Labsco
microsoft logo

winapp-signing

✓ Official1,100

by microsoft · part of microsoft/winappcli

Create and manage code signing certificates for Windows apps and MSIX packages. Use when generating a certificate, signing a Windows app or installer, or…

🔥🔥🔥🔥✓ VerifiedFreeQuick setup
🧰 Not standalone. This skill ships with microsoft/winappcli and only works together with that tool — install the tool first, then add this skill.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.


name: winapp-signing description: Create and manage code signing certificates for Windows apps and MSIX packages. Use when generating a certificate, signing a Windows app or installer, or fixing certificate trust issues. version: 0.4.1

When to use

Use this skill when:

  • Generating a development certificate for local MSIX signing and testing
  • Installing (trusting) a certificate on a machine so MSIX packages can be installed
  • Signing an MSIX package or executable for distribution

Key concepts

Publisher matching: The publisher in your certificate must exactly match the Publisher attribute in Package.appxmanifest. Any valid X.500 distinguished name is supported (e.g., CN=MyCompany or OU=Team, O=Corp, C=US). Use --manifest when generating to auto-match.

Dev vs. production certs: winapp cert generate creates self-signed certificates for local testing only. For production distribution (Microsoft Store or enterprise), obtain a certificate from a trusted Certificate Authority.

Default password: Generated certificates use password as the default PFX password. Override with --password.

Recommended workflow

  1. Generate certwinapp cert generate (auto-infers publisher from manifest)
  2. Trust cert (one-time) — winapp cert install ./devcert.pfx (run as admin)
  3. Package + signwinapp package ./dist --cert ./devcert.pfx
  4. Distribute — share the .msix; recipients must also trust the cert, or use a trusted CA cert

Tips

  • Always use --manifest (or have Package.appxmanifest in the working directory) when generating certs to ensure the publisher matches automatically
  • For CI/CD, store the PFX as a secret and pass the password via --password rather than using the default
  • winapp cert install modifies the machine certificate store — it persists across reboots and user sessions
  • Use --timestamp when signing production builds so the signature survives certificate expiration
  • You can also use the shorthand: winapp package ./dist --generate-cert --install-cert to do everything in one command

Related skills

  • Need to create a manifest first? See winapp-manifest to generate Package.appxmanifest with correct publisher info
  • Ready to package? See winapp-package to create and sign an MSIX in one step
  • Having issues? See winapp-troubleshoot for common error solutions

Command Reference

winapp cert generate

Create a self-signed certificate for local testing only. Publisher must match the manifest (auto-inferred if --manifest provided or Package.appxmanifest is in working directory). Output: devcert.pfx (default password: 'password'). For production, obtain a certificate from a trusted CA. Use 'cert install' to trust on this machine.

Options

<!-- auto-generated from cli-schema.json -->
OptionDescriptionDefault
--export-cerExport a .cer file (public key only) alongside the .pfx(none)
--if-existsBehavior when output file exists: 'error' (fail, default), 'skip' (keep existing), or 'overwrite' (replace)Error
--installInstall the certificate to the local machine store after generation(none)
--jsonFormat output as JSON(none)
--manifestPath to Package.appxmanifest or appxmanifest.xml file to extract publisher information from(none)
--outputOutput path for the generated PFX file(none)
--passwordPassword for the generated PFX filepassword
--publisherPublisher distinguished name (DN) for the generated certificate (e.g., CN=MyCompany or OU=Team, O=Corp, C=US). If not specified, will be inferred from manifest. Bare names are auto-wrapped as CN=<name>.(none)
--valid-daysNumber of days the certificate is valid365

winapp cert install

Trust a certificate on this machine (requires admin). Run before installing MSIX packages signed with dev certificates. Example: winapp cert install ./devcert.pfx. Only needed once per certificate.

Arguments

<!-- auto-generated from cli-schema.json -->
ArgumentRequiredDescription
<cert-path>YesPath to the certificate file (PFX or CER)

Options

<!-- auto-generated from cli-schema.json -->
OptionDescriptionDefault
--forceForce installation even if the certificate already exists(none)
--passwordPassword for the PFX filepassword

winapp cert info

Display certificate details (subject, thumbprint, expiry). Useful for verifying a certificate matches your manifest before signing.

Arguments

<!-- auto-generated from cli-schema.json -->
ArgumentRequiredDescription
<cert-path>YesPath to the certificate file (PFX)

Options

<!-- auto-generated from cli-schema.json -->
OptionDescriptionDefault
--jsonFormat output as JSON(none)
--passwordPassword for the PFX filepassword

winapp sign

Code-sign an MSIX package or executable. Example: winapp sign ./app.msix ./devcert.pfx. Use --timestamp for production builds to remain valid after cert expires. The 'package' command can sign automatically with --cert.

Arguments

<!-- auto-generated from cli-schema.json -->
ArgumentRequiredDescription
<file-path>YesPath to the file/package to sign
<cert-path>YesPath to the certificate file (PFX format)

Options

<!-- auto-generated from cli-schema.json -->
OptionDescriptionDefault
--passwordCertificate passwordpassword
--timestampTimestamp server URL(none)