build,cmake --build,npm run make, etc.) - Package —
winapp package <build-output> --cert ./devcert.pfx - Trust cert (first time) —
winapp cert install ./devcert.pfx(admin) - Install — double-click the
.msixorAdd-AppxPackage ./myapp.msix - Test the installed app from the Start menu
Advanced: External content catalog
For sparse packages with AllowExternalContent, you may need a code integrity catalog:
# Generate CodeIntegrityExternal.cat for external executables
winapp create-external-catalog "./bin/Release"
# Include subdirectories and specify output path
winapp create-external-catalog "./bin/Release" --recursive --output ./catalog/CodeIntegrityExternal.catBundling multiple architectures
Create an MSIX bundle from multiple per-architecture build outputs:
# Create unsigned bundle for Store submission (x64 + arm64)
winapp package ./publish/x64 ./publish/arm64
# Create signed bundle for sideloading
winapp package ./publish/x64 ./publish/arm64 --cert ./devcert.pfx
# Self-contained bundle with Windows App SDK runtime per arch
winapp package ./publish/x64 ./publish/arm64 --self-contained --generate-certHow it works: When multiple input folders are passed, winapp package:
- Detects the architecture of each folder's primary executable from its PE header
- Resolves a manifest for each slice (see below)
- Validates that all slices share the same Identity, Capabilities, and Dependencies
- Packs each folder into an intermediate unsigned
.msix - Bundles them into a single
.msixbundleusingmakeappx bundle - Signs only the bundle (not individual slices) — the signature covers all packages inside
Manifest resolution: Each slice needs a manifest. Resolution order:
--manifest <path>uses one manifest for all slices (architecture auto-stamped per folder)- Per-folder
Package.appxmanifestif present in the input folder - Fallback to
Package.appxmanifestin the current working directory
The ProcessorArchitecture is always force-set to the detected architecture per-slice. All other Identity fields must be consistent across slices.
Output: <Name>_<Version>_<arch1>_<arch2>.msixbundle (architectures sorted alphabetically).
Store submission: An unsigned bundle is valid for Store upload — Partner Center signs it with your reserved identity certificate. For sideloading, pass --cert or --generate-cert.
This hashes executables in the specified directories so Windows trusts them when running with sparse package identity.
CI/CD
GitHub Actions
Use the microsoft/setup-winapp action to install winapp on GitHub-hosted runners:
- uses: microsoft/setup-winapp@v1
- name: Package
run: winapp package ./dist --cert ${{ secrets.CERT_PATH }} --cert-password ${{ secrets.CERT_PASSWORD }} --quietTips for CI/CD pipelines:
- Use
--quiet(or-q) to suppress progress output - Use
--if-exists skipwithwinapp cert generateto avoid regenerating existing certificates - Store your PFX certificate as a repository secret and decode it in CI
- Use
--use-defaults(or--no-prompt) withwinapp initto avoid interactive prompts
Tips
- The
packagecommand aliases topack— both work identically Package.appxmanifestPublisher must match the certificate publisher — usewinapp cert generate --manifestto ensure they match- Use
--skip-priif your app doesn't use Windows resource loading (e.g., most Electron/Rust/C++ apps without UWP resources) - For framework-specific packaging paths (Electron, .NET, Rust, etc.), see the
winapp-frameworksskill - The
--executableflag overrides the entry point in the manifest — useful when your exe name differs from what's inPackage.appxmanifest - For production distribution, use a certificate from a trusted CA and add
--timestampwhen signing withwinapp sign
Related skills
- Need a manifest first? See
winapp-manifestto generatePackage.appxmanifest - Need a certificate? See
winapp-signingfor certificate generation and management - Having issues? See
winapp-troubleshootfor a command selection flowchart and error solutions
Command Reference
winapp package
Create MSIX installer from your built app. Run after building your app. A manifest (Package.appxmanifest or appxmanifest.xml) is required for packaging - it must be in current working directory, passed as --manifest or be in the input folder. Use --cert devcert.pfx to sign for testing. Example: winapp package ./dist --manifest Package.appxmanifest --cert ./devcert.pfx
Aliases: pack
Arguments
<!-- auto-generated from cli-schema.json -->| Argument | Required | Description |
|---|---|---|
<input-folder> | Yes | One or more input folders with package layout. Pass multiple folders to create an MSIX bundle (e.g., winapp pack ./publish/x64 ./publish/arm64). |
Options
<!-- auto-generated from cli-schema.json -->| Option | Description | Default |
|---|---|---|
--cert | Path to signing certificate (will auto-sign if provided) | (none) |
--cert-password | Certificate password (default: password) | password |
--executable | Path to the executable relative to the input folder. | (none) |
--generate-cert | Generate a new development certificate | (none) |
--install-cert | Install certificate to machine | (none) |
--manifest | Path to AppX manifest file (default: auto-detect from input folder or current directory) | (none) |
--name | Package name (default: from manifest) | (none) |
--output | Output file name for the generated package (.msix) or bundle (.msixbundle). Defaults to <name><version><arch>.msix for single packages, or <name><version><arch1>_<arch2>.msixbundle for bundles. | (none) |
--publisher | Publisher distinguished name (DN) for certificate generation (e.g., CN=MyCompany). Bare names are auto-wrapped as CN=<name>. | (none) |
--self-contained | Bundle Windows App SDK runtime for self-contained deployment | (none) |
--skip-pri | Skip PRI file generation | (none) |
winapp create-external-catalog
Generates a CodeIntegrityExternal.cat catalog file with hashes of executable files from specified directories. Used with the TrustedLaunch flag in MSIX sparse package manifests (AllowExternalContent) to allow execution of external files not included in the package.
