Forum Discussion
MSIX package signing issue with certificate installed in a certificate store
Thanks TIMOTHY_MANGAN, appreciate your input.
The Subject Name matched the manifest file CN name; I verified it. Just to reassure, I exported the certificate installed by our team in the store as a .cer file and imported it during the MSIX packaging process, which does not sign the package but automatically generates the correct publisher information.
Also, I tried using the DigiCert Utility tool to sign the package (GUI method) and am getting the error below. Is this a generic error message or specific to my scenario? Not sure.
One thing I noticed is that it does not have the .MSIX file type in the drop-down selection of the file type we are signing, shown below. Does this mean our code signing certificate does not support the MSIX file type? After all, the error message we got while using signtool was "The file format cannot be signed because it is not recognized".
Thank you guys for your valuable suggestions, appreciate your time on this.
- So I ended up calling DigiCert support and asked the first question: whether they support signing MSIX packages and whether they have any document which confirms that. Unfortunately they don't have any document which states all the file formats they support for code signing.
- Then I ran Signtool in debug mode as TIMOTHY_MANGAN suggested here https://techcommunity.microsoft.com/t5/msix-packaging-and-tools/msix-packageing-tool-signtool-certificate-issues/m-p/224217 and ended up finding another article related to the error I was getting.
- As per this thread https://www.advancedinstaller.com/forums/viewtopic.php?t=36104 I uninstalled the Windows 10 SDK I had on the machine and re-installed the latest version of the Windows 10 SDK, version 2004 (10.0.19041.0), from here https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/
- Then, as TIMOTHY_MANGAN suggested above, I started by signing a simple MSI file just to verify nothing was wrong with the certificate, and it worked fine. Later I signed a custom .EXE we developed and signing went fine. So I confirmed nothing is wrong with the certificate I am using.
- Finally I signed the MSIX package I created using this command and it worked without any issues.
1) Change the Path to Signtool Location below
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64
2) Sign the Package using this command
.\signtool.exe sign /v /sm /s My /n "ABC Corporation" /fd SHA256 /t http://timestamp.digicert.com "<FileLocation>\File.msix"
It was so frustrating to fight with the AD team on getting the .PFX file with the password. I understand their security concerns, but without that we are pretty much helpless. John Vintzel ShakersMSFT, is there any better explanation I can come up with if our AD team asks why exactly we need the .PFX file instead of installing the certificate in the cert store and using that? Or if you could develop a Signtool GUI utility, that would be wonderful.
- Vanbogie1200, Apr 08, 2021, Copper Contributor
I was having the same issue and the note about using the sign tool from the windows kits folder worked. I'm guessing it is using the manifest and\or some dlls in that directory and that's why it can handle the msix format.
Anyway, Thanks!
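
The checks and the signing step described in this thread, collected into one PowerShell script as an added example (not code from any poster, DigiCert or Microsoft). It assumes a hypothetical package path and a certificate in the LocalMachine\My store, and it selects the certificate by thumbprint with `/sha1` rather than by the `/n` name match used in the post.

```powershell
# Added example, not from the thread. Run elevated: machine-store private keys
# are normally readable only by administrators.
# $MsixPath default is a hypothetical placeholder path.
param([string]$MsixPath = 'C:\Packages\File.msix')
$ErrorActionPreference = 'Stop'

# 1) Use the newest versioned x64 signtool.exe from the Windows 10 SDK
#    (the thread's fix was signing with the SDK copy of signtool).
$kitBin = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
$signtool = Get-ChildItem (Join-Path $kitBin '10.*\x64\signtool.exe') |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1
if (-not $signtool) { throw "No SDK signtool.exe found under $kitBin" }

# 2) Read Identity/@Publisher from AppxManifest.xml (an .msix is a ZIP container).
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($MsixPath)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw 'AppxManifest.xml not found in package' }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    $manifest = [xml]$reader.ReadToEnd()
    $reader.Dispose()
} finally { $zip.Dispose() }
$publisher = $manifest.Package.Identity.Publisher

# 3) Find a code-signing certificate in LocalMachine\My whose subject equals the
#    manifest publisher, is unexpired, and has its private key present.
#    Plain string comparison: formatting differences will show up as a mismatch.
$cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $publisher -and $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No usable code-signing cert in LocalMachine\My matches '$publisher'"
}

# 4) Sign with that exact certificate, then verify the signature.
& $signtool.FullName sign /v /sm /s My /sha1 $cert.Thumbprint /fd SHA256 `
    /t http://timestamp.digicert.com $MsixPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }
& $signtool.FullName verify /pa /v $MsixPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed ($LASTEXITCODE)" }
```

Each failure stops with a distinct message, which separates a wrong signtool copy, a publisher mismatch and a missing private key from one another before signtool itself is run.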