Packages can be signed, but this is not obligatory. If an unsigned package is installed, the user has to confirm that he accepts this package:
You can sign your package with the PackageManagerCLI.
The relevant command line arguments are:
--signPackage="<package file path>" --pkcs12Path="<PKCS#12 file path>" --pkcs12Passwd="<PKCS#12 password>"
This will sign a package file with the certificate and private key from the PKCS#12 file.
Optionally, you can use --tsaTimestampServiceUrl="<url>" to specify a TSA timestamp service to add a timestamp to the signature. If you do not do this, the users of your package will not be able to verify your package, once the certificate expires.
USAGE:
PackageManagerCLI <option> <option> <...> --profile="<profile name>" The version profile to be used for execution of this process. (Mandatory.) --culture="<culture name>" The language to be used for execution of this process, e.g. "de-DE". If not specified, the operation system language is used. (Optional.) --install="<package file path>" Installs the package at the specified file path. (Cannot be used together with --uninstall, --uninstallAll or --create PackageArchive.) --uninstall="<package GUID>;<version>" Uninstalls the package with the specified GUID and version. (Cannot be used together with --install, --uninstallAll or --createPackageArchive.) --uninstallAll Uninstalls all packages. (Cannot be used together with --install, --uninstall or --createPackageArchive.) --components="<component ID>;<component ID>;<...>" Selects the specified component IDs for installation. The other components in the same package will not be installed, unless required by the selected components. You can also specify "typical" or "complete" instead of the ID list. If this option is not specified, "complete" is assumed by default. (Optional, can only be used together with --install.) --targetProfiles="<profile>;<profile>;<...>" Selects the specified target profiles for installation. If this option is not specified, all target profiles are selected by default. (Optional, can only be used together with --install.) --targetDirectories="<ID>=<path>;<ID>=<path>;<...>=<...>" Sets the specified target directories. Each target directory is identified by its target directory ID (an integer value). (Optional, can only be used together with --install.) --createPackageArchive="<package folder path>;<target filename>" Creates a package archive out of a folder. "packae folder path" has to be an existing folder. (Cannot be used together with --install, --uninstall or --uninstallAll.) --signPackage="<package file path>" --pkcs12Path="<PKCS#12 file path>" --pkcs12Passwd="<PKCS#12 password>" Signes a package file with the certificate and private key from the PKCS#12 file. (Optional, can use --tsaTimestampServiceUrl="<url>" to specifiy a TSA timestamp service to add a timestamp to the signature.) --validateSignature="<package file path>" Validate the signature of a package file. --verbose Display detailed progress information on the console.