microsoft / WindowsAppSDK

The Windows App SDK empowers all Windows desktop apps with modern Windows UI, APIs, and platform features, including back-compat support, shipped via NuGet.
https://docs.microsoft.com/windows/apps/windows-app-sdk/
MIT License

Discussion: Simplify deployment for packaged app that not in store #57

Open Tlaster opened 4 years ago

Tlaster commented 4 years ago

Currently, to deploy a UWP app that you don't want to publish to the MS Store for whatever reason, you need to deliver the certificate to the end-user; the end-user needs to enable developer mode, install the certificate, then install the actual app. Or use the PowerShell script; it's a bit more complicated for the end-user, and it will deliver multiple files to the end-user.

I think it would be better to have just one install package file and just "click -> install -> run" without dealing with the certificate and other things. Just like Android's APK file, it does obtain a signature but the end-user will never notice that.

tesar-tech commented 4 years ago

Yes please. That pain when a client says "just send me the .exe" and you have to explain why it is more complicated than it was 10 years ago...

jvintzel commented 4 years ago

Do you have more information on the certificate you are using? Anything whose authenticity we can verify does not require extra steps. Adding a certificate is usually only required for enterprises when they are using their own root, but they usually deploy en masse to their devices. If you are using a self-signed certificate, that offers no authenticity and is basically equivalent to not signing code.

If the issue is the type of signing certificate, we plan on launching a preview of the Azure Trust Service this summer. The goal is to reduce the friction in signing flows for developers. The first part of this presentation covers the plans for code signing. MSIX Build

Edit (addressing dev mode comment): For the developer mode concern, developer mode is only needed for debugging. There was a sideloading mode that needed to be enabled for enterprise edition (off for legacy compat reasons); it was on by default in Pro and Home. Due to this feedback from developers and consumers, starting in the May 2020 update (2004) the sideloading setting has been removed and apps can be installed from any source similar to other installer techs.

Tlaster commented 4 years ago

> starting in the May 2020 update (2004) the sideloading setting has been removed and apps can be installed from any source similar to other installer techs

Great to hear that :)

Just to clarify: it's not a problem with the certificate, it's the installation process that makes the end-user a little bit confused. They usually ask why they can't just open a single installation file, click install, and have everything good to go, just like they used to.

For example, currently, when you create an app package for a UWP app with sideloading, you need a certificate. After the build finishes, there will be a folder that contains the app with files like *.msixbundle, Install.ps1, *.cer and some subfolders. You will need to deliver the whole folder to the end-user and tell them to run Install.ps1 to install the app. Or you will need to tell the user how to install the *.cer file first like this

This is much more complex than the "traditional" way like the installation process of vscode, you just have to download a single file, open it, install it, and everything is good to go.

Edit: I think it's for the independent dev to deliver their apps to the end-user. Is Azure Trust Service for the enterprise user? Because independent devs might not have an Azure subscription.
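
Added example, not part of the thread or of the SDK's own scripts: a PowerShell check a recipient could run on the sideload folder described above before installing the shipped `.cer`. It reports who signed the package, whether the signer is self-signed or chains to a root the machine already trusts, and whether the `.cer` is actually the package's signer. The function name and the file names are hypothetical.

```powershell
# Added example. Function name and file names are placeholders, not from this thread.
function Get-SideloadSignerReport {
    param(
        [Parameter(Mandatory)][string]$PackagePath,   # e.g. the *.msixbundle
        [string]$CerPath                              # optional: the *.cer shipped beside it
    )

    $sig  = Get-AuthenticodeSignature -FilePath (Convert-Path $PackagePath)
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # Unsigned or unreadable package: there is no signer to evaluate.
        return [pscustomobject]@{ Status = $sig.Status; Signer = $null }
    }

    # Build the chain against the local trust stores.
    # Revocation checking is skipped so the check also runs offline.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainsToTrustedRoot = $chain.Build($cert)

    # Is the .cer you are asked to install really the certificate that signed the package?
    $cerMatches = $null
    if ($CerPath) {
        $cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Convert-Path $CerPath))
        $cerMatches = ($cer.Thumbprint -eq $cert.Thumbprint)
    }

    [pscustomobject]@{
        Status              = $sig.Status
        Signer              = $cert.Subject
        Issuer              = $cert.Issuer
        SelfSigned          = ($cert.Subject -eq $cert.Issuer)   # subject == issuer heuristic
        ChainsToTrustedRoot = $chainsToTrustedRoot
        ChainErrors         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Thumbprint          = $cert.Thumbprint
        NotAfter            = $cert.NotAfter
        CerMatchesSigner    = $cerMatches
    }
}

# Usage (placeholder file names):
# Get-SideloadSignerReport -PackagePath '.\MyApp.msixbundle' -CerPath '.\MyApp.cer' | Format-List
```

The reported thumbprint can be compared with one the publisher supplies through a separate channel.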

lhak commented 4 years ago

I think it would be helpful if the appinstaller app offered the possibility to install a self-signed certificate (of course only if the user has admin rights) when the msix file is opened. Currently, only the PowerShell install script includes this functionality.

ghost commented 3 years ago

> you are using a self-signed certificate, that offers no authenticity and is basically equivalent to not signing code. If the issue is the type of signing certificate, we plan on launching a preview of the Azure Trust Service this summer. The goal is to reduce the friction in signing flows for developers.

@jvintzel it was supposed to be launched last summer, right? Open source developers are in need of this very service. Can we now expect an answer please, since it's already past 1 year?

lcsondes commented 3 years ago

> it's a bit more complicated for the end-user

It's not a "bit" more complicated. This is an absolute showstopper for many deployment scenarios and invalidates an entire family of new MS tech that would otherwise be appropriate if it didn't essentially force MSIX.

riverar commented 3 years ago

Can you elaborate on why you think this is a showstopper? I don't see any difference here from traditional software rollout.

riverar commented 3 years ago

It seems a lot of friction here revolves around the distribution and installation of self-signed packages by end users. This is not normal, and not something you should be doing beyond development/test.

lcsondes commented 3 years ago

> This is not normal, and not something you should be doing beyond development/test.

Making a regular MSI without any of the ceremony is normal, works out of the box, and doesn't require buying (management is happy) or juggling certificates (devs are happy).

I understand the reasoning behind all this signature business, but it doesn't work in practice. It's a showstopper because the friction is too much and makes ignoring msix the straightforward choice. Don't use it and everything works again out of the box for everyone. Why bother with this new thing with no immediate and clear benefits but plenty of drawbacks?

ghost commented 3 years ago

> I understand the reasoning behind all this signature business, but it doesn't work in practice.

Do tell what works then? Making everything free? You're aware that "FrEe SoFtWaRe FoUnDaTiOn Cult" also runs on sucking donations/money, right?

Advice: I understand the frustration, but making everything free is not the way the world works. Nothing is free in this world. Instead, you could've asked to make certificate prices affordable for indie devs.

> Don't use it and everything works again out of the box for everyone.

As you seem to have figured it out, keep using MSI then.

> Why bother with this new thing

Why bother here in the first place? To vent?