Forum Discussion

dmondou's avatar
dmondou
Copper Contributor
Nov 19, 2020

Appxmanifest Identity Publisher contains ST=Oregon instead of S=Oregon

I am trying to use the 10.0.19041.0 makeappx.exe using a certificate I can not change.  The issue is that the publisher subject lines contains ST=Oregon instead of S=Oregon and I get the following er...
marcinotorowski's avatar
marcinotorowski
Brass Contributor
Nov 26, 2020

dmondou This seems to be a possible bug in regexp validation of makeappx.exe. According to RFC 4519, ST should be a valid token (https://tools.ietf.org/html/rfc4519#section-2.33

 

Now while this does not help with the original problem, here is a weird thing.

I tried to test it myself, and tried to first create a test code signing certificate using your subject name. Invoking the following two commands:

 

 

$certificate = New-SelfSignedCertificate -Type Custom -KeyUsage DigitalSignature -Subject "C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc" -FriendlyName "AcmeTest" -CertStoreLocation 'Cert:\CurrentUser\my';

(Get-ChildItem -path "Cert:\CurrentUser\my" | ? { $_.Subject.IndexOf("Oregon") -ne -1 }).Subject

 

Seems to output:

C=US, S=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc

 

The same if you use makecert.exe, ST gets somehow replaced with S. No idea why, but seems to partially explain the choice of the regexp used by makeappx.exe.

 

dmondou's avatar
dmondou
Copper Contributor
Dec 04, 2020
Thanks for digging further into this.
  • Tanaka_Jimha's avatar
    Tanaka_Jimha
    Former Employee
    Dec 07, 2020

    Hi dmondou 

     

    Did you confirm that signing fails when you set S=Oregon in the manifest? I chatted with the team and they said the validation uses this CertNameToStr function - CertNameToStrA function (wincrypt.h) - Win32 apps | Microsoft Docs and it says

     

    "The string representation follows the distinguished name specifications in RFC 1779 except for the deviations described in the following list:

    • The X.500 key name for stateOrProvinceName (2.5.4.8) OID is "S". This value is different from the RFC 1779 X.500 key name ("ST"). "

    Unfortunately it looks like ST=Oregon will not work, and you'll need a subject name with S=Oregon.

    • dmondou's avatar
      dmondou
      Copper Contributor
      Dec 09, 2020

      Hi Tanaka_Jimha ,

      Using S=Oregon does work, however our certificate is through Digicert and we discussed with them or issuing a cert with S=Oregon and they won't do it. Any chance of getting ST=Oregon changed in MSIX?

      Thanks,

      David  

      • Tanaka_Jimha's avatar
        Tanaka_Jimha
        Former Employee
        Dec 15, 2020

        Hi dmondou ,

         

        Did signing fail with ST=Oregon?

        I've added this request to our backlog, so that using ST=Oregon would be supported by default. I'm sorry it doesn't work currently and it's causing issues for you.

         

        Thanks,

        Tanaka