Can MSIX packages be signed via PS cmdlet 'Set-AuthenticodeSignature'


Our older code signing cert is about to expire so we're attempting to move the process to lean on our newer code signing process where the cert never leaves a particular server. This process at its root relies on the PowerShell cmdlet 'Set-AuthenticodeSignature'.

Attempting to sign MSIX builds with the same parameters we use for scripts and exes appears not to be working. I have verified the Certificate Subject matches the MSIX's publisher entry in the manifest file. The error returned is vague, so I'm not sure if the MSIX format is supported or if there's something else wrong here.

To clarify, we're not using the MSIX repackaging tool or any third-party repackaging tool to sign the files.
Some basics behind the commands we're using:

$MSIxToSign = "$PSScriptRoot\Application.msix"
$CSCert = Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue -CodeSigningCert | Where-Object Thumbprint -eq 'OurThumbPrint' | Select-Object -First 1

$SignatureParams = @{
    Certificate=$CSCert
    IncludeChain='notroot'
    TimestampServer='http://timestamp.digicert.com'
    Force=$true
}

try {
    $result = Set-AuthenticodeSignature -FilePath $MSIxToSign @SignatureParams -ErrorAction Stop
}
catch {
    Write-error "Doh!!"
}

PS C:\Users\me> $result.Status
'UnknownError'
PS C:\Users\me> $result.StatusMessage
'The form specified for the subject is not one supported or known by the specified trust provider'

 

Other details:

  • Cert is valid until 2024
  • It is a code signing certificate
  • Issued by Digicert
  • Running on Server 2016
  • Server has PSVersion 5.1

 

2 Replies

Hi @Vanbogie1200, we recommend you use SignTool.exe to sign MSIX packages. You can find more information on this: Sign an app package using SignTool - MSIX | Microsoft Docs 
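
The SignTool route recommended above, as an added PowerShell example that is not part of the original thread or of Microsoft's documentation: it checks the manifest publisher against the certificate subject, then signs and verifies with the certificate referenced by thumbprint so it stays in the server's store. It assumes signtool.exe (Windows SDK) is on PATH, the certificate is in a `My` store, and reuses the placeholder thumbprint, file name and timestamp URL from the question.

```powershell
# Added example: sign an MSIX with SignTool.exe while the cert stays in the local store.
# Assumptions: signtool.exe is on PATH; 'OurThumbPrint' is the placeholder from the post.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$MsixToSign = Join-Path $PSScriptRoot 'Application.msix'
$Thumbprint = 'OurThumbPrint'

$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
if (-not $cert) { throw "Code signing certificate $Thumbprint not found in a My store." }

# An MSIX is a ZIP container; read the Identity Publisher from AppxManifest.xml.
$zip = [System.IO.Compression.ZipFile]::OpenRead($MsixToSign)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw "AppxManifest.xml not found in $MsixToSign" }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
}
finally { $zip.Dispose() }

# Plain string comparison; a mismatch here makes signing fail, so stop early.
$publisher = $manifest.Package.Identity.Publisher
if ($publisher -ne $cert.Subject) {
    throw "Publisher '$publisher' does not match certificate subject '$($cert.Subject)'."
}

# /fd must match the package's block-map hash (SHA256 by default); /tr + /td request an
# RFC 3161 timestamp so the signature stays valid after the certificate expires.
$signArgs = @('sign', '/fd', 'SHA256', '/sha1', $cert.Thumbprint,
              '/tr', 'http://timestamp.digicert.com', '/td', 'SHA256')
# /sm tells SignTool to look in the machine store instead of the user store.
if ($cert.PSParentPath -like '*LocalMachine*') { $signArgs += '/sm' }

& signtool.exe @signArgs $MsixToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy before the package is released.
& signtool.exe verify /pa /v $MsixToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```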

Hi Dian, I was able to start signing the MSIX builds again using the signtool. So thanks for the suggestion.

On a side note, I suspect the issue with that cmdlet 'Set-AuthenticodeSignature' is that it's being run from PS 5.1. I noticed that PowerShell 5.1 also cannot view the signature on an MSIX while 7.0 has no issue. I plan on installing PS 7.0 on our signing server on Monday and will provide an update here in case anyone else is trying to sign this way.