Forum Discussion

pbertolino's avatar
pbertolino
Copper Contributor
Jul 05, 2022
Solved

Code signing works on exe but doesn't on msix

Hi there,
I'm used to code sign our exe (built with Visual Studio and packed with Innosetup) without problem:

signtool.exe sign /n "oursoft" .\oursoft.exe

Done Adding Additional Store
Successfully signed: .\oursoft.exe
or also
signtool.exe sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /a .\oursoft.exe
Done Adding Additional Store

 

If instead I produce a MSIX install, with the same commands, it dooesn't work anymore:
signtool.exe sign /n "oursoft" .\oursoft.msix
Error information: "Error: SignerSign() failed." (-2146889723/0x80091005)
or
signtool.exe sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /a .\oursoft.msix
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

 

I can't fix that thus I can't put our application on the Microsoft store 😞
Does someone have any idea of what is the origin of this problem?
Thank you for your help,
  Pascal

MSIX
  • pbertolino's avatar
    pbertolino
    Jul 10, 2022
    I finally fixed the problem: it was the publisher name that was incomplete:
    When signing our Innosetup install, "CN=Ourcompany" was sufficient for the signing procedure to be successful.
    While when signing the MSIX intall, it was not. It should have been " CN=Ourcompany, O=Ourcompany, S=Auvergne-Rhône-Alpes, C=FR, OID......."
    I found the right publisher name value thanks to the Windows event viewer application that reported the details of the error.
    The section to check was: Microsoft-Windows-AppxPackagingOM

    I hope this will save time to somebody.

    Pascal

3 Replies

  • pbertolino's avatar
    pbertolino
    Copper Contributor
    Jul 10, 2022
    I finally fixed the problem: it was the publisher name that was incomplete:
    When signing our Innosetup install, "CN=Ourcompany" was sufficient for the signing procedure to be successful.
    While when signing the MSIX intall, it was not. It should have been " CN=Ourcompany, O=Ourcompany, S=Auvergne-Rhône-Alpes, C=FR, OID......."
    I found the right publisher name value thanks to the Windows event viewer application that reported the details of the error.
    The section to check was: Microsoft-Windows-AppxPackagingOM

    I hope this will save time to somebody.

    Pascal
    • MichalKala1991's avatar
      MichalKala1991
      Copper Contributor
      Jul 13, 2022
      Does the publisher on certificate need to match the publisher defined in MSIX package? Or can I sign any MSIX file?
      • Bogdan Mitrache's avatar
        Bogdan Mitrache
        Iron Contributor
        Jul 14, 2022
        Yes, they have to be a match otherwise you can't sign the MSIX package.

        Technically, you can sign any MSIX package, if you change the publisher in the package to match the one from the certificate.

Resources