Nov 19 2020 08:32 AM
I am trying to use the 10.0.19041.0 makeappx.exe using a certificate I cannot change. The issue is that the publisher subject line contains ST=Oregon instead of S=Oregon and I get the following error:
MakeAppx : error: Error info: error C00CE169: App manifest validation error: The app manifest must be valid as per schema: Line 6, Column 45, Reason: 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.
The attribute 'Publisher' with value 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' failed to parse.
If I set S=Oregon it packages fine. However, it then cannot be signed because the subject line in the certificate has ST=Oregon and it doesn't match. Is there a way to get around this other than getting a new certificate created?
thanks
Nov 24 2020 02:27 PM
Hi @dmondou
Can you try passing in the /nv flag to MakeAppx when packaging? This should skip semantic validation. You'll have to verify that your package installs successfully after it's created.
Cheers,
Tanaka
Nov 25 2020 08:08 AM
Hello @Tanaka_Jimha ,
With the /nv flag it does try to package up the files but then throws the following error:
MakeAppx : error: Error info: error C00CE169: App manifest validation error: The app manifest must be valid as per schema: Line 6, Column 45, Reason: 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.
The attribute 'Publisher' with value 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' failed to parse.
Without the /nv flag it doesn't try to package anything; it just throws the error right away.
Thanks,
David
Nov 26 2020 04:37 AM - edited Nov 26 2020 04:38 AM
@dmondou This seems to be a possible bug in regexp validation of makeappx.exe. According to RFC 4519, ST should be a valid token (RFC 4519 - Lightweight Directory Access Protocol (LDAP): Schema for User Applications (ietf.org)).
Now while this does not help with the original problem, here is a weird thing.
I tried to test it myself, and tried to first create a test code signing certificate using your subject name. Invoking the following two commands:
$certificate = New-SelfSignedCertificate -Type Custom -KeyUsage DigitalSignature -Subject "C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc" -FriendlyName "AcmeTest" -CertStoreLocation 'Cert:\CurrentUser\my';
(Get-ChildItem -path "Cert:\CurrentUser\my" | ? { $_.Subject.IndexOf("Oregon") -ne -1 }).Subject
Seems to output:
C=US, S=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc
The same if you use makecert.exe, ST gets somehow replaced with S. No idea why, but seems to partially explain the choice of the regexp used by makeappx.exe.
Dec 04 2020 08:05 AM
Hello @Tanaka_Jimha,
Is there an update on this issue? It is a blocker for us in trying to deploy our app.
Thanks,
David
Dec 07 2020 08:06 PM
Hi @dmondou
Did you confirm that signing fails when you set S=Oregon in the manifest? I chatted with the team and they said the validation uses this CertNameToStr function (CertNameToStrA function (wincrypt.h) - Win32 apps | Microsoft Docs) and it says:
"The string representation follows the distinguished name specifications in RFC 1779 except for the deviations described in the following list:
Unfortunately it looks like ST=Oregon will not work, and you'll need a subject name with S=Oregon.
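The pattern quoted in the MakeAppx error above can be checked before packaging. The following is an added example, not part of the thread and not MakeAppx's own code: it rebuilds that pattern in Python and reports which component of a Publisher string it rejects. The function names are hypothetical and the third sample string is constructed.

```python
import re

# Attribute keys and value grammar copied from the pattern quoted in the
# MakeAppx error message in this thread.
KEYS = (r"CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|"
        r"PostalCode|POBox|Phone|X21Address|dnQualifier|"
        r"(?:OID\.(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+)")
VALUE = r'(?:[^,+="<>#;]+|".*")'
RDN = rf"(?:{KEYS})={VALUE}"
# Schema patterns must match the whole value, hence fullmatch() below.
PUBLISHER = re.compile(rf"{RDN}(?:, {RDN})*")


def split_rdns(publisher):
    """Split a Publisher string on ', ' separators outside double quotes."""
    parts, start, quoted = [], 0, False
    for i, ch in enumerate(publisher):
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted and publisher[i + 1:i + 2] == " ":
            parts.append(publisher[start:i])
            start = i + 2
    parts.append(publisher[start:])
    return parts


def rejected_rdns(publisher):
    """Return the components the pattern rejects; [] means the string passes."""
    if PUBLISHER.fullmatch(publisher):
        return []
    bad = [p for p in split_rdns(publisher) if not re.fullmatch(RDN, p)]
    # If every component is fine on its own, the separators are the problem.
    return bad or [publisher]


if __name__ == "__main__":
    samples = [
        "C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc",  # from the thread
        "C=US, S=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc",   # from the thread
        'CN="Acme, Inc", OID.1.2.3=x',                           # constructed
    ]
    for s in samples:
        bad = rejected_rdns(s)
        print("OK    " if not bad else "REJECT", s, bad)
```

This only reproduces the schema check; whether the resulting package can be signed still depends on the manifest Publisher matching the certificate subject, as discussed in the thread.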
Dec 09 2020 09:23 AM
Hi @Tanaka_Jimha ,
Using S=Oregon does work, however our certificate is through Digicert and we discussed with them about issuing a cert with S=Oregon and they won't do it. Any chance of getting ST=Oregon changed in MSIX?
Thanks,
David
Dec 15 2020 05:15 PM
Hi @dmondou ,
Did signing fail with ST=Oregon?
I've added this request to our backlog, so that using ST=Oregon would be supported by default. I'm sorry it doesn't work currently and it's causing issues for you.
Thanks,
Tanaka
Dec 17 2020 09:25 AM