2.3 MSIX signature validation
The MyID clients perform signature validation of their components as a form of tamper protection: if a component does not have an expected signature, it is not loaded. While this provides significant protection, it also adds a small start-up cost and can require more complex configuration in offline environments that cannot access resources such as public revocation lists over the internet.
When running on Windows 10 2004 or later, MSIX includes tamper protection out-of-the-box, which significantly reduces the attack surface and allows you to relax our own tamper protection safely. MyID clients ship secure by default – this means that Intercede's own tamper protection is performed alongside the MSIX tamper protection unless configured otherwise. To disable the internal signature checks performed by the MyID clients, add a key of DisableComponentVerification and a value of true to your configuration; for example:
<add key="DisableComponentVerification" value="true"/>
Note: If you use the DisableComponentVerification setting with clients installed using MSI, they will present a prominent and persistent warning about insecure configuration. This warning, by design, cannot be dismissed or disabled. MSIX clients will not present a warning since they are protected by the built-in tamper protection.
Note: Package integrity enforcement was introduced in Windows 10 2004. On earlier versions, MSIX still offers improved protection compared to MSI (file-system permissions, and so on), but package integrity enforcement will not be applied and Windows will not prevent tampered apps from running. As such, it is not recommended to use this configuration if you are using a version of Windows older than Windows 10 2004.
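One way to check these conditions on a workstation before relying on the setting, as an added PowerShell example (not Intercede's code): it reads a client configuration file, checks whether the client is installed as an MSIX package, and compares the OS build with 19041, the build number of Windows 10 2004. The configuration file path and the package name are parameters you must supply; neither value is taken from this page.

```powershell
# Added example. Placeholders (not from the MyID documentation): ConfigPath and
# PackageName must be set to the values used in your own deployment.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,   # client configuration file (placeholder)
    [Parameter(Mandatory)] [string] $PackageName   # MSIX package name, wildcards allowed (placeholder)
)

$MinBuild = 19041   # build number of Windows 10 2004

# True when the file contains <add key="DisableComponentVerification" value="true"/>.
function Test-VerificationDisabled {
    param([string] $Path)
    $cfg  = [xml](Get-Content -LiteralPath $Path -Raw)
    $node = $cfg.SelectSingleNode("//add[@key='DisableComponentVerification']")
    return ($null -ne $node) -and ($node.GetAttribute('value') -ieq 'true')
}

$build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
# Get-AppxPackage returns nothing when no matching MSIX package is installed for this user.
$isMsix   = $null -ne (Get-AppxPackage -Name $PackageName -ErrorAction SilentlyContinue)
$disabled = Test-VerificationDisabled -Path $ConfigPath

$verdict = if (-not $disabled) {
    'OK: internal component verification is enabled'
} elseif (-not $isMsix) {
    'RISK: verification disabled but no MSIX package found (MSI installs show a persistent warning)'
} elseif ($build -lt $MinBuild) {
    'RISK: verification disabled on a build without package integrity enforcement'
} else {
    'OK: verification disabled, MSIX package integrity enforcement applies'
}

[pscustomobject]@{
    OsBuild              = $build
    InstalledAsMsix      = $isMsix
    VerificationDisabled = $disabled
    Verdict              = $verdict
}
```

Run it per user session, since `Get-AppxPackage` without `-AllUsers` only reports packages registered for the current user.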