MSI or MSIX — which should I use for my Rust app?

MSIX is the modern choice with clean deployment, easy updates and good isolation. MSI remains common for classic desktop apps and environments that require traditional installers.

Do I need an EV certificate to avoid SmartScreen?

EV code-signing certificates build SmartScreen reputation faster and reduce warnings significantly. OV certificates can work but may require building reputation over time.

Should I timestamp my signatures?

Yes. Always timestamp signatures so they remain valid after the certificate expires.

Can I ship a portable zip instead of an installer?

Yes, but signed installers (MSI/MSIX) provide a better installation experience and fewer warnings for end users.

Package & Sign Rust Apps — MSI, MSIX, Code Signing

Package your Windows app as MSI or MSIX and sign binaries to reduce SmartScreen friction. Follow a release checklist to ship confidently.

Open Quickstart Troubleshoot

File: rustup-init.exe • Source: rust-lang.org • Last updated: —

Installer options

MSI (WiX, NSIS, Inno)

Traditional installers with broad enterprise support. Good for services and complex setups. Sign the MSI and included binaries.

MSIX (Windows App SDK)

Modern, reliable deployments, clean upgrades and sandboxing. Great for desktop apps with WinUI and store distribution.

Portable zip

Simple distribution for power users and devs. Sign the EXE and include a README. Expect more warnings vs. signed installers.

Updates

MSIX supports differential updates. For MSI, implement your own updater or use a 3rd‑party solution.

Code signing 101

Cert choice: EV builds SmartScreen reputation faster; OV works but takes time.
Timestamp: Use RFC3161 timestamp servers so signatures remain valid after certificate expiry.
Sign everything: Sign .exe, .dll and the MSI/MSIX package.
Verify: Use signtool or Get-AuthenticodeSignature in PowerShell to validate.

SmartScreen reputation tips

Prefer EV certificates for new products to reduce warning rates.
Keep downloads hosted at reputable domains and use HTTPS.
Maintain versioned releases and avoid frequent re-signs without changes.

Release checklist

Release build on Windows (MSVC).
Sign binaries and installer with timestamp.
Run installs/upgrades/uninstalls on a clean VM.
Verify SmartScreen and AV behavior.
Publish hashes and a signed changelog.

Having issues? Head to Troubleshooting.