Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I publish the StoreKey.pfx of an UWP application

I have an open source windows store application (UWP). When I associate the application with the store a Package.StoreAssociation.xml and a <AppName>_StoreKey.pfx is created along with some modifications to my Package.appxmanifest (Identity Tag; Name and Publisher Attributes).

  • Can I commit that information to a public git repository (the certificate must be in the repository because I want to build the package with AppVeyor)?
  • Should I encrypt it?
  • Could I revoke the certificate if it leaked?
  • Are the changes to appxmanifest sensitive?
like image 727
mjr Avatar asked Aug 12 '16 16:08

mjr


2 Answers

You should not include <AppName>_StoreKey.pfx file to your public repo. However you can still use AppVeyor CI.

1.Change your *.csproj file to include this information.

<PropertyGroup Condition="('$(Configuration)' == 'Debug') Or ('$(UseTemporarySignCert)' == 'true')">
    <PackageCertificateKeyFile><AppName>_TemporaryKey.pfx</PackageCertificateKeyFile>
</PropertyGroup>
<PropertyGroup Condition="('$(Configuration)' == 'Release') And ('$(UseTemporarySignCert)' != 'true')">
    <PackageCertificateThumbprint><!-- Your <AppName>_StoreKey.pfx Thumbprint Here --></PackageCertificateThumbprint>
</PropertyGroup>

2.Import your <AppName>_StoreKey.pfx certificate to: store location - Current User, Certificate store - Personal

3.Add UseTemporarySignCert environment variable with value true to your AppVeyor project.

As result you will be able to build signed project by your own without <AppName>_StoreKey.pfx in release mode and publish then to the store. And AppVeyor will work with TemporaryKey.pfx.

like image 130
Alex Titarenko Avatar answered Nov 09 '22 19:11

Alex Titarenko


Can I commit that information to a public git repository (the certificate must be in the repository because I want to build the package with AppVeyor)?

For public git repository, the Store key .pfx file should not be committed(Add to .gitignore file). If you want to use the CI system, please create a private repository or append the .pfx file to your cloned project in CI backend.

Should I encrypt it?

This file has been encrypted and it's for signing your app before submitting to Windows Store, see also How to create an app package signing certificate

Could I revoke the certificate if it leaked?

You need to reserved a new app name, see here

Are the changes to appxmanifest sensitive?

Depends on what you have changed, it's very important for Identity and package information in .packagemanifest file. See App package manifest

like image 2
Franklin Chen - MSFT Avatar answered Nov 09 '22 19:11

Franklin Chen - MSFT