signtool cannot sign MSIX files from HSM certificate
I am unable to sign code from signtool.exe using a hardware key provider with this error:
.\signtool.exe sign /fd SHA256 /t http://timestamp.entrust.net/rfc3161ts2 "c:\code\notepad_x64.msix"
Done Adding Additional Store
SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: c:\code\notepad_x64.msix
Number of errors: 1
Why do MSIX files not sign?
- Bogdan Mitrache
Steel Contributor
Try using a newer version of SignTool. I vaguely remember a customer hitting the same problem last year because he was using an older version.
- leecroucher
Copper Contributor
Bogdan Mitrache - I am using the Windows 11 SDK, the latest version - Same error
- mridulgupta
Microsoft
When using SignTool to sign your app package or bundle, the hash algorithm used in SignTool must be the same algorithm you used to package your app. To find out which hash algorithm was used while packaging your app, extract the contents of the app package and inspect the AppxBlockMap.xml file.
- leecroucher
Copper Contributor
mridulgupta Checked that file and it's SHA256
HashMethod="http://www.w3.org/2001/04/xmlenc#sha256"
Exactly the same hash algorithm as the command used in Signtool so it's not that?
- mridulgupta
Microsoft
leecroucher Please check the version of the sign tool and whether the subject of the certificate matches the publisher in the manifest. If it doesn't match, use this script to sign the package.
- harshada2019
Microsoft
The error may also occur if the MSIX you are trying to package is corrupt. Can you please try with another MSIX package and see if it fails as well?
- leecroucher
Copper Contributor
This group is miles off.....
https://www.a6n.co.uk/2022/05/msix-update-signing-code-with-timestamp.html
You need the signtool from Windows 11 and the CN= of the package needs to match the CN= of the certificate
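
The checks suggested in the replies above (package readable, HashMethod in AppxBlockMap.xml versus the /fd value, Publisher in the manifest versus the certificate subject) can be run as a preflight before calling signtool. This is an added example, not code from the thread or from Microsoft; the function names, the sample package and the subject strings are constructed, and the certificate subject is assumed to be supplied by the caller.

```python
import io
import xml.etree.ElementTree as ET
import zipfile


def preflight(msix_bytes, fd_alg, cert_subject):
    """Return a list of problems found; an empty list means the checks pass."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(msix_bytes))
    except zipfile.BadZipFile:
        return ["not a readable ZIP container (package may be corrupt)"]
    with zf:
        missing = [n for n in ("AppxBlockMap.xml", "AppxManifest.xml")
                   if n not in zf.namelist()]
        if missing:
            return ["missing " + n for n in missing]
        blockmap = ET.fromstring(zf.read("AppxBlockMap.xml"))
        manifest = ET.fromstring(zf.read("AppxManifest.xml"))

    problems = []
    # HashMethod is a URI such as ...xmlenc#sha256; the fragment names the algorithm.
    pkg_alg = blockmap.get("HashMethod", "").rsplit("#", 1)[-1].upper()
    if pkg_alg != fd_alg.upper():
        problems.append(f"/fd {fd_alg} does not match HashMethod {pkg_alg}")

    # Match on the local tag name so the manifest's XML namespace does not matter.
    identity = next((e for e in manifest.iter()
                     if e.tag.rsplit("}", 1)[-1] == "Identity"), None)
    publisher = identity.get("Publisher", "") if identity is not None else ""
    # Assumption: exact string comparison against the subject the caller passes in.
    if publisher != cert_subject:
        problems.append(f"Publisher {publisher!r} != certificate subject {cert_subject!r}")
    return problems


def build_sample(hash_uri, publisher):
    """Constructed stand-in for an .msix: only the two files the checks read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxBlockMap.xml",
                    '<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap"'
                    f' HashMethod="{hash_uri}"/>')
        zf.writestr("AppxManifest.xml",
                    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
                    f'<Identity Name="Sample" Publisher="{publisher}" Version="1.0.0.0"/></Package>')
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample("http://www.w3.org/2001/04/xmlenc#sha256", "CN=Example Publisher")
    print(preflight(pkg, "SHA256", "CN=Example Publisher"))
    print(preflight(pkg, "SHA256", "CN=Other Signer"))
```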