I am posting this answer as I could not find anywhere that listed in detail exactly how to code-sign a legacy MSI installer using a 3rd party Code Signing certificate so that it is accepted by the Microsoft Store. All the examples I found online seemed to relate to using Visual Studio which is not the same. As an individual developer, maintaining my free VB6 application as a hobby, I could not cope with the expense or complexity of many of the methods I found documented. The solution below cost me approx $85 for hardware and $150 for a certificate valid for one year.

This information was correct in March 2024.

  1. What do you need to purchase? You need a Code Signing Certificate. There are 3 types. Individual Validation (IV), Organisation Validation (OV) and Extended Validation (EV). If you are an individual the first one is your only option. An EV is NOT required, it is more expensive and should NOT be issued to an individual.

  2. Where do you purchase it? You need to choose a Certificate Authority (CA) that is part of the Microsoft Trusted Root Program. Search for - Microsoft Manage Code Signing Certificates - choose the page at learn.microsoft.com for the current details about Code Signing Certificates which lists a number of companies. The cost seemed to vary greatly - so check out a few.

  3. How is the certificate supplied? I found I needed to purchase (or already have) a USB Card Reader and a valid SIM to securely store the certificate. I purchased mine directly from my chosen CA. You also need to purchase an IV or OV Code Signing certificate. To obtain this you will need to be positively identified. I was able to do this online using my photo driving license and the video camera on my computer. I followed the instructions of the CA to securely download the signing certificate onto the USB card reader. I was prompted to create my own unique PIN to protect this hardware/software token.

  4. What software is required to code sign files? You need signtool.exe which is issued by Microsoft as part of the Windows SDK. You only need to install the part of the SDK for code signing.

  5. How do you sign a file? You need to be on a Windows 10 (or later) PC with signtool.exe and, in my case, I needed the USB card reader plugged in. You run, from the command line or batch file, signtool.exe. I found it connected to the card reader, which then prompted me for my PIN number before allowing the files to be signed with my certificate.

  6. Which files need to be signed? EVERY executable file (.exe, .dll, .ocx, etc) must be individually signed with your certificate. This INCLUDES Microsoft dll or ocx files you distribute in the MSI (some older Microsoft files are signed with the MD5 algorithm which is not sufficient).

  7. What options are required? You must both sign and timestamp each executable file using the SHA256 algorithm. You can sign multiple files using one command.

  8. What are the parameters for signtool.exe? You can find these documented in full at Microsoft but the format I used was:

signtool.exe sign /n "Your Certificate Name" /t http://your.time.server/ /fd sha256 folder1/filenames folder2/filenames myapp.exe

  9. What do these parameters mean? /n is the full name on the certificate; /t timestamps the signing using the time server (check your CA documentation for this); /fd sha256 uses the required algorithm. This is followed by one or more filenames separated by spaces. You can use wildcards or explicit names. I found that if you use a wildcard, signtool seemed to skip files that should not be signed.

  10. What do you do next? Now you need to build the MSI installer using your existing software including the files you have just signed. IMPORTANT - Once the MSI file is built, you must now code sign the finished MSI file as well, in the same way as above.

  11. Is that it? Yes and No - once you have done all this, the MSI installer file can be uploaded and should pass initial Package Validation by the Microsoft Store. However, I found that even though it passed Package Validation, when I submitted it for Application Review it was rejected due to a Smartscreen Warning. You need to download the MSI installer from your website using MICROSOFT EDGE and, if you get the Smartscreen warning, click on the 3 dots top right to report that, as website owner, you consider the file to be safe. 24 hours after this, try downloading again and, if you get no Smartscreen warning, you can now send the Application to the Microsoft Store for Review. I had to go through this process MULTIPLE TIMES, as it was still rejected due to Smartscreen, but eventually it worked.

This entire process took me 2 months, so be patient....
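The steps above (sign every executable, build the MSI, sign the MSI) as one PowerShell script. This is an added example, not code from the answer above; it assumes signtool.exe is on PATH, the hardware token is plugged in, and that the certificate name, timestamp URL, build folder, MSI path and installer-build command (all placeholders) are replaced with your own. It adds a `signtool verify` pass after each signing step so a missing or broken signature is caught locally rather than by the Store.

```powershell
# Added example: sign all executables, build the MSI, sign and verify the MSI.
# Placeholders (replace with your own values):
$CertName   = "Your Certificate Name"     # subject name on the certificate (the /n value)
$TimeServer = "http://your.time.server/"  # timestamp server URL from your CA's documentation
$BuildDir   = ".\build"                   # assumed folder holding the files that go into the MSI
$MsiPath    = ".\output\MyApp.msi"        # assumed path your installer tool writes the MSI to

# 1. Collect every executable that will ship in the MSI, including any
#    redistributed Microsoft .dll/.ocx files (they must be re-signed too).
$binaries = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe,*.dll,*.ocx -File

# 2. Sign and timestamp each file with SHA-256. Signing one file per call keeps
#    the failing file obvious; the token driver prompts for the PIN as needed.
foreach ($f in $binaries) {
    & signtool.exe sign /n $CertName /t $TimeServer /fd sha256 $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($f.FullName)" }
}

# 3. Verify each signature against the default Authenticode policy (/pa);
#    /v prints the signer chain and timestamp so you can eyeball them.
foreach ($f in $binaries) {
    & signtool.exe verify /pa /v $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $($f.FullName)" }
}

# 4. Build the MSI with your existing installer tool (placeholder; replace with your own command).
# & "C:\Path\To\Your\installer-builder.exe" /project MyApp.proj

# 5. Sign the finished MSI the same way, then verify it.
& signtool.exe sign /n $CertName /t $TimeServer /fd sha256 $MsiPath
if ($LASTEXITCODE -ne 0) { throw "Signing the MSI failed" }
& signtool.exe verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "MSI signature verification failed" }

Write-Host "All files and the MSI are signed, timestamped and verified."
```

Run it from a Developer Command Prompt or any PowerShell session where signtool.exe resolves. The explicit file list from Get-ChildItem avoids the wildcard behaviour mentioned in step 9, and the exit-code checks stop the script before the MSI is built from an unsigned file.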