What is the difference between InstallerSha256 and SignatureSha256?

[G0rocks]

It looks important, I don't know what it is, google didn't really help out and the page (this one) that's supposed to explain it, doesn't.
I'm trying to author a manifest and I did the winget hash <yaml file> and it gave me a different hash number than the last time I did this (a while back, for the same yaml) and I'm not sure if it's an InstallerSha256 or a SignatureSha256.
Thanks.

[ghost]

@denelon

[denelon]

@G0rocks in a Windows Package Manager manifest, the InstallerSha256 is a hash of the binary installer and the SignatureSha256 is a hash of the signature used to sign MSIX packages.

[G0rocks]

Okay, thanks. How do you find out these hash numbers when authoring a manifest? Using winget hash <yaml> just gives you a number, nothing about which one it is.
Thanks!

[denelon]

You can get help on specific Windows Package Manager commands by passing -? after the command.

Execute winget hash -m <installer.msix> or winget hash --msix <installer.msix> to see the SignatureSha256.

We are just about to release a new tool that will greatly simplify creating manifests. I'll pin an issue and update the various readme files when we do. I'll also tweet the announcement (@DenelonMs on Twitter).

[G0rocks]

Ok cool, thanks.

[denelon]

#938