Code signing windows store apps for sideloading (with a GoDaddy certificate)

StackOverflow https://stackoverflow.com/questions/14996305

Question

I need to sign an enterprise Windows Store app I've developed ,so that users can sideload it into their devices.

I'm in the process of obtaining a code signing certificate from GoDaddy. A lot of the next steps are still hazy for me - any additional details will be appreciated.

What I've done so far

  • The application is tested, and I was able to deploy it on machines that have a developer license.
  • Purchased a code signing certificate from Daddy but didn't know what to do next (based on past experience I thought I needed to generate a key pair and a certificate signing request on my developer machine)
  • Called GoDaddy support who said I actually need a driver signing certificate rather than a code signing certificate. The cost was the same so they instantly switched my purchase.
  • It turns out there is an automatic process for generating a CSR on Windows, but you have to use Internet Explorer for that. Apparently, the cryptographic stuff is somehow handled transparently by Internet Explorer and the GoDaddy website. I would love to know more about what is actually going on there.
  • As part of the process you need to provide the legal name and official address / phone of the software publisher (my client in this case).
  • Once you submit the request, it has to be approved by GoDaddy (who should somehow verify that I am authorized by the publisher to sign code on its behalf).

Next steps

  • I assume GoDaddy will need to receive some documents from the publisher. I'd love to know how that process works and how long it takes.
  • Once the certificate is issued, I expect there will again be some easy way to install it on my development machine. Question: is there a way to move the keys and the certificate to another machine?
  • I also expect Visual Studio (I'm using 2012 Express edition for Windows 8) to be able to use the certificate when creating app packages. Will I need to do some special setup for that or will it be straightforward (part of the "Create app package" wizard) ?
  • Some of the details I've put on the certificate signing request will eventually be visible on the actual certificate (visible to the persons installing the application). Which ones?
Was it helpful?

Solution

After completing the process here are my own answers:

  • It turns out the GoDaddy support representative was wrong when advising me to use a driver signing certificate. I needed a code signing certificate.
  • The certificate does not show the details of the contact person (which are included in the certificate signing request). You can see the certificate details before you submit the request (I missed it initially). In my case the details shown are the company name, city, state and country.
  • The documentation requirements depend on the company requesting the certificate (in some cases they may not need any documents at all). GoDaddy has very friendly support, so you should can the requirements from them. The process can take a few days to complete (but they may be able to help in doing it faster).
  • When using Internet Explorer both for the certificate request phase and installation phase, the process is seamless. I believe it uses Microsoft's Certificate Enrollment API (which is also described in this MSDN blog post)
  • As mentioned by JP Alioto, the process for using the certificate is described in the article "Signing an app package (Windows Store apps)". To use the new certificate in a specific project:
    • Open the projects .appxmanifest file
    • Go to the "Packaging" tab
    • Next to the publisher field, click "Choose Certificate"
    • In the dialog that pops up click "Configure Certificate" and select the drop down option "Pick from certificate store ..". The certificate should be available as one of the options.
  • To export a certificate, you can use the following process:
    • Run certmgr.msc
    • Locate the certificate
    • Right-click > All Tasks > Export to launch the certificate export wizard, which has an option to export the private key
      • Warning: the private key is supposed to be personal and you should protect it. It is probably OK if you copy it to another machine that you control (assuming nobody can snatch it in transit). Sharing it with someone else may be risky. I was not able to find information about how exactly the private key is used by Windows, but it may be a bad idea to have several people share a private key.
  • To import the certificate and private key from a PFX file, right click on the file in Windows Explorer, and elect "Install PFX". This will launch a straight-forward "Certificate Import Wizard".

OTHER TIPS

Lots of stuff there. :) There are are few documents you need to read:

Reading and understanding these documents will give you a better idea of what's going on. Are you sure the enterprise you're deploying for does not already have a trusted root certificate that they deploy to their desktop images? If they do, it may be easier to use that private key to sign the app. (The only reason a public certificate authority is recommended is that you will then not have to deploy the certificate to the target machines.)

You can move certificates (and private keys unfortunately) in the evil PFX format which is basically a PKCS #12 portable key file. But, be very careful how you move that file around. It contains both your public key and your encrypted private key.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top