Summary
The binaries shipped in the msixmgr ZIP (https://aka.ms/msixmgr) contain a mix of unsigned and test-signed files. This makes it impossible to verify their authenticity before deployment in environments where Authenticode verification of all toolchain binaries is mandatory (DoD, NATO, financial, healthcare, etc.).
Affected binaries (latest ZIP as of 2026-05-20)
| File |
Signature status |
Signer |
msixmgr.exe |
Not signed |
— |
msix.dll |
Not signed |
— |
ApplyACLs.dll |
Signed, not trusted |
CN=Microsoft Testing PCA 2010 |
CreateCIM.dll |
Signed, not trusted |
CN=Microsoft Testing PCA 2010 |
WVDUtilities.dll |
Signed, not trusted |
CN=Microsoft Testing PCA 2010 |
Microsoft Testing PCA 2010 is a test/internal CA whose root is not present in the Windows trusted-root store on end-user or server machines.
Impact
Any security-conscious automation layer that calls Get-AuthenticodeSignature and checks the result before executing a downloaded binary will fail (Status ≠ Valid, or signer subject not in a Microsoft production-CA allowlist). Concretely:
-
Our open-source MSIX PowerShell module runs Get-AuthenticodeSignature on every downloaded binary and checks the leaf-signer subject against a trusted-publisher allowlist (CN=Microsoft Corporation,, CN=Microsoft Windows,, etc.) before use. Install-MsixMgr currently fails at the Authenticode verification step with:
Authenticode verification FAILED for msixmgr/msixmgr.exe
Status: NotSigned
or, for the test-signed DLLs:
Authenticode verification FAILED for msixmgr/ApplyACLs.dll
Signer is NOT in the trusted-publisher allowlist:
Subject: CN=Microsoft Testing PCA 2010, O=Microsoft Corporation, ...
-
Windows Defender Application Control (WDAC) / AppLocker policies that require Microsoft as the Authenticode publisher will block these files on managed endpoints.
Expected behaviour
All binaries in the msixmgr distribution ZIP should be signed with a production Microsoft Authenticode certificate (the same CA chain used by signtool.exe, MakeAppx.exe, msixmgrSetup.exe, etc.) so that Get-AuthenticodeSignature returns Status = Valid with a subject matching CN=Microsoft Corporation, or equivalent production signer.
Suggested fix
- Add all
.exe and .dll files in the msixmgr build pipeline to the production code-signing step.
- Replace any internal test-signing step for
ApplyACLs.dll, CreateCIM.dll, and WVDUtilities.dll with the same production signing used for the outer msixmgrSetup.exe.
Workaround (temporary)
Until this is fixed, consumers who need the binaries can either:
- Add
CN=Microsoft Testing PCA 2010 to their local allowlist (not acceptable in high-assurance environments).
- Skip Authenticode verification for msixmgr specifically (weakens the security posture of the toolchain).
We have filed this so we can track it and remove the workaround once production-signed binaries are available. A reference to this issue will be added to the module's Install-MsixMgr warning output.
References
Summary
The binaries shipped in the msixmgr ZIP (
https://aka.ms/msixmgr) contain a mix of unsigned and test-signed files. This makes it impossible to verify their authenticity before deployment in environments where Authenticode verification of all toolchain binaries is mandatory (DoD, NATO, financial, healthcare, etc.).Affected binaries (latest ZIP as of 2026-05-20)
msixmgr.exemsix.dllApplyACLs.dllCN=Microsoft Testing PCA 2010CreateCIM.dllCN=Microsoft Testing PCA 2010WVDUtilities.dllCN=Microsoft Testing PCA 2010Microsoft Testing PCA 2010is a test/internal CA whose root is not present in the Windows trusted-root store on end-user or server machines.Impact
Any security-conscious automation layer that calls
Get-AuthenticodeSignatureand checks the result before executing a downloaded binary will fail (Status ≠Valid, or signer subject not in a Microsoft production-CA allowlist). Concretely:Our open-source MSIX PowerShell module runs
Get-AuthenticodeSignatureon every downloaded binary and checks the leaf-signer subject against a trusted-publisher allowlist (CN=Microsoft Corporation,,CN=Microsoft Windows,, etc.) before use.Install-MsixMgrcurrently fails at the Authenticode verification step with:or, for the test-signed DLLs:
Windows Defender Application Control (WDAC) / AppLocker policies that require
Microsoftas the Authenticode publisher will block these files on managed endpoints.Expected behaviour
All binaries in the msixmgr distribution ZIP should be signed with a production Microsoft Authenticode certificate (the same CA chain used by
signtool.exe,MakeAppx.exe,msixmgrSetup.exe, etc.) so thatGet-AuthenticodeSignaturereturnsStatus = Validwith a subject matchingCN=Microsoft Corporation,or equivalent production signer.Suggested fix
.exeand.dllfiles in the msixmgr build pipeline to the production code-signing step.ApplyACLs.dll,CreateCIM.dll, andWVDUtilities.dllwith the same production signing used for the outermsixmgrSetup.exe.Workaround (temporary)
Until this is fixed, consumers who need the binaries can either:
CN=Microsoft Testing PCA 2010to their local allowlist (not acceptable in high-assurance environments).We have filed this so we can track it and remove the workaround once production-signed binaries are available. A reference to this issue will be added to the module's
Install-MsixMgrwarning output.References
https://aka.ms/msixmgr