MicrosoftDocs
diff --git a/‎hub/apps/package-and-deploy/choose-distribution-path.md‎
Lines changed: 32 additions & 1 deletion b/‎hub/apps/package-and-deploy/choose-distribution-path.md‎
Lines changed: 32 additions & 1 deletion
diff --git a/‎hub/apps/package-and-deploy/code-signing-options.md‎
Lines changed: 98 additions & 0 deletions b/‎hub/apps/package-and-deploy/code-signing-options.md‎
Lines changed: 98 additions & 0 deletions
@@ -119,7 +119,38 @@ If you have an existing app with its own installer (WiX, NSIS, InstallShield) an
 
 ## What about other installer formats?
 
-Many Windows apps are distributed using MSI, WiX, Inno Setup, ClickOnce, or similar technologies. These are established and supported options, especially for existing apps. However, they may not provide MSIX's package identity, clean uninstall model, or Store eligibility.
+Many Windows apps are distributed using ClickOnce, MSI, WiX, Inno Setup, or similar technologies. These are established and supported options, especially for apps that can't use MSIX or don't need Store distribution. The table below summarizes the common options and their trade-offs.
+
+| Method | Auto-update | Code signing required | Store eligible | Best for |
+|---|---|---|---|---|
+| **MSIX via Store** | ✅ Built-in | ✅ Free (Store signs) | ✅ Yes | Most apps — recommended starting point |
+| **MSIX + .appinstaller** | ✅ Built-in | 💲 CA-trusted cert | ❌ No | ISVs distributing directly from a website |
+| **ClickOnce** | ✅ Built-in | 💲 Cert recommended | ❌ No | WPF/WinForms apps; not supported for WinUI 3 |
+| **MSI / WiX / Inno Setup** | ⚠️ Manual or custom | 💲 Cert recommended | ❌ No | Apps with complex install requirements or existing installer |
+| **Self-contained EXE (xcopy/zip)** | ❌ None | 💲 Cert recommended | ❌ No | Simple utilities; developer/power-user audiences |
+| **winget manifest** | ✅ Via winget | 💲 Cert recommended | ❌ No | Any of the above — adds discoverability via `winget install` |
+
+### ClickOnce
+
+ClickOnce is a .NET deployment technology built into Visual Studio. It hosts a manifest on a web server or file share; users install from the manifest URL and ClickOnce handles update checks at launch. It's a good fit for WPF and WinForms apps distributed to a known user base.
+
+ClickOnce is **not supported for WinUI 3 apps**. Use MSIX with `.appinstaller` for WinUI 3 direct distribution.
+
+→ [ClickOnce security and deployment](/visualstudio/deployment/clickonce-security-and-deployment)
+
+### MSI, WiX, Inno Setup, and NSIS
+
+Traditional EXE and MSI installers remain common for Windows apps with complex installation requirements (driver installation, system services, registry configuration). Tools like [WiX Toolset](https://wixtoolset.org/), [Inno Setup](https://jrsoftware.org/isinfo.php), and [NSIS](https://nsis.sourceforge.io/) are community-maintained and widely used. Update support requires your own implementation.
+
+These formats are not Store-eligible as primary distribution packages. However, you can combine them with [packaging with external location](../desktop/modernize/grant-identity-to-nonpackaged-apps-overview.md) if you need package identity for specific Windows features.
+
+### Self-contained EXE (xcopy deployment)
+
+`dotnet publish --self-contained` produces a folder of files (or a single-file EXE) that users can run without installing .NET. This is the simplest distribution model but requires users to download a new version manually. It suits command-line tools, developer utilities, and power-user apps.
+
+### winget — adding discoverability to any distribution path
+
+Regardless of your packaging format, you can submit a manifest to the [Windows Package Manager Community Repository](https://github.com/microsoft/winget-pkgs) to make your app installable via `winget install <your-app>`. This doesn't replace your existing distribution method — it adds a command-line installation path valued by developer and technical audiences.
 
