UWP Certificate Question for Windows 10

  • Question

  • After quite a bit of searching I just couldn't seem to find an answer to this question...

    When an external certificate is used to sign a UWP app for non-developer side-load installation, how long is this certificate valid for and what happens when it expires?

    i.e. let's say I buy a one year code signing cert from GoDaddy -- what happens when that cert expires?  Will my application no longer install?  More importantly, will it no longer run?  

    If I generate my own certificate (i.e. similar to how the VS test certificate is created) and configure it to remain valid until 2100, would this work?

    Thank you in advance for your consideration and time!


    Wednesday, August 31, 2016 4:25 PM

Answers

  • Hello,
    >I buy a one year code signing cert from GoDaddy -- what happens when that cert expires?  Will my application no longer install?  More importantly, will it no longer run?
    When your code signing certificate expires, your signature will be invalid because it cannot even pass the local validation. What you're supposed to do is to get a new certificate and upload a new file signed with your new digital certificate. Your app can still be installed and run normally once you have updated your certificate.
    >If I generate my own certificate (i.e. similar to how the VS test certificate is created) and configure it to remain valid until 2100, would this work?
    Of course that self-generated certificate can also be effective on your app for sideloading. But as far as I’m concerned, the default certificate generated by Visual Studio expires one year after the date on which it was created. Thus I think you might not be able to configure your certificate to remain valid for so long.
    For more details about renewing certificates, see here.
    Hope it helps.

    Best regards,

    Mattew Wu


    Thursday, September 1, 2016 9:04 AM
    Moderator
  • Hi Shaun,
    >1) Once a code signing certificate expires what happens to the installed application?  Does it continue to run without errors?
    The purpose of code signing is to ensure security when deploying apps: it not only verifies the identity of the app author or build organization, but also helps to make sure that the app or object has not been modified by someone else. So the code signing certificate mostly makes sense when you are creating a package, whether for the Store or for sideloading on a device. For sideloaded apps, the certificate proves that this app should be trusted on this device.
    As for the installed application, I think it can go on without errors only if you don't plan to update it anymore.
    >2) What is the best practice for sideloading apps -- and not having to reinstall with a new certificate on a recurring basis (i.e. annually)?
    Sideloading apps requires you to have:
    • Devices unlocked for sideloading
    • Certificate assigned to app
    • Signed app package
    And the sideloading steps on desktop are different from what we do on mobile. For more details, please refer to Sideload LOB apps in Windows 10.
    When you update your app or repackage it, you are supposed to renew the certificate once it expires. It's the certificate that verifies the origin of the app and protects it from being modified.
    Thank you!
    Best regards,
    Mattew Wu



    Friday, September 2, 2016 4:41 AM
    Moderator

All replies

  • Thank you Matthew for your helpful response.  For side-loaded applications within the enterprise I can't be expected to re-issue a new app with a renewed certificate yearly.  If you could address one of the original (and critical in my opinion) questions I would be very grateful:

    1) Once a code signing certificate expires what happens to the installed application?  Does it continue to run without errors?

    2) What is the best practice for sideloading apps -- and not having to reinstall with a new certificate on a recurring basis (i.e. annually)?

    Thanks,

    Shaun

    Thursday, September 1, 2016 5:43 PM
  • Thank you!
    Tuesday, September 6, 2016 11:45 PM
  • I just wanted to reply back and provide some color for this conversation.  1) Anyone can generate a certificate with a configurable expiration.  I set mine to 10 years forward.  2) As long as that certificate is installed in Windows 10, and *Developer* side-load is enabled, the app will install and run.  To have the side-load only option work you need to buy a cert from MS with an XML license file.  Sound right?
    Thursday, September 15, 2016 2:34 PM
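The two points the thread circles around (the moderator's note that the Visual Studio test certificate expires after one year, and the last poster's point that anyone can generate a certificate with a configurable expiration) can be shown concretely. The PowerShell below is an added example, not code from the thread or from Microsoft's documentation. It creates a self-signed code-signing certificate with a chosen validity period, exports the public part for installation on the devices that should trust it, signs a package with an RFC 3161 timestamp, and reports how long the certificate has left. The subject, file paths, timestamp URL and the `Get-SigningCertStatus` helper are hypothetical values and names chosen for the example.

```powershell
# Added example (not from the thread): self-signed code-signing certificate for
# sideloading with an explicit validity period, plus signing and an expiry check.
# All paths, the subject and the timestamp URL are hypothetical placeholders.

$Subject     = 'CN=Contoso Software, O=Contoso Corporation, C=US' # must equal Identity Publisher in AppxManifest.xml
$CerPath     = 'C:\signing\contoso-sideload.cer'                   # public certificate for target devices
$PackagePath = 'C:\build\ContosoApp_1.0.0.0_x64.appx'              # package produced by the build
$TsaUrl      = 'http://timestamp.example.invalid'                  # placeholder: use a real RFC 3161 TSA
$Years       = 10                                                  # validity chosen by the signer

# 1. Create the certificate in the current user's personal store.
#    2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.3 = code signing;
#    2.5.29.19 = Basic Constraints left empty, so this is an end-entity cert, not a CA.
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject $Subject `
    -KeyUsage DigitalSignature `
    -FriendlyName 'Contoso sideload signing (self-signed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}') `
    -NotAfter (Get-Date).AddYears($Years)

# 2. Export only the public certificate. This is what goes to target devices;
#    the private key stays on the signing machine.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# 3. Sign the package, selecting the key by thumbprint from the store.
#    /tr and /td add a timestamp counter-signature, so the signature can still be
#    validated after the certificate's NotAfter date has passed.
& signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint /tr $TsaUrl /td SHA256 $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify against the local trust policy (/pa) and print the signature chain.
& signtool.exe verify /pa /v $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 5. Hypothetical helper: report remaining validity so renewal can be planned
#    before the certificate used for new packages expires.
function Get-SigningCertStatus {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $daysLeft = [int]([math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays))
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        Expired    = ($daysLeft -lt 0)
    }
}
Get-SigningCertStatus -Certificate $cert | Format-List

# On each target device (run as administrator), trust the public certificate in the
# Trusted People store rather than Trusted Root, so it only vouches for this publisher:
#   Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'
```

Two points worth keeping in mind when using this. The certificate's lifetime is whatever `-NotAfter` says, which is the configurable expiration the last reply describes; the one-year limit applies to the certificate Visual Studio generates for you, not to certificates you create yourself. And the timestamp in step 3 is what lets an already-signed package keep validating once the signing certificate has expired, so an installed sideloaded app does not need re-signing just because the calendar has moved on; a new certificate is needed when you sign a new or updated package, which matches the moderator's advice. Installing the public certificate only into Trusted People, and only on devices that are meant to run this publisher's packages, limits what a compromise of that long-lived key could be used for.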