Signing MSIX packages with Azure Trusted Signing Accounts
I have a requirement to sign an MSIX package without access to a code signing certificate.
I have successfully signed a PowerShell script using the Azure Trusted Signing Account: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations. However, when trying to sign either an exe or MSIX, I receive the signtool error:
This file format cannot be signed because it is not recognized.
Whereas the signtool documentation clearly states that .appx / .msix packages can be signed with this crypto tooling. There is no additional information in the AppX event viewer operational or debug areas that I can see.
I have ensured that the publisher details match that of the certificate profile listed under the Trusted Signing Account resource in the Microsoft Packaging Tool, albeit I set an application-specific publisher display name instead.
Has anyone had any success using this process?
11 Replies
- GrahamGB (Iron Contributor)
Have since identified that Trusted Signing Installer .msi doesn't install the correct configuration of dlib and compatible sign tool.
Installing the latest sign tool 10.0.26610.3328 and dlib 1.0.68.0 using nuget packages overcomes the issue.
Microsoft are updating documentation to reflect this, including ensuring that explicit paths to each component are set and calling signtool from the folder it resides in.
& .\signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "<Path to Trusted Signing dlib bin folder>\x64\Azure.CodeSigning.Dlib.dll" /dmdf "<Path to metadata file>\metadata.json" <File to sign>
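A preflight wrapper around the signing command in the answer above, as an added example that is not part of the original post or of Microsoft's tooling: it prints the file versions of signtool.exe and the dlib, checks metadata.json and the package's manifest publisher, then calls signtool from its own folder with absolute paths. The script parameters are hypothetical names, and the three metadata.json keys are assumed to be the ones the Trusted Signing integration documentation describes.

```powershell
# Added example, not from the thread. Save as a .ps1 file; every parameter value is the caller's own.
param(
    [Parameter(Mandatory)] [string] $SignToolDir,       # folder that holds signtool.exe
    [Parameter(Mandatory)] [string] $DlibPath,          # ...\x64\Azure.CodeSigning.Dlib.dll
    [Parameter(Mandatory)] [string] $MetadataPath,      # metadata.json passed to /dmdf
    [Parameter(Mandatory)] [string] $PackagePath,       # the .msix to sign
    [Parameter(Mandatory)] [string] $ExpectedPublisher  # subject name from the certificate profile
)
$ErrorActionPreference = 'Stop'

# Resolve to absolute paths so nothing depends on the caller's working directory.
# Resolve-Path throws if a path does not exist.
$SignToolDir  = (Resolve-Path -LiteralPath $SignToolDir).Path
$DlibPath     = (Resolve-Path -LiteralPath $DlibPath).Path
$MetadataPath = (Resolve-Path -LiteralPath $MetadataPath).Path
$PackagePath  = (Resolve-Path -LiteralPath $PackagePath).Path
$signTool     = (Resolve-Path -LiteralPath (Join-Path $SignToolDir 'signtool.exe')).Path

# Print the versions actually on disk, to compare with the ones reported in the thread.
foreach ($file in $signTool, $DlibPath) {
    $v = (Get-Item -LiteralPath $file).VersionInfo
    Write-Host ('{0}: file version {1}.{2}.{3}.{4}' -f (Split-Path $file -Leaf),
        $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

# metadata.json must name the endpoint, the account and the certificate profile (assumed keys).
$meta = Get-Content -LiteralPath $MetadataPath -Raw | ConvertFrom-Json
foreach ($key in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if ([string]::IsNullOrWhiteSpace($meta.$key)) { throw "metadata.json has no value for '$key'" }
}

# An .msix is a ZIP archive; read Identity/@Publisher from AppxManifest.xml and compare exactly.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if ($null -eq $entry) { throw 'AppxManifest.xml not found; is this a single .msix package?' }
    $reader = [System.IO.StreamReader]::new($entry.Open())
    try { [xml] $manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
} finally { $zip.Dispose() }
$publisher = $manifest.Package.Identity.Publisher
if ($publisher -cne $ExpectedPublisher) { throw "Manifest publisher '$publisher' differs from '$ExpectedPublisher'" }

# Call signtool from the folder it resides in, as the answer above describes.
Push-Location -LiteralPath $SignToolDir
try {
    & .\signtool.exe sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib $DlibPath /dmdf $MetadataPath $PackagePath
    if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }
} finally { Pop-Location }
```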
- luchete (Iron Contributor)
Cool, I'm glad you've found a solution. This post will be useful for those in the same situation. Thanks for sharing!
- GrahamGB (Iron Contributor)
I have matched the Publisher details exactly with the same result. I have also tried to create an unsigned package using the same OID detailed at https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package. And it doesn't help when then trying to sign the package using the signer role.
I can see that someone has previously managed to sign an MSIX using the trusted signing account but with different issues (https://learn.microsoft.com/en-us/answers/questions/1665128/how-do-i-fix-azure-trusted-service-account-error-w?page=1&orderby=Helpful&comment=answer-1517331#newest-answer-comment) faced, but those suggestions haven't resolved the issue.
- luchete (Iron Contributor)
- GrahamGB (Iron Contributor)
I've had the same issue on both a VM Fusion Win10 VM and a Parallels Win11 VM, although I can successfully use a self-signed certificate and install the package, using the same subject name listed in the certificate profile.
- luchete (Iron Contributor)
Since you've matched the publisher details and even tried creating an unsigned package with the same OID, I’d suggest checking if there’s any specific configuration in the Azure environment or the tool you're using that might be interfering. Also, double-check that the Trusted Signing Certificate Profile Signer role has the correct permissions. If someone else successfully signed an MSIX package with a different issue, it might be worth revisiting their specific setup or configurations, as small differences can lead to different results. If possible, try signing a simple test MSIX package and see if that behaves differently, to rule out any package-specific issues.
- luchete (Iron Contributor)
Hi GrahamGB
You're hitting a format issue when trying to sign MSIX packages. Even though MSIX packages should be supported by Azure Trusted Signing Accounts, it’s possible the issue is related to the publisher details or the way the signing process is being triggered. You mentioned that you've matched the publisher details, but if you're using a specific publisher display name in the app, that might be causing a mismatch. Make sure that the publisher details in your MSIX package exactly match the trusted signing profile. Another option is that you can try using the Microsoft Packaging Tool to repackage the MSIX, ensuring that the publisher is set correctly throughout.
Hope it helps!