Distributing Windows Phone apps to testers has always been a pain. The Private Beta in the Windows Store intended for this is not very flexible and it got much worse with Windows 10 (generating promotional code that can take up to 24 hours).
One of the better ways to solve the beta build distribution is using a service like Hockey App, that Microsoft recently acquired. To be able to use Hockey App (or any other service) you need to buy a $299 certificate from Symantec.
You then use the certificate to sign the XAP or APPX files of your app. Those signed binaries can be than installed on devices with the correct application enrollment token directly from Hockey App, bypassing the Windows Store.
One of my clients got persuaded to try this approach after some problem with the Windows Store Private Beta and bough the certificate. It took a week for the purchase to go through and another week to finally get the certificate in the correct PFX format from Symantec.
Adding password to the PFX certificate
The PFX certificate file I got had an empty password. This is quite a problem for all the Microsoft tools that work with certificates, especially for XapSignTool. I could not make the tools work with an empty password so I had to change the password first. This is done quite easily using using OpenSSL.
openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
Generating application enrollment token
To allow the devices to install the signed XAP (or APPX) you need to generate an application enrollment token that will be installed on the devices. The process is quite simple, just call
%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\AETGenerator\AETGenerator.exe PFXFile Password
as a result you will get three files: AET.aet, AET.aetx, AET.xml. Get the AET.aetx file and upload it to Hockey App by clicking Add version and drag and dropping the file to the upload dialog. The company profile for your app in Hockey App will get updated using this file. This is done only once.
Signing the binary
Each time you submit a new build to Hockey App, you need to sign the binary (XAP in my case) with the certificate. The signing process differs for XAP and APPX files.
For XAP files it is just calling the right PowerShell script with the correct parameters
powershell.exe -File "%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\MDILXAPCompile\BuildMDILXap.ps1" -xapfilename "your.xap" –pfxfilename "cert.pfx" -password yourpassword
and the result is .. an error
Signtool Error: This file format cannot be signed because it is not recognized. So I had to do some research. I found a developer describing the same problem on StackOverflow. The solution was to install Silverlight 5.1.30514.0. This was really strange, it is a Silverlight runtime not an SDK and it does not get installed with Visual Studio or the Windows Phone SDK.
Distributing the app
Once you upload a signed binary to Hockey App, your testers can download it using a web browser to their devices. Each device needs to install the company profile (the application enrollment token) once, and then can install the builds you provide.
Installation of the Windows Phone app builds is a bit strange, no install progress or success messages, the app just appears in the list ofter one or two minutes. But it works, and it is much faster and more flexible than the Private Beta provides by the Windows Store.