How to Sideload an appx Bundle With Strong Signature Verification

Quick fix: Sideloading requires Developer Mode enabled in Settings → Privacy & security → For developers, plus the publisher’s code-signing certificate trusted on the device. Import the .cer file into Local Computer → Trusted People, then run Add-AppxPackage -Path C:\app.appxbundle from elevated PowerShell.

You want to install an .appxbundle file you downloaded from a developer’s site (or generated yourself). Just double-clicking it shows an “App Installer” window with a Trust Required error because the signing certificate isn’t in the trusted list. For verified-signature sideloading, the trust step is mandatory — Windows refuses to install unsigned or untrusted packages by default.

Symptom: You need to install an .appxbundle locally without the Microsoft Store, with full signature verification.
Affects: Windows 11 (any edition).
Fix time: 10 minutes for first-time setup; 1 minute per subsequent sideload.

What signature verification on sideload checks

When you sideload an .appx or .appxbundle, Windows verifies the package’s digital signature against trusted root certificates installed in the Local Computer certificate store. If the signing certificate chains up to a trusted root, install proceeds. If not, the App Installer shows “Trust required” or “Untrusted publisher.” The fix is to add the signing certificate (or its issuing certificate authority) to the trusted store.

Modern Windows sideloading respects this even with Developer Mode on — Developer Mode allows sideloading, but doesn’t weaken signature verification. The two settings are independent.

Method 1: Enable Developer Mode and import the cert

  1. Open Settings → Privacy & security → For developers.
  2. Toggle Developer Mode on. Confirm the prompt.
  3. Extract the signing certificate from the .appxbundle. Right-click the file → Properties → Digital Signatures tab. Click Details for the signature, then View Certificate, then Copy to File.
  4. Export the certificate. Choose DER encoded binary X.509 (.CER). Save to a memorable location.
  5. Double-click the saved .cer file → Install Certificate.
  6. Choose Local Machine (requires admin). Click Next.
  7. Choose Place all certificates in the following store → Browse → Trusted People. Click OK, Next, Finish.
  8. Now double-click the .appxbundle. The App Installer opens with a green “Trusted App” banner. Click Install.

The certificate is trusted machine-wide. Subsequent .appxbundle installs from the same publisher install without re-importing.

Method 2: PowerShell direct sideload

For scripted or repeated deployments:

  1. Open PowerShell as Administrator.
  2. Trust the certificate (if you have the .cer file):

    Import-Certificate -FilePath C:\path\to\cert.cer -CertStoreLocation Cert:\LocalMachine\TrustedPeople

  3. Install the package:

    Add-AppxPackage -Path C:\path\to\app.appxbundle

  4. Verify install:

    Get-AppxPackage -Name *YourApp*

This is non-interactive and ideal for build systems or deployment scripts.
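A certificate extracted from the package only shows that the package is consistent with itself, so a deployment script should pin the signer before trusting it. The following is an added example, not part of the original page: it extends Method 2 by comparing the signer's thumbprint with a value the publisher gave you through a separate channel and rejecting SHA-1 certificates before anything is imported. The paths, the thumbprint and the app name are placeholders, and it assumes Get-AuthenticodeSignature can read the bundle's signature on your build.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Paths, thumbprint and app name are placeholders.
$PackagePath        = 'C:\path\to\app.appxbundle'
$ExpectedThumbprint = '<THUMBPRINT-PUBLISHED-BY-THE-DEVELOPER>'  # obtained out-of-band
$AppName            = '*YourApp*'

$sig = Get-AuthenticodeSignature -FilePath $PackagePath

# HashMismatch means the file changed after it was signed.
if ($sig.Status -eq 'HashMismatch') { throw "Package contents do not match the signature." }
if (-not $sig.SignerCertificate)    { throw "Package carries no signature: $PackagePath" }
$cert = $sig.SignerCertificate

# Pin the signer: trust is granted only to the certificate you expected to see.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Signer thumbprint $($cert.Thumbprint) does not match the expected value."
}

# Reject certificates signed with SHA-1 (see "If none of these work").
$alg = $cert.SignatureAlgorithm.FriendlyName
if ($alg -match 'sha1') {
    throw "Signing certificate uses $alg; ask the publisher for a SHA-256 re-signed package."
}

# Import into Trusted People only if this exact certificate is not already there.
$storePath = 'Cert:\LocalMachine\TrustedPeople'
if (-not (Test-Path (Join-Path $storePath $cert.Thumbprint))) {
    $cerFile = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
    Import-Certificate -FilePath $cerFile -CertStoreLocation $storePath | Out-Null
    Remove-Item $cerFile
}

Add-AppxPackage -Path $PackagePath
Get-AppxPackage -Name $AppName | Select-Object Name, Version, SignatureKind
```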

Method 3: Bulk-deploy via Group Policy or Intune

For deploying signed apps to many machines:

  1. Sign in to Intune (endpoint.microsoft.com) → Apps → All apps → Add.
  2. Choose Line-of-business app, upload the .appxbundle, configure assignments.
  3. Intune handles certificate trust and installation across enrolled devices. No manual sideload steps on each PC.
  4. For non-Intune environments, deploy the cert via Group Policy: Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Trusted People → Import. Then use a startup script with Add-AppxPackage.

This is overkill for personal use but the right way for enterprise deployment of internal apps.

How to verify the fix worked

  • Double-click the .appxbundle. App Installer opens with Trusted App in green at the top.
  • After install, the app appears in Start.
  • Run Get-AppxPackage -Name *AppName* | Select-Object Name, SignatureKind — SignatureKind reads Developer or Enterprise, not Untrusted.
  • Open certmgr.msc → Trusted People → Certificates. The signing certificate is in the list.

If none of these work

If sideload still fails with “Trust required” despite cert import, the package may be signed by an intermediate certificate whose root isn’t in Trusted Root Certification Authorities. Import the full certificate chain: when exporting from the package, choose Include all certificates in the certification path, and import to Trusted People AND Trusted Root.

For very old or experimental packages signed with deprecated SHA-1 certificates, Windows 11 may refuse regardless of trust — ask the publisher for a re-signed version with SHA-256.

For Microsoft Store apps that you want to sideload (rare; intended for testing), get the package from the Store ahead of time using a tool like rg-adguard’s store URL extractor on a Store-enabled PC.
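To see which of these cases applies before importing anything further, the added example below (not part of the original page) builds the signer's certificate chain and lists each element with its signature algorithm and any trust problem. The package path is a placeholder. The check only looks at chaining to a trusted root, so a self-signed certificate that is not in Trusted Root reports UntrustedRoot.

```powershell
# Added example, not from the original page. The package path is a placeholder.
$PackagePath = 'C:\path\to\app.appxbundle'

$cert = (Get-AuthenticodeSignature -FilePath $PackagePath).SignerCertificate
if (-not $cert) { throw "No signer certificate found in $PackagePath" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation servers may be unreachable for internal CAs; this run inspects trust and algorithms only.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

# Elements are listed leaf first, root last.
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject   = $_.Certificate.Subject
        Issuer    = $_.Certificate.Issuer
        Algorithm = $_.Certificate.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha1RSA
        NotAfter  = $_.Certificate.NotAfter
        Problems  = ($_.ChainElementStatus.Status -join ', ')        # empty when the element is fine
    }
} | Format-List

"Chain trusted: $trusted"
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
```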

Bottom line: Sideload with signature verification = Developer Mode + certificate in Trusted People + Add-AppxPackage. Once set up, repeated sideloads from the same publisher are one command. Intune and GPO handle the enterprise case.
