Package a Windows app as an MSIX installer for distribution or testing. Use when creating a Windows installer, packaging an Electron/Flutter/.NET/Rust/C++/Tauri app for Windows, building an MSIX, distributing a desktop app, packaging a console app or CLI tool, or adding MSIX packaging to a build script or CI/CD pipeline.
Use this skill when:
Before packaging, you need:
bin/Release/, dist/, build/)appxmanifest.xml — from winapp init or winapp manifest generatedevcert.pfx from winapp cert generate for signing# Package from build output — manifest auto-detected from current dir or input folder
winapp package ./bin/Release
# Specify manifest location explicitly
winapp package ./dist --manifest ./appxmanifest.xml
# Sign with existing certificate
winapp package ./bin/Release --cert ./devcert.pfx
# Custom certificate password
winapp package ./bin/Release --cert ./devcert.pfx --cert-password MyP@ssw0rd
# Auto-generate cert, sign, and package
winapp package ./bin/Release --generate-cert
# Also install the cert to trust it on this machine (requires admin)
winapp package ./bin/Release --generate-cert --install-cert
# Bundle Windows App SDK runtime so users don't need it installed (must have winappsdk reference in the winapp.yaml or *.csproj)
winapp package ./bin/Release --cert ./devcert.pfx --self-contained
# Specify output file
winapp package ./dist --output ./releases/myapp-v1.0.msix --cert ./devcert.pfx
# Custom package name
winapp package ./dist --name "MyApp_1.0.0_x64" --cert ./devcert.pfx
appxmanifest.xml — looks in input folder, then current directory (or uses --manifest)resources.pri — Package Resource Index for UWP-style resource lookup (skip with --skip-pri)makeappx pack — creates the .msix package file--cert provided) — calls signtool with your certificateOutput: a .msix file that can be installed on Windows via double-click or Add-AppxPackage.
# Trust the dev certificate first (one-time, requires admin)
winapp cert install ./devcert.pfx
# Install the MSIX
Add-AppxPackage ./myapp.msix
# Uninstall if needed
Get-AppxPackage *myapp* | Remove-AppxPackage
dotnet build, cmake --build, npm run make, etc.)winapp package <build-output> --cert ./devcert.pfxwinapp cert install ./devcert.pfx (admin).msix or Add-AppxPackage ./myapp.msixFor sparse packages with AllowExternalContent, you may need a code integrity catalog:
# Generate CodeIntegrityExternal.cat for external executables
winapp create-external-catalog "./bin/Release"
# Include subdirectories and specify output path
winapp create-external-catalog "./bin/Release" --recursive --output ./catalog/CodeIntegrityExternal.cat
This hashes executables in the specified directories so Windows trusts them when running with sparse package identity.
Use the microsoft/setup-winapp action to install winapp on GitHub-hosted runners:
- uses: microsoft/setup-winapp@v1
- name: Package
run: winapp package ./dist --cert ${{ secrets.CERT_PATH }} --cert-password ${{ secrets.CERT_PASSWORD }} --quiet
Tips for CI/CD pipelines:
--quiet (or -q) to suppress progress output--if-exists skip with winapp cert generate to avoid regenerating existing certificates--use-defaults (or --no-prompt) with winapp init to avoid interactive promptspackage command aliases to pack — both work identicallyappxmanifest.xml Publisher must match the certificate publisher — use winapp cert generate --manifest to ensure they match--skip-pri if your app doesn't use Windows resource loading (e.g., most Electron/Rust/C++ apps without UWP resources)winapp-frameworks skill--executable flag overrides the entry point in the manifest — useful when your exe name differs from what's in appxmanifest.xml--timestamp when signing with winapp signwinapp-manifest to generate appxmanifest.xmlwinapp-signing for certificate generation and managementwinapp-troubleshoot for a command selection flowchart and error solutions| Error | Cause | Solution |
|---|---|---|
| "appxmanifest.xml not found" | No manifest in input folder or current dir | Run winapp init or winapp manifest generate first |
| "Publisher mismatch" | Cert publisher ≠ manifest publisher | Regenerate cert with winapp cert generate --manifest, or edit manifest |
| "Package installation failed" | Cert not trusted or stale package | Run winapp cert install ./devcert.pfx (admin), then Get-AppxPackage <name> | Remove-AppxPackage |
| "makeappx not found" | Build tools not downloaded | Run winapp update or winapp tool makeappx --help to trigger download |
winapp packageCreate MSIX installer from your built app. Run after building your app. A manifest (appxmanifest.xml or package.appxmanifest) is required for packaging - it must be in current working directory, passed as --manifest or be in the input folder. Use --cert devcert.pfx to sign for testing. Example: winapp package ./dist --manifest appxmanifest.xml --cert ./devcert.pfx
Aliases: pack
| Argument | Required | Description |
|---|---|---|
<input-folder> | Yes | Input folder with package layout |
| Option | Description | Default |
|---|---|---|
--cert | Path to signing certificate (will auto-sign if provided) | (none) |
--cert-password | Certificate password (default: password) | password |
--executable | Path to the executable relative to the input folder. | (none) |
--generate-cert | Generate a new development certificate | (none) |
--install-cert | Install certificate to machine | (none) |
--manifest | Path to AppX manifest file (default: auto-detect from input folder or current directory) | (none) |
--name | Package name (default: from manifest) | (none) |
--output | Output msix file name for the generated package (defaults to <name>.msix) | (none) |
--publisher | Publisher name for certificate generation | (none) |
--self-contained | Bundle Windows App SDK runtime for self-contained deployment | (none) |
--skip-pri | Skip PRI file generation | (none) |
winapp create-external-catalogGenerates a CodeIntegrityExternal.cat catalog file with hashes of executable files from specified directories. Used with the TrustedLaunch flag in MSIX sparse package manifests (AllowExternalContent) to allow execution of external files not included in the package.
| Argument | Required | Description |
|---|---|---|
<input-folder> | Yes | List of input folders with executable files to process (separated by semicolons) |
| Option | Description | Default |
|---|---|---|
--compute-flat-hashes | Include flat hashes when generating the catalog | (none) |
--if-exists | Behavior when output file already exists | Error |
--output | Output catalog file path. If not specified, the default CodeIntegrityExternal.cat name is used. | (none) |
--recursive | Include files from subdirectories | (none) |
--use-page-hashes | Include page hashes when generating the catalog | (none) |