Forum Discussion
Sign the MSIX using pfx certificate using the command line version of MSIX Packaging Tool
I can create a signed version of my app using the GUI version of the MSIX Packaging Tool. I can then use the template it outputs to create similar packages using the command line version. However, these packages are created unsigned. I am not using "SigningInformation" in the template XML as that one is for Device Guard signing only (according to https://docs.microsoft.com/en-us/windows/msix/packaging-tool/generate-template-file). I need a way to specify my pfx certificate, password and the timestamp server while using the CLI version, just like I can do it in the GUI. How do I do that?
Thanks.
4 Replies
ChaconMicrosoft
Hi ylexus,
The MSIX Packaging Tool does not support signing with .pfx certificates when using template files from the command line. You can use SignTool to sign your packages from the CLI: Sign an app package using SignTool - MSIX | Microsoft Docs
Chacon thanks. It looks like it's a hacky business, but eventually it worked.
I installed latest Windows SDK 10 but was getting the error below. Googling proved that's because the MSIX packing tool version was not compatible with signtool version. MSIX packaging tool has its own signtool.exe located in C:\Program Files\WindowsApps\Microsoft.MsixPackagingTool_1.2020.709.0_x64__8wekyb3d8bbwe\SDK, but it had very strict permissions and I had to take ownership and add myself execute permissions on everything under that directory. After that it worked.
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /sha1 xxx /tr http://timestamp.comodoca.com file.msix Done Adding Additional Store SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)ylexus For anyone revisiting this topic in future, you can also use my freeware tool to do exactly what is needed, as documented here: https://msixhero.net/documentation/command-line-interface-cli-reference/sign-msix-package-sign/. Additional benefit is the automatic adjustment of the manifest file, so that the subject and the publisher name match.
