Windows Store Apps (formerly known as „Metro Apps“) are meant to be distributed over the Windows App Store, but in contrast to Apple, Microsoft does provide a supported way to install such apps without consulting the App Store: sideloading. This feature has been invented for enterprises that do have their own software development team and need to have 100% control over the intellectual property inside the software.
The first drawback of the sideloading feature is that it’s available out of the box only on domain joined computers – this means: you cannot use sideloading on windows versions that cannot join a domain (e.g.: Windows Home). This includes Windows RT, too. There is a product called Sideloading Activation Key available in bundles of 100 keys for about 3000 $US offered to enterprises that want to implement BYOD with WinRT devices like the Microsoft Surface.
The next issue was some more cumbersome: you need to digitally sign the installation package (the APPX-package) with a trusted certificate. This seems an easy one, if and when you can use a company CA. But if you have two different customers that want to use your app and you cannot use their CA to sign your package, you probably don’t want to have them to install your CA certificate as a trusted root CA (this would be a really bad idea from the security perspective).
So you need another commonly trusted CA to sign your Code Signing Certificate – this is where commercial CAs comes into the game.
Commercial CAs do provide a process in which a Code Signing Certificate will be issued after validating your identity. In case of Windows Store Apps distributed via the Microsoft App Store this CA is Microsoft itself – so by uploading your App to the store, it will be digitally signed by Microsoft and everything is fine. If you want to sign for sideloading you need to buy a Code Signing Certificate from a commercial CA – but when you search for Code Signing Certificates, you will only find such for Microsoft Authenticode or Windows Phone … not for Windows 8 Apps.
So because no one seems to guarantee that the certificate will work with Windows Store Apps, I decided to buy one from Thawte – I had already positive experience with them in the past, so I thought that their support personnel will be helpful, when something does not work. And of course: the certificate did not work.
We had some interesting experience with Visual Studio (the error message was that the certificate does not meet “the requirements” – no word about what specific requirement) Microsoft support (don’t want to go into details about that here, just to say that after some tries with the US support, the German support engineer was really helpful), but in the end we spotted the issue: there was an additional “Extended Key Usage (EKU) OID 220.127.116.11.4.1.318.104.22.168” in the Thawte certificate. The support engineer at Thawte simply issued me a Verisign coded signing certificate (Verisign and Thawte are both property of Symantec, so this is not a real issue for them), which does not contain that EKU.
At the moment of this post Thawte is not able to provide a certificate without that EKU, but the Verisign certificate does simply work. I will post an update, when I get the info from Thawte that they will support such kind of certificates. Until then you should stick with Verisign certificates – even when they are much more expensive.