MSIX Packaging Tool / signtool certificate issues
Hi Sahibi,
My cert is on Azure Key Vault and I'm trying to sign directly from the key vault instead of downloading or importing the certificate. That's why I'm using AzureSignTool.
I tried the PowerShell scripts you mentioned and all I get is a simple string for the subject name. It doesn't include any of the OIDs, meaning it's not in the correct format. So if the publisher for my cert is:
Publisher="O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, CN=A Company, INC."
it would print: A Company, INC.
I am mostly interested to know what I should choose as my Publisher Identity in Packager.appxmanifest so it exactly matches the subject of the certificate. So far I have tried almost every possible way of formatting but still no luck.
In the link you posted here I saw that if there are special characters such as a comma in the subject, they have to be inside double quotes. I have tried that as well but I still get the same error saying that it doesn't match the subject.
Any thoughts?
Mo_Velayati
The subject string in a cert must exactly match the string in the appxmanifest file. There is no workaround for this restriction.
You could either update the appxmanifest Publisher field, for example,
- vmaravind07, Aug 19, 2024, Copper Contributor
I signed my code. This is what I did for my package manifest file. So the subject name of the certificate is like this:
CN=ABCD, INC. , O=ABCD, INC., L=Kerrville, ST=Texas, C=US
In Package.manifest file I added like this: Publisher="CN="ABCD, INC.", O="ABCD, INC.", L=Kerrville, S=Texas, C=US"
I wrapped the attributes having a comma in quotes and escaped them. I also changed ST to S in the package.manifest file. This worked.
- vmaravind07, Aug 13, 2024, Copper Contributor
TIMOTHY_MANGAN, I tried building the application by omitting O and CN, and then I also got an error. It seems ST='Texas' caused it. ST is not supported.
Reason: 'C=US, ST=Texas, L=Kerrville' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'. The attribute 'Publisher' with value 'C=US, ST=Texas, L=Kerrville' failed to parse.
When I got the certificate from DigiCert, it was like this
- Aug 13, 2024
I no longer have the comma in the company name, but I remember that when I did, I solved it using an alternate form for the comma. Perhaps Bogdan Mitrache remembers what it was since he told me.
- vmaravind07, Aug 13, 2024, Copper Contributor
Has anyone found a solution to this? I get the same error when I try to build a React Native Windows app. My certificate also contains special characters like this: O=A Company, INC., CN=A Company, INC.
- Chacon, Feb 25, 2021, Microsoft
Hi Mo_Velayati
If the certificate subject is
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC., CN=A Company, INC.
then this Publisher should work:
Publisher="SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, O="A Company, INC.", CN="A Company, INC.""
I just tested signing a package with that exact publisher and a self signed certificate. Things to note:
- The order of the fields is the exact same (without CN at the start)
- ST becomes S
- The O and CN fields are quoted because they include commas
If that doesn't work, you can try using signtool.exe for finding the error (even if you end up using AzureSignTool after figuring it out). There are two things that you can do with signtool for debugging:
- Add the /debug flag. That may help if the issue is with the certificate (e.g. not enabled for signing or expired).
- Set the APPXSIP_LOG environment variable to a value from 1 to 3 depending on how much logging you want. This would tell you if there is a mismatch between the publisher and the certificate subject, and what is the correct value. For example:
ERROR: [Appx::Packaging::SipFunctionHelper::VerifyManifestPublisherName] failed because signing certificate subject name (SERIALNUMBER=... <cert's subject>) does not match package manifest publisher (CN=... <package's publisher>)
You may be able to do something similar with AzureSignTool but I'm not familiar with it.
To do this you would need to have the certificate available in your machine, not in Azure Key Vault (only to debug). You can download your certificate or create a self signed certificate with the same subject. See: Create a certificate for package signing - MSIX | Microsoft Docs.
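The three rules in the reply above (same field order, ST becomes S, quote values that contain commas), checked against the Publisher pattern quoted in the build error elsewhere in this thread, as an added example that is not part of any original post. The function names are hypothetical, Python's `re.fullmatch` stands in for the manifest schema validator, and the `&quot;` step is the standard XML rule for a double quote inside a double-quoted attribute.

```python
import re
from xml.sax.saxutils import escape

# Attribute names and value grammar copied from the pattern in the build error.
_KEY = (r'(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|'
        r'POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))')
_VAL = r'(([^,+="<>#;])+|".*")'
PUBLISHER_RE = re.compile(f'{_KEY}={_VAL}(, ({_KEY}={_VAL}))*')

# Characters the pattern forbids in an unquoted value (the double quote is
# handled separately below). The thread only mentions commas; the rest are
# read off the pattern's character class.
NEEDS_QUOTES = set(',+=<>#;')


def manifest_publisher(rdns):
    """Build the Publisher value from (attribute, value) pairs given in the
    same order the certificate subject lists them."""
    parts = []
    for attr, value in rdns:
        if attr == "ST":              # the manifest pattern accepts S, not ST
            attr = "S"
        if '"' in value:              # assumption: not covered by this example
            raise ValueError("embedded double quotes are not handled here")
        if any(ch in NEEDS_QUOTES for ch in value):
            value = f'"{value}"'
        parts.append(f"{attr}={value}")
    publisher = ", ".join(parts)
    if not PUBLISHER_RE.fullmatch(publisher):
        raise ValueError(f"violates Publisher pattern: {publisher}")
    return publisher


def as_xml_attribute(publisher):
    """Render the value as it must appear inside the manifest XML."""
    return 'Publisher="' + escape(publisher, {'"': "&quot;"}) + '"'


# Subject fields as posted in the thread (already placeholder values there).
SUBJECT = [("SERIALNUMBER", "123456-78"), ("C", "US"), ("ST", "STATE"),
           ("L", "CITY"), ("STREET", "Address more address"),
           ("O", "A Company, INC."), ("CN", "A Company, INC.")]

if __name__ == "__main__":
    print(as_xml_attribute(manifest_publisher(SUBJECT)))
```

The subject is passed as pairs rather than one string because the unquoted form shown by certificate viewers cannot be split on commas reliably.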
- Mo_Velayati, Feb 24, 2021, Copper Contributor
Thanks for reply, Sahibi!
I understand that the publisher must match the subject. My question or I guess my issue is that I don't know how I should format the publisher in appxmanifest if there are special characters (comma in my case) in it. When I look at my signing cert subject I see this:
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC., CN=A Company, INC.
Notice that there are commas in O and CN values. How would you suggest I should format this in appxmanifest for the Publisher value?
Best,
Mo