Forum Discussion

TIMOTHY_MANGAN, Aug 03, 2018

MSIX Packaging Tool / signtool certificate issues

1) I have a valid (paid for) code signing certificate from a well known CA that has a password, so I can't use the in-tool signing (which is something you should support!).

The 17134 SDK is present. So I pulled the command out of the log file and modified it as follows (but with the proper password):

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\signtool.exe" sign /a /v /debug /fd SHA256 /f "C:\Users\Admin\Desktop\strongname.pfx" /p "xxxThePasswordxxx" "C:\Users\Admin\Desktop\TMEdit\Setup_TMEdit.msix"

This fails. The relevant output is:

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: TMurgent Technologies, LLP
    Issued by: COMODO RSA Code Signing CA
    Expires:   Mon Jun 21 19:59:59 2021
    SHA1 hash: A5CD580A89C438FB9B87753BB05F383560EB366F

The following additional certificates will be attached:
    Issued to: COMODO RSA Code Signing CA
    Issued by: COMODO RSA Certification Authority
    Expires:   Mon May 08 19:59:59 2028
    SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)

2) Reading up on this, we get to the cause of issue number 2: the name of the publisher in CN form in the manifest (input from the MSIX Manifest tool) must exactly match that of the certificate.

Inside the certificate, the publisher name is
          CN=TMurgent Technologies, LLP
which, unfortunately, is the legal name of the entity, so that isn't changing!

The MSIX Package Tool does not allow a comma in the input field.

  • Hi Timothy,

    Just to clarify, this is the structure of my PKI:

    CN=Johannes Freundorfer, OU=MyCustomOU, OU=MyOrg, DC=MyDomain, DC=dom


    Applied to your case: is "TMurgent Technologies, LLP" really your explicit Subject name (including the "," character)?

    My current best guess is that this can't match the schema.

  • Hi Tim,


    According to MSFT docs, comma (",") is a reserved character that must be escaped, as shown in their examples from the linked article.

    It seems that using "\," is still not considered correct by the GUI of the MSIX packaging tool, but it does not complain when using the hex value for comma, i.e. "CN=TMurgent Technologies \2C LLP".

    I don't have a test certificate at hand with a comma in the publisher name to fully test it, but according to their docs it should work.

      • TIMOTHY_MANGAN (MVP)

        Escaping in the dialog box as Bogdan suggested does indeed work.


        But the GUI of the tool should just accept the comma and escape it behind the scenes.

        In addition, when there is documentation on all of this, the documentation should be clear about what to include in this field. There will be confusion on whether OU= parts should be included. Just make it clear in the documentation, especially for people that don't deal in certificates regularly.
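The whole thread comes down to one check: the manifest Publisher string, once its RFC 4514 escapes are decoded, must name exactly the same distinguished name as the signing certificate's subject, and a comma inside a CN value has to be written as `\,` or `\2C` so it is not read as an RDN separator. The script below is an added example, not code from the MSIX Packaging Tool, signtool or any poster in this thread; the function names are hypothetical, the certificate subject is constructed inline as the already-parsed (type, value) pairs a certificate library would return, and it assumes the exact string-level match the first post describes. It builds the escaped Publisher string from the subject and flags the two ways the match fails: an unescaped comma (which splits the CN into two RDNs) and stray whitespace around the escape (which silently changes the CN value).

```python
"""Added example (not the MSIX Packaging Tool's or signtool's own code): build
the RFC 4514-escaped Publisher string for an MSIX manifest from a certificate
subject, and verify that a Publisher string decodes to exactly that subject.

Assumptions: exact string-level DN matching, as the thread states; the
certificate subject is supplied as already-parsed (type, value) pairs.
"""
import re

# RFC 4514: these characters must be escaped inside an attribute value.
# A leading space or '#', and a trailing space, must be escaped as well.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str, hex_form: bool = False) -> str:
    """Escape one RDN value. hex_form=True emits \\XX pairs (e.g. \\2C for a
    comma), the spelling the thread reports the Packaging Tool GUI accepts."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (ch in _SPECIAL
                        or (i == 0 and ch in " #")
                        or (i == last and ch == " "))
        if needs_escape:
            out.append(f"\\{ord(ch):02X}" if hex_form else "\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _unescape_token(match: re.Match) -> str:
    tok = match.group(1)
    return chr(int(tok, 16)) if len(tok) == 2 else tok


def unescape_rdn_value(value: str) -> str:
    """Reverse RFC 4514 escaping: \\XX hex pairs and backslash-char pairs."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", _unescape_token, value)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (TYPE, value) pairs, splitting only on commas
    that are not escaped. Multi-valued RDNs ('+') are not handled."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            # Keep the escape sequence intact; unescape_rdn_value decodes it.
            width = 3 if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]) else 2
            cur.append(dn[i:i + width])
            i += width
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        # Strip only leading whitespace: a trailing "\ " is a legitimate value.
        attr_type, _, raw_value = rdn.lstrip().partition("=")
        pairs.append((attr_type.strip().upper(), unescape_rdn_value(raw_value)))
    return pairs


def build_publisher(subject: list[tuple[str, str]], hex_form: bool = True) -> str:
    """Render parsed subject pairs as the Publisher string for the manifest."""
    return ",".join(f"{t}={escape_rdn_value(v, hex_form)}" for t, v in subject)


def publisher_matches_certificate(manifest_publisher: str,
                                  cert_subject: list[tuple[str, str]]) -> bool:
    """True when the manifest Publisher decodes to exactly the cert subject."""
    return parse_dn(manifest_publisher) == [(t.upper(), v) for t, v in cert_subject]


# Constructed sample: the subject from the thread, as a parsed certificate
# would present it (a single CN whose value itself contains a comma).
CERT_SUBJECT = [("CN", "TMurgent Technologies, LLP")]

if __name__ == "__main__":
    good = build_publisher(CERT_SUBJECT)  # CN=TMurgent Technologies\2C LLP
    print(good, publisher_matches_certificate(good, CERT_SUBJECT))
    # An unescaped comma splits the name into two RDNs and cannot match.
    print(publisher_matches_certificate("CN=TMurgent Technologies, LLP", CERT_SUBJECT))
    # A space inserted before the escape changes the CN value, so it also fails.
    print(publisher_matches_certificate("CN=TMurgent Technologies \\2C LLP", CERT_SUBJECT))
```

Running the module prints the escaped Publisher string followed by `True`, then `False` twice for the two malformed variants. The same `parse_dn` also handles a multi-RDN subject such as the `CN=..., OU=..., DC=...` structure quoted earlier in the thread, which is why the comparison is done on decoded (type, value) pairs rather than on the raw strings.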
