Can not Sign the MSIX package with self-signed certificate


I used Makeappx tool to convert my appx package to the msix package and now I want to test my msix package. I created a self-signed certificate by following the steps from how to create a certificate for packaging and signing (https://docs.microsoft.com/en-us/windows/uwp/packaging/create-certificate-package-signing). But when I am trying to sign my package using signtool, I always get the error message:

              SignTool Error: An unexpected internal error has occurred.
              Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)

I have double checked the publisher name and encrypted algorithm I used. I have updated to Build 17713. In build 17709, I created a simple test app and packed it with msix and successfully signed and installed. Does anybody have the same issue with signing the package?

11 Replies

If you go to event viewer does it have any more details?

Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational

John.


Hi,

Yes, I have the same issue:
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)

Event viewer shows me this: "The reader was created successfully without manifest validation." And it is under Information Level, not Warning or Error.

Details:
MSIX created with MSIX Packaging Tool (Preview)
OS build: 17713.1000
Signtool.exe used from C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0




@Toms Knostenbergs sounds like you are using signtool to sign the package, is that correct? Can you please try to convert the package again using the MSIX Packaging Tool and add your test certificate in the last page of the wizard to have the tool sign the MSIX package? If you hit the same error please file a feedback hub problem from the error pop up so we can take a look at your logs.


I have the same issue.

My OS = 17728.1000

I used the MSIX package tool. I created a pfx cert with a password. The CN name matches the CN in the msix. You cannot add the cert at the end of the MSIX package tool because it does not prompt for the cert password.

When I then try to sign the appx package, I receive the same error 0x80070032.

Please help!

I have the same issue with self-signed certificate (0x80070032). The name is valid, and I can use the cert to sign an exe without issue. I am using 17134 version of signtool, and have tried both the x86 and x64 version of signtool.

Event operational log generates a single information entry (Event 181 - The reader was created successfully without manifest validation).

Enabling debug log produced single event of Event 0 (ErrorCode 15003 with EventPayload of all zeros)


@TIMOTHY MANGAN and @Stephen Morgan, looks like you are using the RS4 version of signtool. Please use the latest from the insider preview SDK:

https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewSDK


Hi all,

I did quite some testing with different types of certificates. What I found out is:

- the MSIX Packaging Tool has its own version of signtool boxed (I guess to remove the SDK as a prerequisite)

- Certificate passwords really make it break

My solution was (besides querying for the most updated Insider SDK) to just copy out the inboxed signtool and run it on the command line:

location on my box:

"C:\Program Files\WindowsApps\Microsoft.MsixPackagingTool_1.2018.725.0_x64__8wekyb3d8bbwe\signtool.exe"

signtool.exe sign /a /v /fd SHA256 /f "C:\MyCodeSignCustom.pfx" /p "SuperSecurePassword" "C:\MSIXPackage.appx"

Kind regards

/Johannes

Johannes - Thanks for that. I was assuming from the "documentation" that I needed the SDK copy of signtool and never looked inside the packaging tool for a copy.

This isn't the best way to go about this, but at least I can finally test!

We are working to get a new version of the tool out to resolve the password issue. As the thread mentions, a new signtool is needed to sign MSIX files. Installing the SDK will offer this and we package it in the app so the SDK is not a requirement to use the MSIX Packaging Tool.


@Johannes

Thank you very much. This worked for me.

I used the command line to copy out the signtool.exe file, then ran my signtool command and voila, my msix package was able to be signed. I still needed to turn on "Sideload apps" from the "for Developers" page under Windows "Settings", but that makes sense since I am not installing from the Store.


Hi Timothy,

exactly this is what my solution should provide - final (production) solution of course should be something within the Tool. But for now - it lets MSIX rock on my box.

Enjoy
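
An added example, not written by any poster in this thread and not Microsoft's code: a PowerShell pre-flight that runs the checks discussed above before signing. It refuses the RS4 (10.0.17134) signtool, compares the manifest Publisher with the certificate Subject, and signs by thumbprint so no PFX password appears on the command line. The parameter names `$Package` and `$Thumbprint`, the default SDK path, and the certificate already being imported into Cert:\CurrentUser\My are assumptions of this example.

```powershell
# Added example. Assumptions: the signing certificate is already imported into
# Cert:\CurrentUser\My, and the SDK lives under the default "Windows Kits" path.
param(
    [Parameter(Mandatory)] [string] $Package,    # path to the .msix / .appx
    [Parameter(Mandatory)] [string] $Thumbprint  # SHA-1 thumbprint of the cert
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

# 1. Newest x64 signtool.exe from versioned SDK folders (bin\<version>\x64).
$kits = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
$signtool = Get-ChildItem -Path $kits -Filter signtool.exe -Recurse |
    Where-Object { $_.Directory.Name -eq 'x64' -and ($_.Directory.Parent.Name -as [version]) } |
    Sort-Object { [version]$_.Directory.Parent.Name } |
    Select-Object -Last 1
if (-not $signtool) { throw "No versioned signtool.exe found under $kits" }
$sdk = [version]$signtool.Directory.Parent.Name
# The thread reports 0x80070032 with the 10.0.17134 (RS4) signtool on MSIX.
if ($sdk -le [version]'10.0.17134.0') {
    throw "signtool $sdk is RS4 or older; install a newer Windows SDK."
}

# 2. Read the Publisher from AppxManifest.xml inside the package (a ZIP file).
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Package).Path)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw "AppxManifest.xml not found in $Package" }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
} finally { $zip.Dispose() }
$publisher = $manifest.Package.Identity.Publisher

# 3. The certificate must hold a private key and its Subject must equal Publisher.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
if ($cert.Subject -ne $publisher) {
    throw "Publisher mismatch: manifest '$publisher' vs certificate '$($cert.Subject)'"
}

# 4. Sign by thumbprint (no /f + /p, so no password in the process command line),
#    then verify. Verification of a self-signed certificate succeeds only once
#    that certificate is trusted on the machine.
& $signtool.FullName sign /fd SHA256 /sha1 $Thumbprint /v $Package
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
& $signtool.FullName verify /pa /v $Package
if ($LASTEXITCODE -ne 0) { Write-Warning "Signed, but verification failed (exit code $LASTEXITCODE)." }
```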