Tags: certificate, digital-signature, code-signing, msix

Why does a signed and timestamped UWP app become "untrusted" once the security certificate expires?


Take a look at the attached image. This is an appx that is signed by Microsoft. The signature is timestamped. But, it's now an "Untrusted App."

Just had this happen to my software. I can't resign old application packages (Appx, MSIX, Appxbundle, or MSIXBundle) with my new certificate.

From a business standpoint, this is horrible.

Is there a way to sign an Appx bundle or MSIX bundle without it being listed as untrusted in the future?

Edit:

Honestly, I'm not sure if this is just my systems. I hope it's just my network, or something. But, I'd like to figure this out. Seems very important.

Some updates:

  1. Didn't find anything of value in the Event Log.
  2. I'm hoping my system is torn, because if this is the new normal, this is bad for business.
  3. Here's the Microsoft signed and timestamped Appx. If someone else could verify if this is Trusted, Untrusted, or "Trusted Microsoft Store App," please post here.

I guess the questions are:

  • Do signed and timestamped Appx/MSIX packages become "untrusted" after the certificate expires?
  • If not, what's causing it on my system?
  • If so, what is a "Trusted Microsoft Store App," and is it immune to this effect?
  • Also, if so, why? What are we trusting anyway? Does Authenticode work or not? What authority, and by what mechanism, does trust derive?

Cheers!


Signed by Microsoft, timestamped, but no longer trusted?


Solution

  • This is a known bug in the AppInstaller UX; the file is correctly signed and it can be installed with PowerShell (or of course the Store if the package was in the Store). Although I can't give you a date when it will be fixed, the good news is that AppInstaller is itself an app, so it will get updated to all users fairly quickly once the patch is released (you don't have to wait for a Windows Update).

    To answer your other question: a "Trusted Microsoft Store App" is one with a signature that comes from the Microsoft Store, and thus can always be installed. If you sign the package with any other trusted certificate, it is simply a "Trusted App" and can only be installed if the user has selected some version of "allow apps from Anywhere" in Settings -> Apps & Features.
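The answer says the package is correctly signed and can be installed from PowerShell rather than through the App Installer UX. The script below is an added example, not code from the question or the answer: it reads the package's Authenticode signature and timestamp countersignature with Get-AuthenticodeSignature, shows whether the signer certificate has expired, and only then calls Add-AppxPackage. It assumes Windows 10 or later (where the Appx/MSIX signature provider is present) and a package path of your own in place of the placeholder.

```powershell
# Added example, not code from the original question or answer. Inspects an
# Appx/MSIX package's Authenticode signature and timestamp countersignature,
# then installs it with Add-AppxPackage, bypassing the App Installer UX.
function Test-PackageSignature {
    param([Parameter(Mandatory = $true)][string]$PackagePath)

    $sig = Get-AuthenticodeSignature -FilePath $PackagePath

    # Status 'Valid' means the chain is trusted and the hash verified.
    # With a timestamp countersignature, the signer's NotAfter may already be
    # in the past while the signature is still valid: the question Authenticode
    # asks is "was the certificate valid when the timestamp authority
    # countersigned?", not "is it valid right now?".
    [PSCustomObject]@{
        Path          = $PackagePath
        Status        = $sig.Status.ToString()
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        SignerExpired = ($null -ne $sig.SignerCertificate -and
                         $sig.SignerCertificate.NotAfter -lt (Get-Date))
        Timestamped   = ($null -ne $sig.TimeStamperCertificate)
        Timestamper   = $sig.TimeStamperCertificate.Subject
    }
}

function Install-VerifiedPackage {
    param([Parameter(Mandatory = $true)][string]$PackagePath)

    $info = Test-PackageSignature -PackagePath $PackagePath
    $info | Format-List | Out-String | Write-Host

    if ($info.Status -ne 'Valid') {
        throw "Refusing to install: signature status is '$($info.Status)' ($($info.StatusMessage))."
    }
    # Belt and braces: an expired signer is only acceptable with a timestamp.
    if ($info.SignerExpired -and -not $info.Timestamped) {
        throw "Refusing to install: signer expired and no timestamp countersignature."
    }

    # Sideloading still needs the "allow apps from anywhere" (or developer
    # mode) setting the answer mentions; the Store signer path does not.
    Add-AppxPackage -Path $PackagePath
}

# Usage (placeholder path, replace with your own package):
# Install-VerifiedPackage -PackagePath 'C:\path\to\YourPackage.appxbundle'
```

Running Test-PackageSignature on the Microsoft-signed package from the question should report Status Valid with Timestamped True even though SignerExpired is True, which is exactly the case the App Installer UX mislabels as untrusted.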