Extended Validation (EV) and the Windows Store

Update – 11/21/2016

There’s currently an issue with the Windows Dev Center registration page which causes the a properly signed XML file to fail on upload. I am working with the Microsoft team responsible for Windows Dev Center to get the issue resolved and will provide an update as soon as it’s fixed.

For now the MSFT team has asked that you work directly with MSFT Dev Center Support.  You can contact them at, Microsoft Support, and selecting either the “Chat now” or “Submit an incident” button.

The good, the bad, and the ugly.

Even if you’re an experienced Windows 8 developer with a plethora of apps in the store, chances are you haven’t heard of the extended validation option for your account.  And rightly so.  The use case is very specific.  It’s only available if you’re registered as a Company as opposed to an individual developer and only applicable to apps that need access to the documentsLibrary capability.  In fact, at the time of this post, I think I was one of the first to complete the process end-to-end.  It wasn’t a pleasant experience.  Definitely not something I would want when evangelizing Windows Store awesomeness.  I’m hoping this post can help others get through the good, the bad, and the ugly (not necessarily in that order) of the extended validation process.

Extended Validation:  What and why?

According to the Windows Store,

…apps that declare the documentsLibrary capability can only be submitted from developer accounts which can demonstrate they have acquired an Extended Validation (EV) code signing certificate from a certificate authority (CA).

I suppose an EV process makes sense when you read what the documentsLibrary capability does.  Effectively, it provides the app programmatic access to the user’s Documents, filtered by file types declared in the manifest.  The keyword being, “programmatic,” which is different than the standard UI file picker in that no user interface is involved.  This capability is somewhat outside the scope of the WinRT app sandbox which only lets the user decide which files it wants the app to interact with.  With the documentsLibrary capability, the app can interact with any file in the Documents folder as long as the file type is declared in the app’s manifest.

Extended Validation:  How?

Most apps don’t need programmatic access to the user’s Documents folder, but let’s suppose for sake of this blog your app does.  There are several steps to follow:

First, download the signable .xml file.  The link to download the file can be found by logging into your Windows Store account and clicking the “Account” link.  You’ll find the EV section just after the Publisher ID.

image

Second, purchase a code-signing certificate from Symantec or Digicert.  Both certificate authorities provide EV code-signing certificates which will work.  My personal experience is with Digicert but I expect Symantec would work the same.  Effectively, you purchase the certificate, fill out a form, and submit the form to your respective certificate authority.  The CA will then send a thumb drive to your company’s address with some instructions on how to use the drive to install the certificate.  Digicert has an image that describes this process:

So far the process seems pretty easy, right?  Download the .xml file, purchase the certificate, insert the thumb drive, and run the .exe on the thumb drive to sign the file.  If only it was that easy.  If you look on Symantec’s EV page under “Key Features”, take notice of the supported file types,

Digitally sign 32-bit and 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi, .xpi, and .xap files) and kernel-mode software

Okay but where’s .xml?

The Bad

I don’t want to go into a ton of details but traditional code-signing engines don’t sign .xml file types.  They are typically used to sign installers or libraries like the file types above.  In fact, if you tried to sign the .xml file with a typical code-signing tool, you’d get an error…  Not cool.

I spent several hours going back and forth with the Windows Store team and Digicert explaining the problem.  Digicert’s support was completely baffled as to why I would want to sign an .xml file so they weren’t much help.  Microsoft support was better but it required my traversing the org tree to find the team responsible for the EV section of the Store.  Not as easy as you’d think with 90,000+ employees.

The Ugly

Working with Microsoft’s EV team was awesome.  I was able to chat directly with a developer – finally someone with answers – and he was able to write a console program which signs .xml files.  I ran the program, configured the parameters and what do you know?  It worked!  Hurray!  I can now publish my app to the store.

NOTE:  the code signing certificate produced by the CA must be generated using SHA2, not SHA1 and the certificate must exist in the user’s certificate store before running the .exe.

The Good…?

Even though developing a custom C# project to sign .xml files isn’t an ideal solution it’s better than nothing so I’m calling this one “good.”  I’m also calling it good because I’ve received permission from Microsoft and the team who developed the project to host it on CodePlex.  You’re welcome.  Feel free to download the entire project or just the .exe to sign .xml files for as part of your extended validation status.  The tool is available at, https://codesignforxml.codeplex.com/.

Hope it helps,

Justin

Hello World!

It’s finally here!  My official blog.  It’s been on my list of todos for a long, long time and now I finally have some incentive (Micro$oft) to actively write.

I recently changed roles at Microsoft so now I’m a Technical Evangelist for Developer and Platform Evangelism (DPE) in US-West.  Best job ever!  I spend my time working with companies across the region to help them develop apps for Azure, Windows 8, and Windows Phone, which also happen to be my three favorite platforms.  It’s been a fantastic experience so far and I’m happy I made the change.  I’m hoping to use this blog as a means of sharing my experience as a Microsoft Technical Evangelist.

In addition to working at MSFT.  I also spend time developing my own applications.  I’ve got a couple of Win8/WP apps in the store, a very robust Treasury Workstation running on Azure, a Win Form app, and several web sites I’ve built along the way.  Check them out!