Difference between package signing and code signing

Question

Using VS2013 and Windows 8.1

I have a .cer and .pfx file bought from Verisign. I am new to store apps. I have couple of questions

1. What is the difference between signing the package and code signing (done using the VS 2013 packaging tab of Package.appxmanifest) - my understanding so far (a) I guess this is similar to using signtool.exe tool right? (b) both will install the public key(.cer) to certificate store(mmc) and sign the appx with private key(.pfx) so i would need to manually install .cer file in the live machines inorder to install my app? (c) Code is signing is done in order to ensure the code has not been tampered with but do we need to do this for all main store app and other components used part of dfferent project (.dll)

2. Do we need both package and code signing inorder to publish store apps on client machine?

3. I can't use the same .pfx used for package signing for code signing because of some chaining information. Is this how it is supposed to used different .pfx for both is this a normal way?

Answer 1

For the regular Windows Store apps:

1. You don't need to sign windows store apps manually.

2. No. Windows Store will sign the package automatically.

3. Code signing is for Windows Classic apps or drivers and not for Windows Store apps.

For the sideloaded apps:

Windows store enterprise apps can be signed by any certification authority that is trusted on your PCs (where the app will be installed). It's better to sign with visual studio. There is documantation for an exact procedure. If you will sign with Verisign certificate, you don't need to install anything except the app, because verisign root is already trusted in Windows. Visual studio signs only application package.