Forum Discussion
MSIX Packaging Tool / signtool certificate issues
Thanks for the reply, Sahibi!
I understand that the publisher must match the subject. My question or I guess my issue is that I don't know how I should format the publisher in appxmanifest if there are special characters (comma in my case) in it. When I look at my signing cert subject I see this:
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC., CN=A Company, INC.
Notice that there are commas in O and CN values. How would you suggest I should format this in appxmanifest for the Publisher value?
Best,
Mo
Hi Mo_Velayati
If the certificate subject is
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC., CN=A Company, INC.
then this Publisher should work:
Publisher="SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, O=&quot;A Company, INC.&quot;, CN=&quot;A Company, INC.&quot;"
I just tested signing a package with that exact publisher and a self-signed certificate. Things to note:
- The order of the fields is the exact same (without CN at the start)
- ST becomes S
- The O and CN fields are quoted because they include commas
If that doesn't work, you can try using signtool.exe to find the error (even if you end up using AzureSignTool after figuring it out). There are two things that you can do with signtool for debugging:
- Add the /debug flag. That may help if the issue is with the certificate (e.g. not enabled for signing or expired).
- Set the APPXSIP_LOG environment variable to a value from 1 to 3 depending on how much logging you want. This would tell you if there is a mismatch between the publisher and the certificate subject, and what the correct value is. For example:
ERROR: [Appx::Packaging::SipFunctionHelper::VerifyManifestPublisherName] failed because signing certificate subject name (SERIALNUMBER=... <cert's subject>) does not match package manifest publisher (CN=... <package's publisher>)
You may be able to do something similar with AzureSignTool but I'm not familiar with it.
To do this you would need to have the certificate available on your machine, not in Azure Key Vault (only to debug). You can download your certificate or create a self-signed certificate with the same subject. See: Create a certificate for package signing - MSIX | Microsoft Docs.
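The three rules listed in the reply above (same field order, ST written as S, values containing commas quoted), as an added Python example that is not part of the original posts and is not code from signtool or the MSIX tooling. The function names, the field-splitting heuristic and the choice to XML-escape the inner quotes as &quot; are assumptions of this example; it applies only those three rules, and the sample subject is the one quoted in the thread.

```python
import re
from xml.sax.saxutils import escape

# Subject string as quoted in the thread (placeholder values from the posts).
SAMPLE_SUBJECT = ("SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, "
                  "STREET=Address more address, O=A Company, INC., CN=A Company, INC.")

# Rename named in the reply: the ST attribute is written as S.
RENAMES = {"ST": "S"}

# Heuristic (assumption): a new field starts at a comma that is followed by an
# attribute name and "=". The comma inside "A Company, INC." is not followed
# by NAME=, so it stays part of the value.
FIELD_BREAK = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


def split_subject(subject):
    """Split a displayed subject into (name, value) pairs, preserving order."""
    pairs = []
    for field in FIELD_BREAK.split(subject.strip()):
        name, _, value = field.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def publisher_from_subject(subject):
    """Build the Publisher value: same order, ST -> S, quote values with commas."""
    parts = []
    for name, value in split_subject(subject):
        name = RENAMES.get(name.upper(), name)
        if "," in value and not value.startswith('"'):
            value = '"' + value + '"'
        parts.append(f"{name}={value}")
    return ", ".join(parts)


def publisher_attribute(subject):
    """Render Publisher="..." for the manifest with XML-escaped inner quotes."""
    value = escape(publisher_from_subject(subject), {'"': "&quot;"})
    return f'Publisher="{value}"'


if __name__ == "__main__":
    print(publisher_attribute(SAMPLE_SUBJECT))
```

The APPXSIP_LOG output described in the reply remains the authoritative check: if signing still reports a mismatch, the logged certificate subject name is the string to compare against.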