Forum Discussion
Signing MSIX packages with Azure Trusted Signing Accounts
- Feb 18, 2025
Have since identified that Trusted Signing Installer .msi doesn't install the correct configuration of dlib and compatible sign tool.
Installing the latest sign tool 10.0.26610.3328 and dlib 1.0.68.0 using nuget packages overcomes the issue.
Microsoft are updating documentation to reflect this, including ensuring that explicit paths to each component are set and calling signtool from the folder it resides in.
& .\signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "<Path to Trusted Signing dlib bin folder>\x64\Azure.CodeSigning.Dlib.dll" /dmdf "<Path to metadata file>\metadata.json" <File to sign>
I have matched the Publisher details exactly with the same result. I have also tried to create an unsigned package using the same OID detailed at https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package. And it doesn't help when then trying to sign the package using the signer role.
I can see that someone has previously managed to sign an MSIX using the trusted signing account but with different https://learn.microsoft.com/en-us/answers/questions/1665128/how-do-i-fix-azure-trusted-service-account-error-w?page=1&orderby=Helpful&comment=answer-1517331#newest-answer-comment faced, but those suggestions haven't resolved the issue.
- GrahamGB, Feb 08, 2025, Iron Contributor
I've had the same issue on both a VM Fusion Win10 VM and a Parallels Win11 VM, although I can successfully use a self-signed certificate and install the package, using the same subject name listed in the certificate profile.
- luchete, Feb 09, 2025, Iron Contributor
Great to hear that option worked for you. Would you mind leaving this thread marked as closed/resolved?
Regards!
- GrahamGB, Feb 10, 2025, Iron Contributor
Using a self-signed certificate is only useful for test purposes to ensure the MSIX file isn't corrupt or something. My issue is that the Trusted Signing Client Tools does not allow me to sign the MSIX file, which is the requirement I want to exploit for our use case in the future. It's something a support case will help with if anyone else hasn't overcome this issue.
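Added example, not part of any post in this thread: MSIX signing requires the manifest's Identity Publisher to match the subject of the signing certificate, so this PowerShell pre-flight check reads the Publisher out of the package and compares it character for character with the subject name from the certificate profile. The script name, parameter names and sample subject are assumptions made for illustration.

```powershell
# Added example (not from the thread). Usage with constructed values:
#   .\Test-MsixPublisher.ps1 -PackagePath .\App.msix `
#       -ExpectedSubject 'CN=Example Publisher, O=Example Publisher, C=GB'
param(
    [Parameter(Mandatory)] [string] $PackagePath,      # .msix file to inspect
    [Parameter(Mandatory)] [string] $ExpectedSubject   # subject name from the certificate profile
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

# An .msix is a ZIP archive; AppxManifest.xml sits at its root.
function Get-MsixPublisher {
    param([string] $Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $Path).Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if ($null -eq $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    }
    finally { $zip.Dispose() }
}

# Returns -1 when the strings are identical (ordinal, case-sensitive),
# otherwise the index of the first character that differs.
function Compare-SubjectString {
    param([string] $Actual, [string] $Expected)
    if ([string]::Equals($Actual, $Expected, [StringComparison]::Ordinal)) { return -1 }
    $len = [Math]::Min($Actual.Length, $Expected.Length)
    $i = 0
    while ($i -lt $len -and $Actual[$i] -ceq $Expected[$i]) { $i++ }
    return $i
}

$publisher = Get-MsixPublisher -Path $PackagePath
$diffAt = Compare-SubjectString -Actual $publisher -Expected $ExpectedSubject
if ($diffAt -lt 0) {
    Write-Host "Publisher matches: $publisher"
    exit 0
}
Write-Warning "Publisher differs from expected subject at character index $diffAt"
Write-Host "  manifest: $publisher"
Write-Host "  expected: $ExpectedSubject"
exit 1
```

A reported index points at the first mismatching character, which makes differences in spacing, casing or attribute order between the two strings easy to spot before running signtool.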