You can learn more about signing and packaging of Windows Store Apps on MSDN.
To correctly package and sign Windows apps, a few things are required:
In a Windows project, identity details are kept in a file named package.appxmanifest. This file is automatically populated every time a Cordova app is built. Identity holds 3 important fields.
Name and Version can be set from config.xml. Publisher can be provided as a build parameter or can be set in the build.json file.
A signing certificate can be provided either from the CLI or through the build.json file. The certificate-related CLI flags are:
--packageCertificateKeyFile
: Once a package signing certificate is created, this parameter can be used to associate the certificate with the app. This flag takes a file path as an argument. For example:
cordova build -- --packageCertificateKeyFile="platforms\windows\CordovaApp_TemporaryKey.pfx"
--packageThumbprint
: The package thumbprint is used to validate the authenticity of the package certificate key file. When creating a certificate key file, this value will be provided to the end user. For example:
cordova build -- --packageCertificateKeyFile="platforms\windows\CordovaApp_TemporaryKey.pfx" --packageThumbprint="ABCABCABCABC123123123123"
Alternatively, these values can be specified in a build configuration file (build.json), which is passed to the CLI with --buildConfig. A sample build configuration file:

    {
        "windows": {
            "debug": {
                "packageCertificateKeyFile": "platforms\\windows\\CordovaApp_TemporaryKey.pfx"
            },
            "release": {
                "packageCertificateKeyFile": "c:\\path-to-key\\keycert.pfx",
                "packageThumbprint": "ABCABCABCABC123123123123",
                "publisherId": "CN=FakeCorp.com, L=Redmond, S=Washington, C=US"
            }
        }
    }

Command line arguments and parameters in the build.json file can also be mixed. Values from the command line arguments take precedence.
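The precedence rule and the signing fields above, as an added example that is not Cordova's own code: a small Node.js check that merges command-line values over build.json and flags signing settings that should not reach a release build. The function names, the checks and the 40-hex-digit SHA-1 thumbprint test are assumptions of this example, and the sample thumbprint is constructed.

```javascript
// Added example, not Cordova code. Key names come from the page's build.json;
// the checks are assumptions about what a release build should satisfy.
const SIGNING_KEYS = ['packageCertificateKeyFile', 'packageThumbprint', 'publisherId'];

// Command-line values take precedence over build.json values.
function effectiveSigningConfig(buildJson, buildType, cliArgs = {}) {
  const fromFile = (buildJson.windows || {})[buildType] || {};
  const merged = {};
  for (const key of SIGNING_KEYS) {
    const value = cliArgs[key] !== undefined ? cliArgs[key] : fromFile[key];
    if (value !== undefined) merged[key] = value;
  }
  return merged;
}

// Thumbprints copied from the certificate dialog can carry spaces and
// invisible direction marks; strip only those so real typos still fail.
function normalizeThumbprint(raw) {
  return String(raw).replace(/[\s\u200e\u200f\u202a-\u202e\ufeff]/g, '').toUpperCase();
}

function lintSigningConfig(cfg, buildType) {
  const findings = [];
  const keyFile = cfg.packageCertificateKeyFile;
  if (!keyFile) findings.push('no packageCertificateKeyFile');
  else if (!/\.pfx$/i.test(keyFile)) findings.push('key file is not a .pfx');
  else if (buildType === 'release' && /TemporaryKey\.pfx$/i.test(keyFile))
    findings.push('release signed with temporary key');
  if (cfg.packageThumbprint === undefined) {
    if (buildType === 'release') findings.push('release has no packageThumbprint');
  } else if (!/^[0-9A-F]{40}$/.test(normalizeThumbprint(cfg.packageThumbprint))) {
    findings.push('packageThumbprint is not 40 hex digits (SHA-1)');
  }
  if (cfg.publisherId !== undefined && !/(^|,\s*)CN=/i.test(cfg.publisherId))
    findings.push('publisherId has no CN= component');
  return findings;
}

// Constructed sample: the page's build.json with a constructed 40-digit thumbprint.
const SAMPLE = { windows: {
  debug: { packageCertificateKeyFile: 'platforms\\windows\\CordovaApp_TemporaryKey.pfx' },
  release: {
    packageCertificateKeyFile: 'c:\\path-to-key\\keycert.pfx',
    packageThumbprint: '\u200eab12 cd34 ef56 ab12 cd34 ef56 ab12 cd34 ef56 ab12',
    publisherId: 'CN=FakeCorp.com, L=Redmond, S=Washington, C=US'
  }
} };
for (const type of ['debug', 'release'])
  console.log(type, lintSigningConfig(effectiveSigningConfig(SAMPLE, type), type));
```

The placeholder thumbprint shown in the sample build.json (24 characters) is reported by this check, since it is not a full certificate thumbprint.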
Signing is required for distributing and installing Windows Store apps. This process is normally handled by Visual Studio when you deploy a package for release. To do this without Visual Studio we need to create our own certificates.
To create certificates we need to use the makecert.exe utility. This tool ships with the Windows SDK and can be found under %ProgramFiles(x86)%\Windows Kits\8.1\bin\x64 or %ProgramFiles(x86)%\Windows Kits\8.1\bin\x86.
The first thing we need to do is to create a root key for signing our app.
makecert.exe -n "CN=FakeCorp.com" -r -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -e "01/01/2020" -h 0 -sv FakeCorp.com.pvk FakeCorp.com.cer
To understand what makecert does, here's a brief explanation of what the parameters do:
After running makecert for the first time, enter the private password on the screen that pops up:
Once the pvk and cer files are created, we need to create a pfx file from them. A pfx (Personal Exchange Format) file contains a variety of cryptographic information, such as certificates, root authority certificates, certificate chains and private keys. To package the certs, we will use a tool called pvk2pfx. This tool ships with the Windows SDK and can be found under %ProgramFiles(x86)%\Windows Kits\8.1\bin\x64 or %ProgramFiles(x86)%\Windows Kits\8.1\bin\x86.
pvk2pfx -pvk FakeCorp.com.pvk -pi pvkPassword -spc FakeCorp.com.cer -pfx FakeCorp.com.pfx -po pfxPassword
Where:
If we provide this pfx file in build.json as it is, the build fails with the following error: “The key file may be password protected. To correct this, try to import the certificate manually into the current user's personal certificate store.”. To import it we have to use certutil from an admin prompt:
certutil -user -p PASSWORD -importPFX FakeCorp.com.pfx
Where:
Once the certificate is installed, the next step is to add packageThumbprint and packageCertificateKeyFile to build.json. To find the packageThumbprint, search the current user's personal store (where certutil -user imported the certificate) for the CommonName we've associated with the certificate:
powershell -Command " & {dir -path cert:\CurrentUser\My | where { $_.Subject -like \"*FakeCorp.com*\" }}"
Once these final values are provided, Cordova should successfully package and sign the app.