diff --git a/build/windows/store/3_dist-gimp-winsdk.ps1 b/build/windows/store/3_dist-gimp-winsdk.ps1 index ff01ea812c3..0d1786449e6 100644 --- a/build/windows/store/3_dist-gimp-winsdk.ps1 +++ b/build/windows/store/3_dist-gimp-winsdk.ps1 @@ -2,6 +2,7 @@ # Parameters param ($revision = '0', + $wack = 'Non-WACK', $build_dir = '_build', $a64_bundle = 'gimp-a64', $x64_bundle = 'gimp-x64') @@ -84,6 +85,13 @@ if ($CI_PIPELINE_SOURCE -ne 'schedule' -and $GIMP_CI_MS_STORE -like 'MSIXUPLOAD_ $revision = $GIMP_CI_MS_STORE -replace 'MSIXUPLOAD_','' } +## (Special case when using WACK locally) +if ($revision -eq 'WACK') + { + $revision = "0" + $wack = "WACK" + } + if ($revision -ne '0') { $revision_text = ", revision: $revision" @@ -225,7 +233,7 @@ foreach ($bundle in $supported_archs) Get-ChildItem "$vfs" -Recurse -Include ("*.debug", "*.tar") | Remove-Item -Recurse - # 4. MAKE .MSIX AND CORRESPONDING .APPXSYM + # 4.A. MAKE .MSIX AND CORRESPONDING .APPXSYM ## Make .appxsym for each msix_arch (ONLY FOR RELEASES) $APPXSYM = "${IDENTITY_NAME}_${CUSTOM_GIMP_VERSION}_$msix_arch.appxsym" @@ -253,7 +261,7 @@ foreach ($bundle in $supported_archs) } #END of 'foreach ($msix_arch...' -# 5. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD +# 4.B. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem *.msix -Recurse).Count -gt 1) { ## Make .msixbundle with all archs 
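Review bot: The `'WACK'` special case in the second hunk overloads the positional `$revision` argument as a mode switch, while the `$wack` parameter added in the first hunk can also be set by name; only the positional form is described in the README. A comment next to the parameter, such as `# 'WACK' enables local certification; passing WACK as the first argument is equivalent`, would make both entry points discoverable. The two assignments use double quotes (`"0"`, `"WACK"`) where the parameter defaults use single-quoted literals, so `$revision = '0'` and `$wack = 'WACK'` would match the surrounding style.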
@@ -287,8 +295,62 @@ if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem * #https://gitlab.gnome.org/GNOME/gimp/-/issues/11397 } +Remove-Item .gitignore +Rename-Item .gitignore.bak .gitignore + + +# 5. CERTIFY .MSIX OR .MSIXBUNDLE WITH WACK (OPTIONAL) +# (Partner Center does the same thing before publishing) +if (-not $GITLAB_CI -and $wack -eq 'WACK') + { + ## Prepare file naming + ## (appcert CLI does NOT allow relative paths) + $fullpath = $PWD + ## (appcert CLI does NOT allow more than one dot on xml name) + $xml_artifact = "$MSIX_ARTIFACT" -replace '.msix', '-report.xml' -replace 'bundle', '' + + ## Generate detailed report + ## (appcert only works with admin rights so let's use sudo, which needs: + ## - Windows 24H2 build + ## - be configured in normal mode: https://github.com/microsoft/sudo/issues/108 + ## - run in an admin account: https://github.com/microsoft/sudo/discussions/68) + $nt_build = [System.Environment]::OSVersion.Version | Select-Object -ExpandProperty Build + if ($nt_build -lt '26052') + { + Write-Host "(ERROR): Certification from CLI requires 'sudo' (available only for build 10.0.26052.0 and above)" -ForegroundColor Red + exit 1 + } + Write-Output "(INFO): certifying $MSIX_ARTIFACT with WACK" + if ("$env:Path" -notlike '*App Certification Kit*') + { + $env:Path = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit;' + $env:Path + } + sudo appcert test -appxpackagepath $fullpath\$MSIX_ARTIFACT -reportoutputpath $fullpath\$xml_artifact -# 5. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) AND DO OTHER STUFF + ## Output overall result + if (Test-Path $xml_artifact -Type Leaf) + { + $xmlObject = New-Object XML + $xmlObject.Load("$xml_artifact") + $result = $xmlObject.REPORT.OVERALL_RESULT + if ($result -eq 'FAIL') + { + Write-Host "(ERROR): $MSIX_ARTIFACT not passed. See: $xml_artifact" -ForegroundColor Red + exit 1 + } + elseif ($result -eq 'WARNING') + { + Write-Host "(WARNING): $MSIX_ARTIFACT passed partially. 
See: $xml_artifact" -ForegroundColor Yellow + } + #elseif ($result -eq 'PASS') + #{ + # Output nothing + #} + } + } + + +# 6. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($MSIX_ARTIFACT -notlike "*msixupload")) { Write-Output "(INFO): signing $MSIX_ARTIFACT (for testing purposes)" @@ -296,6 +358,7 @@ if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($M Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse } + if ($GITLAB_CI) { # GitLab doesn't support wildcards when using "expose_as" so let's move to a dir @@ -305,6 +368,8 @@ if ($GITLAB_CI) { Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination build\windows\store\_Output } + + # Generate checksums if ($CI_COMMIT_TAG) { Write-Output "(INFO): generating checksums for $MSIX_ARTIFACT" @@ -312,6 +377,3 @@ if ($GITLAB_CI) Get-FileHash build\windows\store\_Output\$MSIX_ARTIFACT -Algorithm SHA512 | Out-File build\windows\store\_Output\$MSIX_ARTIFACT.SHA512SUMS } } - -Remove-Item .gitignore -Rename-Item .gitignore.bak .gitignore diff --git a/build/windows/store/README.md b/build/windows/store/README.md index 949ea5fe0f8..02817c3da1e 100644 --- a/build/windows/store/README.md +++ b/build/windows/store/README.md @@ -20,6 +20,10 @@ Base rule to update the "GIMP (Preview)" entry: Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will add the generated .msixupload and on 'Store listings' the brief changelog. +If the .msix* starts to be refused to certification or to signing, +run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it +still complies with the latest Windows policies. Make sure to update WinSDK. + ## Versioning the MSIX * Every new .msixupload submission (with different content) needs a bumped version.
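Review bot: The WACK step added as section 5 fails open: if `sudo appcert test` is declined, errors out or writes no report, `if (Test-Path $xml_artifact -Type Leaf)` is skipped and the script continues to signing as if certification had passed, and a report left in place by an earlier run would be read as the current result. The elevated `appcert` is also located through `$env:Path`, where the `-notlike '*App Certification Kit*'` test accepts any entry containing that substring, so which binary runs with admin rights depends on the caller's PATH; calling it by the full path the hunk already hard-codes removes that dependency. An `OVERALL_RESULT` other than FAIL or WARNING is treated as a pass as well, which may deserve an explicit `PASS` check. The excerpt below shows only the rewritten lines, with the XML handling placed after the missing-report guard.

```powershell
  # … unchanged: file naming, Windows build check …
  $appcert = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe'
  # A report from an earlier run must not be mistaken for this run's result
  Remove-Item $xml_artifact -ErrorAction SilentlyContinue
  sudo $appcert test -appxpackagepath $fullpath\$MSIX_ARTIFACT -reportoutputpath $fullpath\$xml_artifact

  ## Output overall result
  if (-not (Test-Path $xml_artifact -Type Leaf))
    {
      Write-Host "(ERROR): WACK produced no report for $MSIX_ARTIFACT" -ForegroundColor Red
      exit 1
    }
  # … unchanged: load the XML and handle FAIL / WARNING …
```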