Clarify Microsoft Store automatic code signing for MSIX packages (#6647)

* Clarify Microsoft Store automatic code signing for MSIX packages

- Added FAQ entry explaining Store auto-signs all submissions
- Updated app-certification-process.md Publishing section to note Microsoft cert
- Expanded app-package-requirements.md with code signing section

Moved from #5825 (originally by copilot-swe-agent).

Co-authored-by: Copilot <[email protected]>

* Address Copilot feedback on store code signing PR

- FAQ: scope 'all apps' to MSIX/AppX; add explicit callout that MSI/EXE
  installers must be Authenticode-signed by the publisher (Store doesn't re-sign)
- FAQ: clarify 'no CA-trusted cert needed' (not 'no signing at all')
- app-package-requirements: ### → #### for code signing section to fix
  heading hierarchy (App bundles was incorrectly nested under it)
- app-package-requirements: reword bullets to clarify the Store replaces
  the MSIX signature — not that no signing exists in the pipeline
- app-package-requirements: add NOTE that MSI/EXE require publisher signing
- app-certification-process: remove trailing space on digitally signed line
- app-certification-process: 'on an average' → 'on average' (consistency)

Co-authored-by: Copilot <[email protected]>

* Address Copilot review feedback on code signing docs

- Broaden 'MSIX packages' to 'MSIX/AppX packages' consistently
  across all three files (Store re-signs both formats)
- Scope 'all packages' to 'all MSIX/AppX packages' in certification
  process to avoid implying MSI/EXE are re-signed (they are not)
- Add comma before 'depending on their location' in two sentences
  for grammatical clarity

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

Author: GrantMeStrength

hub/apps/publish/faq/get-started-with-the-microsoft-store.md

@@ -162,6 +162,27 @@ For general questions, you can also use Microsoft Q&A forums or check the Learn
 
 </details>
 
+---
+
+<details>
+<summary><strong>Does the Microsoft Store provide code signing for my app? Do I need my own code signing certificate?</strong></summary>
+
+Yes, the Microsoft Store provides **automatic code signing** for **MSIX and AppX packages** submitted for Store distribution. You do not need to purchase or provide your own CA-trusted code signing certificate, .pfx file, .cer file, or use a USB token/hardware security module (HSM) to submit MSIX packages to the Microsoft Store.
+
+Here's how it works:
+
+- **For MSIX/AppX Store submissions:** When you submit your MSIX/AppX package to the Microsoft Store, the package does not need to be signed with a CA-trusted certificate. After your app passes certification, the Microsoft Store automatically re-signs your package with a Microsoft certificate during the publishing process, replacing any existing signature. This ensures customers can trust and install your app without security warnings.
+  
+- **What you need:** Only the MSIX/AppX package files (.msix, .msixupload, .msixbundle, .appx, .appxupload, or .appxbundle) are required for submission. No CA-trusted code signing certificate is needed.
+
+- **For MSI or EXE installers:** The Store does **not** re-sign MSI or EXE installers. If you submit an MSI or EXE installer, you must Authenticode-sign it yourself with a valid code signing certificate before submission.
+
+- **For non-Store distribution:** If you plan to distribute your MSIX package outside the Microsoft Store (for example, for enterprise deployment, sideloading, or direct downloads), you will need to sign the package yourself with a valid code signing certificate before distribution. For more information, see [Sign an app package using SignTool](/windows/win32/appxpkg/how-to-sign-a-package-using-signtool).
+
+This automatic re-signing is one of the key benefits of publishing MSIX packages through the Microsoft Store, as it eliminates the need to purchase and manage CA-trusted code signing infrastructure for Store distribution.
+
+</details>
+
 <br>
 
 > [!TIP]

hub/apps/publish/publish-your-app/msix/app-certification-process.md

@@ -8,7 +8,7 @@ ms.localizationpriority: medium
 
 # The app certification process for MSIX app
 
-When you finish creating your app's submission and click **Submit to the Store**, the submission enters the certification step. This process can take up to three business days. After your submission passes certification, on an average, customers will be able to see the app’s listing within 15 minutes depending on their location. You'll be notified when your submission is published, and the app's status in the dashboard will be **In the Store**.
+When you finish creating your app's submission and click **Submit to the Store**, the submission enters the certification step. This process can take up to three business days. After your submission passes certification, on average, customers will be able to see the app’s listing within 15 minutes, depending on their location. You'll be notified when your submission is published, and the app's status in the dashboard will be **In the Store**.
 
 ## Preprocessing
 
@@ -35,9 +35,11 @@ When your app passes certification, it's ready to move to the **Publishing** pro
 
 ## Publishing
 
-Your app's packages are digitally signed to protect them against tampering after they have been released. Once this phase has begun, you can no longer cancel your submission or change its release date.
+Your app's packages are digitally signed by Microsoft to protect them against tampering after they have been released. The Microsoft Store automatically signs all MSIX/AppX packages with a Microsoft certificate, which ensures that customers can trust and install your app without security warnings.
 
-The publishing process take a few minutes and on an average, customers will be able to see the app’s listing within 15 minutes depending on their location.
+You don’t need to provide your own code signing certificate for Store distribution—the Store handles this automatically. Once this phase has begun, you can no longer cancel your submission or change its release date.
+
+The publishing process takes a few minutes and on average, customers will be able to see the app’s listing within 15 minutes, depending on their location.
 
 ## In the Store
 

hub/apps/publish/publish-your-app/msix/app-package-requirements.md

@@ -27,7 +27,20 @@ When you create your package in Visual Studio, make sure you are signed in with
 
 When you build your app's UWP packages, Visual Studio can create an .msix or appx file, or a .msixupload or .appxupload file. For UWP apps, we recommend that you always upload the .msixupload or .appxupload file in the [Packages](./upload-app-packages.md) page. For more info about packaging UWP apps for the Store, see [Package a UWP app with Visual Studio](/windows/msix/package/packaging-uwp-apps).
 
-Your app's packages don't have to be signed with a certificate rooted in a trusted certificate authority.
+#### Code signing for Microsoft Store submissions
+
+Your MSIX and AppX packages don't have to be signed with a certificate rooted in a trusted certificate authority when submitting to the Microsoft Store. The Microsoft Store will automatically re-sign your MSIX/AppX packages with a Microsoft certificate during the publishing process after your app passes certification. This means:
+
+- You don't need to purchase a CA-trusted code signing certificate for MSIX/AppX Store submissions
+- You don't need to provide a .pfx or .cer file from a certificate authority to submit MSIX/AppX packages
+- USB tokens or hardware security modules (HSMs) are not required for MSIX/AppX Store submissions
+- The Store replaces any existing signature on MSIX/AppX packages with a Microsoft certificate, providing trust and security to customers
+
+> [!NOTE]
+> If you are submitting an **MSI or EXE installer** to the Store, the Store does not re-sign those files. You must Authenticode-sign your MSI/EXE installer yourself with a valid code signing certificate before submission.
+
+> [!NOTE]
+> If you are distributing your MSIX package outside the Microsoft Store (for example, for enterprise deployment or sideloading), you will need to sign the package yourself with your own code signing certificate. For more information, see [Sign an app package using SignTool](/windows/win32/appxpkg/how-to-sign-a-package-using-signtool).
 
 #### App bundles