Forum Discussion
Signing MSIX packages with Azure Trusted Signing Accounts
- Feb 18, 2025
Have since identified that Trusted Signing Installer .msi doesn't install the correct configuration of dlib and compatible sign tool.
Installing the latest sign tool 10.0.26610.3328 and dlib 1.0.68.0 using nuget packages overcomes the issue.
Microsoft are updating documentation to reflect this, including ensuring that explicit paths to each component are set and calling signtool from the folder it resides in.
& .\signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "<Path to Trusted Signing dlib bin folder>\x64\Azure.CodeSigning.Dlib.dll" /dmdf "<Path to metadata file>\metadata.json" <File to sign>
I have matched the Publisher details exactly with the same result. I have also tried to create an unsigned package using the same OID detailed at https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package. And it doesn't help when then trying to sign the package using the signer role.
I can see that someone has previously managed to sign an MSIX using the trusted signing account but with different https://learn.microsoft.com/en-us/answers/questions/1665128/how-do-i-fix-azure-trusted-service-account-error-w?page=1&orderby=Helpful&comment=answer-1517331#newest-answer-comment faced, but those suggestions haven't resolved the issue.
- luchete, Feb 07, 2025, Iron Contributor
- GrahamGB, Feb 08, 2025, Iron Contributor
I've had the same issue on both a VM Fusion Win10 VM and a Parallels Win11 VM, although I can successfully use a self-signed certificate and install the package, using the same subject name listed in the certificate profile.
- luchete, Feb 03, 2025, Iron Contributor
Since you've matched the publisher details and even tried creating an unsigned package with the same OID, I’d suggest checking if there’s any specific configuration in the Azure environment or the tool you're using that might be interfering. Also, double-check that the Trusted Signing Certificate Profile Signer role has the correct permissions. If someone else successfully signed an MSIX package with a different issue, it might be worth revisiting their specific setup or configurations, as small differences can lead to different results. If possible, try signing a simple test MSIX package and see if that behaves differently, to rule out any package-specific issues.
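
A pre-flight check for the inputs discussed in this thread, added here as a Python example (not code from any poster or from Microsoft): it reads the Publisher from the package's AppxManifest.xml, compares it as an exact string to the certificate profile subject, and checks that metadata.json carries its account fields. The metadata key names are taken from Microsoft's Trusted Signing documentation rather than from this thread, and the Contoso package, subject and endpoint values are constructed samples.

```python
import json
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
# Key names assumed from Microsoft's Trusted Signing documentation, not from the thread.
REQUIRED_KEYS = ("Endpoint", "CodeSigningAccountName", "CertificateProfileName")

def manifest_publisher(msix_path):
    """Read Identity/@Publisher from AppxManifest.xml inside the package (a ZIP)."""
    with zipfile.ZipFile(msix_path) as pkg:
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    identity = root.find("m:Identity", NS)
    if identity is None or "Publisher" not in identity.attrib:
        raise ValueError("AppxManifest.xml has no Identity/@Publisher")
    return identity.attrib["Publisher"]

def preflight(msix_path, metadata_path, profile_subject):
    """Return a list of problems; an empty list means the inputs are consistent."""
    with open(metadata_path, encoding="utf-8-sig") as fh:  # tolerate a BOM
        metadata = json.load(fh)
    problems = [f"metadata.json: missing or empty {k}"
                for k in REQUIRED_KEYS if not str(metadata.get(k) or "").strip()]
    publisher = manifest_publisher(msix_path)
    if publisher != profile_subject:  # exact string comparison, no normalisation
        problems.append(f"Publisher {publisher!r} != profile subject {profile_subject!r}")
    return problems

def demo():
    """Run preflight on a constructed package and metadata file (sample values only)."""
    subject = "CN=Contoso Ltd, O=Contoso Ltd, L=London, C=GB"
    manifest = (f'<Package xmlns="{NS["m"]}"><Identity Name="Contoso.Sample" '
                f'Publisher="{subject}" Version="1.0.0.0"/></Package>')
    with tempfile.TemporaryDirectory() as tmp:
        msix = os.path.join(tmp, "sample.msix")
        meta = os.path.join(tmp, "metadata.json")
        with zipfile.ZipFile(msix, "w") as pkg:
            pkg.writestr("AppxManifest.xml", manifest)
        with open(meta, "w", encoding="utf-8") as fh:  # profile name left out on purpose
            json.dump({"Endpoint": "https://example.invalid/",
                       "CodeSigningAccountName": "sample-account"}, fh)
        ok = preflight(msix, meta, subject)
        bad = preflight(msix, meta, "CN=Contoso Ltd,O=Contoso Ltd,L=London,C=GB")
    return ok, bad

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it against the real package, metadata.json and the subject name shown on the certificate profile before invoking signtool; an empty list from `preflight` means neither input is the cause.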