Forum Discussion
MSIX Packaging Tool / signtool certificate issues
Mo_Velayati I am not signing via Azure. Ultimately they must use a version of signtool, and I suppose it is possible that this might not be the latest.
Your #2 image looks correct to me for the Publisher field. Assuming you have access to the files from the CI/CD process, a way to troubleshoot may be to take your unsigned package to a Windows VM and manually sign it via the latest signtool and your cert.
Outside of that you'll need Microsoft help. Maybe tagging jvintzel will get him to forward the thread to someone that can help.
TIMOTHY_MANGAN
The publisher string entered by you needs to match exactly the string extracted from the cert. This Windows API function documentation lists some of the recommendations in the Remarks section https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks
To extract the right publisher from your cert subject, you could use the MSIX Packaging Tool's editor to sign a package and see what it puts in the manifest.
Or you could use the following C# code or Powershell commands:
// C# (requires: using System.Security.Cryptography.X509Certificates;)
// certificatePath and certificatePassword are the path to your .pfx and its password.
X509Certificate cert = new X509Certificate();
cert.Import(certificatePath, certificatePassword, X509KeyStorageFlags.DefaultKeySet);
string publisher = cert.Subject; // the subject string the Publisher field must match
# PowerShell: load the .pfx and print its subject
(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList cert.pfx).Subject
Replace cert.pfx with your cert name. If it is password protected, use cert.pfx,password.
Let us know if this helps.
- vmaravind07, Aug 19, 2024, Copper Contributor
I signed my code. This is what I did for my package manifest file. So the subject name of the certificate is like this:
CN=ABCD, INC. , O=ABCD, INC., L=Kerrville, ST=Texas, C=US
In the Package.manifest file I added it like this: Publisher="CN="ABCD, INC.", O="ABCD, INC.", L=Kerrville, S=Texas, C=US"
I wrapped the attributes having a comma in quotes and escaped them. I also changed ST to S in the package.manifest file. This worked.
- vmaravind07, Aug 13, 2024, Copper Contributor
TIMOTHY_MANGAN, I tried building the application by omitting O and CN, and then I also got an error. It seems ST='Texas' caused it. ST is not supported.
Reason: 'C=US, ST=Texas, L=Kerrville' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'. The attribute 'Publisher' with value 'C=US, ST=Texas, L=Kerrville' failed to parse. When I got the certificate from Digicert, it was like this
- Aug 13, 2024
I no longer have the comma in the company name, but I remember that when I did, I solved it using an alternate form for the comma. Perhaps Bogdan Mitrache remembers what it was since he told me.
- vmaravind07, Aug 13, 2024, Copper Contributor
Has anyone found a solution to this? I get the same error when I try to build a React Native Windows app. My certificate also contains special characters like this: O=A Company, INC., CN=A Company, INC.
- Chacon, Feb 25, 2021, Microsoft
Hi Mo_Velayati
If the certificate subject is
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC., CN=A Company, INC. then this Publisher should work:
Publisher="SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, O="A Company, INC.", CN="A Company, INC.""
I just tested signing a package with that exact publisher and a self signed certificate. Things to note:
- The order of the fields is the exact same (without CN at the start)
- ST becomes S
- The O and CN fields are quoted because they include commas
If that doesn't work, you can try using signtool.exe for finding the error (even if you end up using AzureSignTool after figuring it out). There are two things that you can do with signtool for debugging:
- Add the /debug flag. That may help if the issue is with the certificate (e.g. not enabled for signing or expired).
- Set the APPXSIP_LOG environment variable to a value from 1 to 3 depending on how much logging you want. This would tell you if there is a mismatch between the publisher and the certificate subject, and what the correct value is. For example
ERROR: [Appx::Packaging::SipFunctionHelper::VerifyManifestPublisherName] failed because signing certificate subject name (SERIALNUMBER=... <cert's subject>) does not match package manifest publisher (CN=... <package's publisher>)
You may be able to do something similar with AzureSignTool but I'm not familiar with it.
To do this you would need to have the certificate available on your machine, not in Azure Key Vault (only to debug). You can download your certificate or create a self-signed certificate with the same subject. See: Create a certificate for package signing - MSIX | Microsoft Docs.
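The quoting rules in the reply above (keep the subject's field order, rename ST to S, wrap values containing commas in double quotes) and the schema pattern quoted in vmaravind07's error message can be checked mechanically. The following is an added example, not code from anyone in this thread or from Microsoft: it builds a Publisher string from the subject components (supplied here as a constructed ordered list, as a certificate API would return them, rather than parsed from the ambiguous unquoted text), validates it against the pattern from the error message, and shows how the inner quotes must be escaped when the value is written into the XML manifest attribute.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Pattern constraint copied from the packaging error message in this thread:
# each RDN is KEY=VALUE, where VALUE is either a run of characters containing
# none of , + = " < > # ; or a double-quoted string; RDNs are joined by ", ".
_KEY = (r"(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode"
        r"|POBox|Phone|X21Address|dnQualifier"
        r"|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))")
_VALUE = r'(([^,+="<>#;])+|".*")'
PUBLISHER_PATTERN = re.compile(rf"{_KEY}={_VALUE}(, {_KEY}={_VALUE})*")

# Subject attribute names that the manifest schema spells differently.
_KEY_MAP = {"ST": "S"}

# Characters the pattern does not allow inside an unquoted value.
_NEEDS_QUOTES = set(',+="<>#;')

_QUOTE_ENTITY = {'"': "&quot;"}


def build_publisher(rdns):
    """Turn an ordered list of (type, value) subject components into the
    Publisher string: same order as the certificate subject, ST renamed to S,
    values containing reserved characters wrapped in double quotes. The pattern
    has no escape for a quote inside a quoted value, so such a value is
    rejected rather than silently mangled."""
    parts = []
    for key, value in rdns:
        key = _KEY_MAP.get(key, key)
        if '"' in value:
            raise ValueError(f"cannot represent a double quote inside {key}={value!r}")
        if _NEEDS_QUOTES & set(value):
            value = f'"{value}"'
        parts.append(f"{key}={value}")
    return ", ".join(parts)


def is_valid_publisher(publisher):
    """Check a Publisher string against the schema's pattern constraint."""
    return PUBLISHER_PATTERN.fullmatch(publisher) is not None


def publisher_attribute(publisher):
    """Render the value as the XML attribute Publisher="..." with the inner
    double quotes escaped, so the manifest stays well-formed XML."""
    return f'Publisher="{escape(publisher, _QUOTE_ENTITY)}"'


def read_back_publisher(attribute):
    """Parse the rendered attribute as XML and return the value the packaging
    tool would see (the &quot; entities come back as plain quotes)."""
    return ET.fromstring(f"<Identity {attribute}/>").attrib["Publisher"]


# Constructed sample: the subject discussed in this thread, as ordered
# components (hypothetically obtained from X509Certificate2.SubjectName).
SAMPLE_SUBJECT = [
    ("SERIALNUMBER", "123456-78"),
    ("C", "US"),
    ("ST", "STATE"),
    ("L", "CITY"),
    ("STREET", "Address more address"),
    ("O", "A Company, INC."),
    ("CN", "A Company, INC."),
]

if __name__ == "__main__":
    publisher = build_publisher(SAMPLE_SUBJECT)
    print(publisher)
    print("valid:", is_valid_publisher(publisher))
    # The naive join (unquoted commas, ST kept) fails the schema pattern.
    naive = ", ".join(f"{k}={v}" for k, v in SAMPLE_SUBJECT)
    print("naive valid:", is_valid_publisher(naive))
    attr = publisher_attribute(publisher)
    print(attr)
    print("round trip ok:", read_back_publisher(attr) == publisher)
```

The validator is only a syntax check: it tells you whether the packaging tool will parse the string, not whether it equals the certificate subject, which is what the signing step compares (APPXSIP_LOG, as described above, reports that comparison).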
Thanks for reply, Sahibi!
I understand that the publisher must match the subject. My question or I guess my issue is that I don't know how I should format the publisher in appxmanifest if there are special characters (comma in my case) in it. When I look at my signing cert subject I see this:
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC., CN=A Company, INC.
Notice that there are commas in O and CN values. How would you suggest I should format this in appxmanifest for the Publisher value?
Best,
Mo
- SahibiMiranshah, Feb 24, 2021, Microsoft
Mo_Velayati
The subject string in a cert must exactly match the string in the appxmanifest file. There is no workaround for this restriction.
You could either update the appxmanifest Publisher field, for example, Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
or acquire a new cert to match the Publisher in the appxmanifest file if you cannot change the appxmanifest.
- Mo_Velayati, Feb 23, 2021, Copper Contributor
Hi Sahibi,
My cert is on Azure Key Vault and I'm trying to sign directly from the key vault instead of downloading or importing the certificate. That's why I use AzureSignTool.
I tried the powershell scripts you mentioned and all I get is a simple string for the subject name. It doesn't include any of the OIDs meaning it's not in the correct format. So if the publisher for my cert is :
Publisher="O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, CN=A Company, INC." it would print: A Company, INC.
I am mostly interested to know what I should choose as my Publisher Identity in Packager.appxmanifest so it exactly matches the subject of the certificate. So far I have tried almost every possible way of formatting it but still no luck.
In the link you posted here I saw that if there are special characters such as a comma in the subject, they have to be inside double quotes. I have tried that as well but I still get the same error saying that it doesn't match the subject.
Any thoughts?