 ## Related content
 
 
@@ -0,0 +1,98 @@
+---
+title: Code signing options for Windows app developers
+description: Compare code signing options for distributing Windows apps outside the Microsoft Store — including Azure Artifact Signing, OV/EV certificates, and when no signing is needed.
+ms.topic: concept-article
+ms.date: 04/17/2026
+ms.localizationpriority: medium
+---
+
+# Code signing options for Windows app developers
+
+If you publish your app through the Microsoft Store, code signing is free and handled for you automatically — you don't need to purchase or manage a certificate. Everything in this article applies to apps distributed **outside the Microsoft Store**.
+
+## Comparison at a glance
+
+| Option | Cost | Availability | SmartScreen behavior | Store eligible | Best for |
+|---|---|---|---|---|---|
+| **Microsoft Store** (signs for you) | Free | Worldwide | ✅ No warnings | ✅ Yes | Recommended for most developers |
+| **Azure Artifact Signing** (formerly Trusted Signing) | ~$9.99/month | Organizations: USA, Canada, EU, UK. Individuals: USA and Canada only | ⚠️ Reputation builds over time; initial warnings expected | ❌ No | Recommended for non-Store distribution |
+| **OV certificate** (from a CA such as DigiCert, Sectigo) | $150–300/year | Worldwide | ⚠️ Same as Azure Artifact Signing — reputation builds over time | ❌ No | Developers who can't use Azure Artifact Signing, or who prefer traditional CAs |
+| **EV certificate** | $400+/year | Worldwide | ⚠️ Same as OV since 2024 — no longer instant bypass | ❌ No | No longer recommended specifically for SmartScreen bypass |
+| **Self-signed certificate** | Free | — | ❌ Blocks installation for public users | ❌ No | Dev/testing only, or enterprise with managed certificate trust |
+| **No signature** | Free | — | ❌ Strong SmartScreen block; enterprises may block entirely | ❌ No | Not recommended for public distribution |
+
+## Microsoft Store — no signing needed
+
+Publishing through the Microsoft Store is the recommended distribution path for most Windows apps. Microsoft re-signs your package automatically, meaning users never see a SmartScreen warning and you never need to purchase or renew a certificate.
+
+A one-time $19 developer account fee gives you access to [Partner Center](https://partner.microsoft.com/dashboard), where you submit your app and manage its listing.
+
+→ [Publish your app to the Microsoft Store](/windows/apps/publish/publish-your-app/msix/create-app-submission)
+
+## Azure Artifact Signing (formerly Trusted Signing) — recommended for non-Store distribution
+
+[Azure Artifact Signing (formerly Trusted Signing)](/azure/trusted-signing/) is Microsoft's recommended code signing service for developers who distribute apps outside the Store.
+
+**Key details:**
+
+- **Cost:** Approximately $9.99/month — significantly less than a traditional OV or EV certificate
+- **Identity validation:** Microsoft validates your organization or individual identity before issuing certificates; plan for a few business days for verification
+- **No hardware token required:** Signing integrates directly with CI/CD pipelines (GitHub Actions, Azure DevOps, and others) — you don't need a physical USB token
+- **SmartScreen behavior:** The same reputation-building model as OV certificates — new files will show a SmartScreen warning until they accumulate sufficient download history. Azure Artifact Signing does **not** provide instant SmartScreen trust.
+
+> [!IMPORTANT]
+> **Geographic limitation:** Azure Artifact Signing is available to organizations in the USA, Canada, the European Union, and the United Kingdom. Individual developers are currently limited to the USA and Canada. If you are an individual developer outside those regions, see [OV certificates](#ov-certificates--traditional-ca-option) below.
+
+→ [Azure Artifact Signing documentation](/azure/trusted-signing/)  
+→ [Sign an MSIX package using SignTool](/windows/msix/package/sign-app-package-using-signtool)
+
+## OV certificates — traditional CA option
+
+Organization Validated (OV) certificates from a Certificate Authority (CA) such as DigiCert, Sectigo, or GlobalSign are a well-established option for code signing. They are the right choice when:
+
+- You are located outside the USA, Canada, the EU, or the UK (organizations); or outside the USA or Canada (individual developers) and cannot use Azure Artifact Signing
+- Your organization already has a relationship with a specific CA
+- Your enterprise customers require a certificate from a particular CA
+
+**Key details:**
+
+- **Cost:** Typically $150–300/year depending on the CA and certificate tier
+- **Identity validation:** The CA validates your organization's legal identity before issuing the certificate; allow several business days
+- **HSM requirement:** As of June 2023, the CA/Browser Forum requires private keys for OV certificates to be stored on a hardware security module (HSM) or hardware token. Most CAs provide a compatible USB token or cloud HSM option.
+- **SmartScreen behavior:** Equivalent to Azure Artifact Signing — reputation accumulates per file hash over time. Expect SmartScreen prompts for new files.
+
+OV certificates are a proven option and are functionally equivalent to Azure Artifact Signing for SmartScreen purposes. If you are in the US or Canada (or an organization in the EU or UK), Azure Artifact Signing is typically more cost-effective and integrates more smoothly with automated build pipelines.
+
+## EV certificates — no longer recommended for SmartScreen
+
+Extended Validation (EV) certificates previously bypassed SmartScreen entirely on first download, making them the go-to choice for new apps with no reputation. **That behavior was removed in 2024.** EV-signed files now go through the same reputation-building process as OV certificates.
+
+**What this means:**
+
+- If you already have an EV certificate, it is still valid and functional for signing — keep using it until it expires
+- EV certificates still require more rigorous identity validation, which may matter for enterprise procurement or other trust contexts
+- Paying the EV premium ($400+/year) solely to avoid SmartScreen warnings is **no longer justified** — you will still see the same warnings as with an OV certificate
+
+→ [SmartScreen reputation for developers](smartscreen-reputation.md) for full details on how reputation builds and what users see
+
+## Self-signed certificates — dev and testing only
+
+A self-signed certificate is not trusted by Windows by default and will trigger a strong SmartScreen block for any user who hasn't manually installed the certificate as a trusted root. This makes self-signed certificates unsuitable for public distribution.
+
+**Appropriate uses:**
+
+- **Local development and testing** — you control the machine and can install the certificate manually
+- **Enterprise internal distribution** — your IT department can deploy the certificate as a trusted root via Intune or Group Policy, allowing managed devices to install the app silently
+
+→ [Sign an MSIX package using SignTool](/windows/msix/package/sign-app-package-using-signtool)
+
+## Open source: SignPath Foundation
+
+If your project is open source, [SignPath Foundation](https://signpath.io) offers free code signing for qualifying open-source projects. The program provides OV-level certificate signing through a managed pipeline. Check the SignPath Foundation website for eligibility requirements and the application process.
+
+## Related content
+
+- [SmartScreen reputation for developers](smartscreen-reputation.md)
+- [Choose a distribution path for your Windows app](choose-distribution-path.md)
+- [Sign an MSIX package using SignTool](/windows/msix/package/sign-app-package-using-signtool)
+- [Azure Artifact Signing (formerly Trusted Signing) documentation](/azure/trusted-signing/)