Forum Discussion

Mike_Yeager's avatar
Mike_Yeager
Copper Contributor
Oct 28, 2021

Windows Application Packaging Project - cannot select code signing certificate

Visual Studio 2019 16.11.5. WPF project .NET Framework 4.8. I can deploy via ClickOnce with a code signing certificate I purchased. When I add a Windows Application Packaging Project to my solution t...
Mike_Yeager's avatar
Mike_Yeager
Copper Contributor
Oct 29, 2021

Thanks TIMOTHY_MANGAN Is it just me or does anyone else think it's nuts that there are no specs for public signing certificates for MSIX and that the tooling give you no indication of what's wrong when it doesn't work.

itoinbgb's avatar
itoinbgb
Copper Contributor
Jan 27, 2022

Mike_Yeager Hello Mike, I was wondering if you found a solution? I am facing the same issue and even though I shared my screen with the support staff of ssl.com while going through each step, they claim that the certificates are ok. I am missing Basic Constraints as well.

 

  • Mike_Yeager's avatar
    Mike_Yeager
    Copper Contributor
    Jan 27, 2022

    itoinbgb Unfortunately no updates from Microsoft. It does work if you run the signing tools manually, but not through VS.

    • itoinbgb's avatar
      itoinbgb
      Copper Contributor
      Jan 28, 2022

      Mike_Yeager I am using signtool as a workaround for msix bundles (appinstaller format), like this:

       

       

      "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /tr http://ts.ssl.com /td sha256 /a /f "path_toCertificate\certificate.pfx" /p ******** "PathToPackage\Package.msixbundle"

       

       

      This works fine for msixbundle, and for individual msix packages, I am using MSIX Packaging Tool:

       

       

      I do hope this gets resolved eventually though, because this adds an additional step in the build process. Probably should buy another certificate from a CA that includes Basic Constraints.

    • TIMOTHY_MANGAN's avatar
      TIMOTHY_MANGAN
      MVP
      Jan 27, 2022
      I would suggest that you try manually signing the unsigned output package using the signtool utility. This should provide better information on the issue. It would also probably force you to understand the password protection as the cert file ***SHOULD*** be password protected and you'll need that password to sign.
      Also be careful to re-review whatever instructions you have on which store to put that cert and what folders (or whatever they are called) within the store. Sometimes I've had to use the system store and sometimes the user store. Sometimes the Trusted Roots folder, and sometimes Personal.
      • Mike_Yeager's avatar
        Mike_Yeager
        Copper Contributor
        Jan 27, 2022
        Hi @Timothy. We have established that we can manually sign using signtool. The issue is with Visual Studio. The Basic Constraints requirement is only from within Visual Studio. Last I heard the VS team was going to look into it.

Resources