Forum Discussion
Appxmanifest Identity Publisher contains ST=Oregon instead of S=Oregon
Hi dmondou
Can you try passing in the /nv flag to MakeAppx when packaging? This should skip semantic validation. You'll have to verify that your package installs successfully after it's created.
Cheers,
Tanaka
Hello Tanaka_Jimha ,
With the /nv flag it does try to package up the files but then throws the following error:
MakeAppx : error: Error info: error C00CE169: App manifest validation error: The app manifest must be valid as per schema: Line 6, Column 45, Reason: 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.
The attribute 'Publisher' with value 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' failed to parse.
Without the /nv flag it doesn't try to package anything; it just throws the error right away.
Thanks,
David
- dmondou, Dec 04, 2020, Copper Contributor
Hello @Tanaka_Jimha,
Is there an update on this issue? It is a blocker for us in trying to deploy our app.
Thanks,
David
- marcinotorowski, Nov 26, 2020, Brass Contributor
dmondou This seems to be a possible bug in regexp validation of makeappx.exe. According to RFC 4519, ST should be a valid token (https://tools.ietf.org/html/rfc4519#section-2.33).
Now while this does not help with the original problem, here is a weird thing.
I tried to test it myself, and tried to first create a test code signing certificate using your subject name. Invoking the following two commands:
$certificate = New-SelfSignedCertificate -Type Custom -KeyUsage DigitalSignature -Subject "C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc" -FriendlyName "AcmeTest" -CertStoreLocation 'Cert:\CurrentUser\my'
(Get-ChildItem -Path "Cert:\CurrentUser\my" | ? { $_.Subject.IndexOf("Oregon") -ne -1 }).Subject
Seems to output:
C=US, S=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc
The same if you use makecert.exe, ST gets somehow replaced with S. No idea why, but seems to partially explain the choice of the regexp used by makeappx.exe.
- dmondou, Dec 04, 2020, Copper Contributor
Thanks for digging further into this.
- Tanaka_Jimha, Dec 08, 2020, Former Employee
Hi dmondou
Did you confirm that signing fails when you set S=Oregon in the manifest? I chatted with the team and they said the validation uses this CertNameToStr function ("CertNameToStrA function (wincrypt.h) - Win32 apps | Microsoft Docs") and it says:
"The string representation follows the distinguished name specifications in RFC 1779 except for the deviations described in the following list:
- The X.500 key name for stateOrProvinceName (2.5.4.8) OID is "S". This value is different from the RFC 1779 X.500 key name ("ST")."
Unfortunately it looks like ST=Oregon will not work, and you'll need a subject name with S=Oregon.
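
The check discussed in this thread, as an added PowerShell example that is not from any of the posters or from MakeAppx itself: it tests a Publisher string against the pattern quoted in the error message above and rewrites the RFC-style "ST" key to the "S" key that CertNameToStr uses. The function names Test-ManifestPublisher and ConvertTo-WindowsPublisher are hypothetical, and the sample subject is the one from the thread.

```powershell
# Added example, not code from the thread or from the Windows SDK.
# Key and value alternatives are copied from the MakeAppx error text above.
$Key   = '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))'
$Value = '(([^,+="<>#;])+|".*")'
$Rdn   = $Key + '=' + $Value
# A schema pattern must match the whole attribute value, so anchor both ends.
$PublisherPattern = '^' + $Rdn + '(, (' + $Rdn + '))*$'

function Test-ManifestPublisher {
    # Hypothetical helper: $true when the string satisfies the quoted pattern.
    param([Parameter(Mandatory)][string]$Publisher)
    # -cmatch is case-sensitive, like the schema pattern.
    return ($Publisher -cmatch $PublisherPattern)
}

function ConvertTo-WindowsPublisher {
    # Hypothetical helper: rewrite "ST=" to "S=" only where it starts an RDN.
    param([Parameter(Mandatory)][string]$Subject)
    if ($Subject.Contains('"')) {
        # A quoted value could itself contain ", ST="; do not guess in that case.
        throw 'Quoted RDN values are not handled by this example.'
    }
    return ($Subject -creplace '(^|,\s*)ST=', '${1}S=')
}

# Subject string taken from the thread.
$subject = 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc'
$fixed   = ConvertTo-WindowsPublisher -Subject $subject

# Emit one row per candidate Publisher value with its validation result.
foreach ($candidate in @($subject, $fixed)) {
    [pscustomobject]@{
        Publisher = $candidate
        Valid     = (Test-ManifestPublisher -Publisher $candidate)
    }
}
```

When a real signing certificate is available, its Subject property as shown earlier in the thread already uses the "S" key, so that string is the better source for the manifest value than a text rewrite.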