Arguments
<!-- auto-generated from cli-schema.json -->| Argument | Required | Description |
|---|---|---|
<input-folder> | Yes | List of input folders with executable files to process (separated by semicolons) |
Options
<!-- auto-generated from cli-schema.json -->| Option | Description | Default |
|---|---|---|
--compute-flat-hashes | Include flat hashes when generating the catalog | (none) |
--if-exists | Behavior when output file already exists | Error |
--output | Output catalog file path. If not specified, the default CodeIntegrityExternal.cat name is used. | (none) |
--recursive | Include files from subdirectories | (none) |
--use-page-hashes | Include page hashes when generating the catalog | (none) |
npx skills add https://github.com/microsoft/winappcli --skill winapp-packageRun this in your project — your agent picks the skill up automatically.
Prerequisites
Before packaging, you need:
- Built app output in a folder (e.g.,
bin/Release/,dist/,build/) Package.appxmanifest— fromwinapp initorwinapp manifest generate- Certificate (optional) —
devcert.pfxfromwinapp cert generatefor signing
Usage
Basic packaging (unsigned)
# Package from build output — manifest auto-detected from current dir or input folder
winapp package ./bin/Release
# Specify manifest location explicitly
winapp package ./dist --manifest ./Package.appxmanifestPackage and sign in one step
# Sign with existing certificate
winapp package ./bin/Release --cert ./devcert.pfx
# Custom certificate password
winapp package ./bin/Release --cert ./devcert.pfx --cert-password MyP@ssw0rdGenerate certificate + package in one step
# Auto-generate cert, sign, and package
winapp package ./bin/Release --generate-cert
# Also install the cert to trust it on this machine (requires admin)
winapp package ./bin/Release --generate-cert --install-certSelf-contained deployment
# Bundle Windows App SDK runtime so users don't need it installed (must have winappsdk reference in the winapp.yaml or *.csproj)
winapp package ./bin/Release --cert ./devcert.pfx --self-containedCustom output path and name
# Specify output file
winapp package ./dist --output ./releases/myapp-v1.0.msix --cert ./devcert.pfx
# Custom package name
winapp package ./dist --name "MyApp_1.0.0_x64" --cert ./devcert.pfxInstalling the MSIX for testing
# Trust the dev certificate first (one-time, requires admin)
winapp cert install ./devcert.pfx
# Install the MSIX
Add-AppxPackage ./myapp.msix
# Uninstall if needed
Get-AppxPackage *myapp* | Remove-AppxPackageTroubleshooting
| Error | Cause | Solution |
|---|---|---|
| "Package.appxmanifest not found" | No manifest in input folder or current dir | Run winapp init or winapp manifest generate first |
| "Publisher mismatch" | Cert publisher ≠ manifest publisher | Regenerate cert with winapp cert generate --manifest, or edit manifest |
| "Package installation failed" | Cert not trusted or stale package | Run winapp cert install ./devcert.pfx (admin), then Get-AppxPackage <name> | Remove-AppxPackage |
| "makeappx not found" | Build tools not downloaded | Run winapp update or winapp tool makeappx --help to trigger download |
Licensed under MIT— you can use, modify, and redistribute it under that license's terms.