Digital Signature
This page can be used to digitally sign your Windows Store App package. A valid certificate will be required in order to digitally sign the package.
Enable signing
You will be able to sign the package by checking this checkbox.
Reset All
This button can be used to clear all fields.
Software Publisher Certificate
Use certificate from system store
Choose one of the currently installed certificates.
<Most suited certificate> - By checking this option, "SignTool.exe" will use the best certificate from the system certificates store to sign the files.
To view or manage certificates inside the system store, you can use the certmgr.msc tool (press Windows Key + R, type "certmgr.msc" and press Enter).
Use file from disk
When this option is selected, the certificate used to sign the files is loaded from a local disk file. You will be requested to specify the path of the certificate from the hard disk each time you pick this option.
Advanced Installer supports both Personal Information Exchange PKCS #12 (.pfx) and X509 (.cer) certificates. The .pfx certificates contain both the public and private keys. The .cer certificates contain only the public key, the private key being stored on a USB eToken (protected by password).
Certificate - The path to the certificate on disk is provided in this field. You can choose a certificate from your hard drive by pressing the button in the same field.
PFX certificates are recommended. You can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files. If the PFX file is protected with a password, the “Selected certificate requires a password. Select how to transmit it to signing tool:” section will be visible.
- pvk2pfx is available as part of the Platform SDK.
Private Key - The private key file. You can choose one from your hard drive by pressing the button. Because PFX certificates have no separate private key file, this field is hidden by default.
Enter a password each time project is built - You will be prompted to enter the password when the AppX package is built.
Because Advanced Installer remembers the password for PFX files, you will only be asked for it once.
Store encrypted password in the project file - The encrypted password will be retained in the project and used to sign the installation files throughout the build process. This is a valuable option for unattended builds.
Password - The password for the PFX certificate.
Confirm password - Confirm the PFX certificate password.
Use from Azure Key Vault
Please visit this article in order to have a better understanding of this functionality: Azure Key Vault basic concepts.
Signing using a certificate from Azure Key Vault only works on Windows 10.
Tenant ID
The Azure active directory where Key Vault resides. This field is mandatory!
App ID
The Azure application's identifier that has access to the Key Vault. This field is required!
Vault Name
The name of the Key Vault. This field is mandatory!
Certificate Name
The name of the certificate stored in the Key Vault. This is a mandatory field!
Certificate Version
Multiple versions of a certificate can be kept in a Key Vault. A version is identified by the string contained in this field.
When this field is empty, Azure Key Vault signs with the latest certificate version.
Client Secret
When a file is signed, the user will be prompted to enter the Client secret associated with the application identified by the App ID. The Client secret is not stored in the project file.
Using command line
When using Advanced Installer from command line, you can set the Client secret using the following command: SetAzureKeyVaultSecret
Because the Client secret is not stored in the project file, the SetAzureKeyVaultSecret command can be used only from a .AIC command file.
For increased security, the Client secret can be stored in an environment variable by using the -secret_is_env_var_name switch. With this switch, the command treats the name passed as its parameter as the name of an environment variable.
Use Device Guard for signing
Device Guard signing only works on Windows 10.
You'll need an Azure account set up for Device Guard signing in order to sign a package with Device Guard. See this article if you need to learn more about the setup: Sign an MSIX package with Device Guard signing.
The Publisher ID from Package Information Page must adhere to the following format: CN=account_name.onmicrosoft.com
Using command line
You can set Device Guard sign account name and password using the following command: SetMsActiveDirectoryCredentials.
The SetMsActiveDirectoryCredentials command can only be used from a .AIC command file because the password is not saved in the project or the registry.
Example of a command file
SetMsActiveDirectoryCredentials -username user_name -password account_password [-password_is_env_var_name]
build -buildslist Build_MSIX_APPX -force
Alternatively, you can use the optional command line parameter [-password_is_env_var_name] to provide an environment variable where the password is saved instead of the actual password.
Signing a file using Device Guard may result in an error indicating that the timestamp cannot be applied if the account is not correctly configured for Device Guard signing.
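The two environment-variable switches described above (-secret_is_env_var_name for SetAzureKeyVaultSecret and -password_is_env_var_name for SetMsActiveDirectoryCredentials) can be enforced before a build with a small check over the .AIC file. The following is an added example, not Advanced Installer's own code. It assumes the secret is the first positional argument of SetAzureKeyVaultSecret, that lines starting with ";" are header or comment lines, and it uses a constructed sample file with a hypothetical variable name.

```python
import os
import shlex

# command (lower-cased) -> (option preceding the secret, or None when the secret
# is the first positional argument; switch that marks it as an env-var name)
SECRET_COMMANDS = {
    "setazurekeyvaultsecret": (None, "-secret_is_env_var_name"),
    "setmsactivedirectorycredentials": ("-password", "-password_is_env_var_name"),
}

# Constructed sample command file (variable name AI_KV_SECRET is hypothetical).
SAMPLE_AIC = """;aic
SetAzureKeyVaultSecret AI_KV_SECRET -secret_is_env_var_name
SetMsActiveDirectoryCredentials -username user_name -password account_password
build -buildslist Build_MSIX_APPX -force
"""

def _secret_argument(args, option):
    """Return the token holding the secret (or env-var name), or None."""
    if option is None:
        return next((a for a in args if not a.startswith("-")), None)
    lowered = [a.lower() for a in args]
    if option in lowered[:-1]:
        return args[lowered.index(option) + 1]
    return None

def audit_aic(text, environ=None):
    """Return (line_no, command, problem) findings; values are never echoed."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # assumed: ';' marks header/comment lines
            continue
        tokens = shlex.split(line, posix=False)  # posix=False keeps backslashes intact
        command, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        if command.lower() not in SECRET_COMMANDS:
            continue
        option, env_switch = SECRET_COMMANDS[command.lower()]
        value = _secret_argument(args, option)
        if value is None:
            findings.append((line_no, command, "no secret argument found"))
        elif env_switch not in (a.lower() for a in args):
            findings.append((line_no, command, "secret written inline"))
        elif environ is not None and not environ.get(value):
            findings.append((line_no, command, "environment variable not set"))
    return findings

if __name__ == "__main__":
    for finding in audit_aic(SAMPLE_AIC, os.environ):
        print(finding)
```

Passing the build agent's environment as the second argument also catches a switch that points at a variable the agent never received.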
Signature Properties
Signature properties are required to display the exact AppX package name on the UAC prompt.
Description
This field contains the signed content's description. It will be shown by the Windows UAC after you click the "Install" button.
Description URL
This field includes a link to a page that offers a detailed explanation of the signed content. The URL will be used in the "Open File - Security Warning" box when the package is opened from an untrusted place (for example, the network), where the "Name" field will become a link to the URL you supplied.
Timestamp service URL
A digital certificate has a validity period. After that time period has expired, the signed code is no longer considered certified. To avoid this, a Time Stamp can be added at the signing moment, indicating that the certificate was valid at the time of the signing.
The “Time Stamp URL” specifies the URL of the time stamp server. This URL points to a DLL located on a server that is used for this purpose. An example of such a server is:
https://sectigo.com/resource-library/time-stamping-server.
Signing AppX packages is supported only on Windows 8 or later OS.
Timestamp delay (ms)
This parameter allows you to set the number of milliseconds that Advanced Installer should wait between two consecutive signing procedures.