Closed Bug 1725446 Opened 5 months ago Closed 4 months ago

Generate Code Integrity catalog when packaging MSIX


(Firefox :: Installer, enhancement, P3)






(Reporter: nalexander, Unassigned)


(Blocks 1 open bug)


This is from :agashlin in a different medium: "The makemsix signing branch that we use in automation doesn't generate a Code Integrity catalog when signing the package, unlike makeappx.exe. I assume that when Microsoft signs the package for the store they use makeappx.exe, we may need to do this as well for testing. This lack of Code Integrity may also be missed by some enterprise MSIX users."

This ticket tracks including a Code Integrity catalog when packaging MSIX, possibly by teaching makemsix how to do so.

If this is a hard blocker, we could try using Wine to run makeappx.exe, or we could run the relevant MSIX jobs on Windows directly.

Minor correction to myself: the signing would be done by signtool, not makeappx.

Priority: -- → P3

I no longer think there's any application for this: If an enterprise is enforcing code integrity independent of the Store, they'd want to sign the Code Integrity catalog with their own key to limit the binaries that are allowed to run.

Closed: 4 months ago
Resolution: --- → WONTFIX