Tags: windows-store-apps, code-signing, sideloading, msix

Can I code sign a Windows Store App with a trusted code signing certificate?


We have a Windows UWP app that is currently in the Microsoft store. The project includes a store association file which contains publisher attributes one of which is the Common Name. Our store account shows the CN as a string value resembling a GUID. It shows the Display Name as our company name. In Visual Studio we can build the app for sideloading and code sign with a self-signed certificate in which the certificate’s CN is the same as the Store CN (GUID like string). This allows us to sideload new versions of the app over the store version for testing and getting new features to specific customers quickly. Then the sideloaded version can eventually be updated with newer published store versions.

My question is this: We would like to sign the app with a Code Signing Certificate we purchase from a trusted certificate authority. The problem is trusted code signing certificates must have the Common Name as the company name. We seem to only be able to sign the app with a certificate that has the Common Name equal to the CN in the store association file (GUID like string). Is this a known limitation to store associated apps or are we missing something?


Solution

  • TLDR; Any app published in the MS Store will be signed only with Microsoft's certificates. You cannot use your own certificate to publish an app in the store.

    If you use your own certificate to sign the package you need to provide an external link for users to get your app. You can use the AppInstaller protocol for that.

    The GUID that you see in the CN (for the certificate generated automatically by VS) is actually a "private key"-like mechanism that MSFT uses to ensure that the app published in the store is actually submitted by its real owner (i.e. I assume to avoid some kind of man in the middle attack where an attacker could somehow upload a corrupted version of your app).

    Once your app gets in the store and passes all the validations MSFT will sign it with their own certificate. I suppose this is how the AppInstaller service (or the Store app from Windows 10) will know it is ok to trust any app signed with their certificate.
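Added example, not part of the question or answer above: a small Python check that reads the Publisher attribute from an AppxManifest.xml and compares it, as a parsed distinguished name, against the subject of the certificate you plan to sign with. MSIX/Appx signing requires the manifest Publisher and the certificate Subject to match as whole DNs (not only the CN), which is the constraint the question runs into with a CA-issued certificate; the manifest snippet, GUID and subject strings are constructed, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the post); Publisher is a store-style
# DN whose CN is a GUID-like value, with an escaped comma inside the O value.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.DemoApp" Version="1.2.0.0"
            Publisher="CN=12345678-ABCD-4EF0-9876-FEDCBA987654, O=Contoso\\, Inc., C=US" />
</Package>"""
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

def manifest_publisher(xml_text):
    """Return the Publisher attribute of the manifest's <Identity> element."""
    identity = ET.fromstring(xml_text).find(APPX_NS + "Identity")
    if identity is None or "Publisher" not in identity.attrib:
        raise ValueError("manifest has no Identity/Publisher")
    return identity.attrib["Publisher"]

def parse_dn(dn):
    """Split a DN string into ordered (type, value) pairs, honouring '\\,' escapes."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:            # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma ends the current RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))   # types case-insensitive, values exact
    return pairs

def signing_mismatch(manifest_xml, cert_subject):
    """Return [] when the certificate subject matches the manifest Publisher,
    otherwise one human-readable difference per differing RDN position."""
    want = parse_dn(manifest_publisher(manifest_xml))
    have = parse_dn(cert_subject)
    problems = []
    for i in range(max(len(want), len(have))):
        w = want[i] if i < len(want) else None
        h = have[i] if i < len(have) else None
        if w != h:
            problems.append(f"RDN {i}: manifest has {w}, certificate has {h}")
    return problems
```

Run it against the subject of the certificate you intend to buy before purchasing: a non-empty result means signtool will reject the package unless the manifest Publisher is changed to match, which in turn breaks store association.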