MSIX package signing issue with certificate installed in a certificate store


I created an MSIX file and later signed the package with this command:

signtool sign /fd SHA256 /v /sm /s My /n "ABC Corporation" /t http://timestamp.digicert.com file.msix

But signing failed with this error:

Sign tool Error: This file format cannot be signed because it is not recognized.

  1. Host used to sign the package: Windows Server 2012
  2. Our AD team installed the certificate in the certificate store of the host I am using to sign.
  3. I installed the Windows 10 SDK and added the signtool 'x86' location "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86" to the PATH variable
  4. For code signing we are using DigiCert

I'd appreciate any suggestions to resolve this issue.

4 Replies

@Sri-Boddupalli This usually indicates an issue with the package (corrupted file etc.). You should get back to packaging and make the package "simpler" and see if signing works.


Hi @Sri-Boddupalli,

Try setting this registry key:

Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppxSIP, set LogLevel as DWORD to 3

Rerun the Signtool command and you should see additional logging that may be insightful to your problem.

If that does not help, please share the additional logging with us to review. As with any logs or data you share, please review it beforehand for any personal or sensitive information that you would not want to share in a public forum.

Thanks!
James


@Sri-Boddupalli You can try it with the pfx file, maybe it helps:

SignTool.exe sign /fd SHA256 /a /f devcert.pfx /p <pwd> ./abc.msix


Thank you guys for your valuable suggestions, I appreciate your time on this. This is a repeated post.

  1. So I ended up calling DigiCert support and first asked whether they support signing MSIX packages and whether they have any document which confirms that. Unfortunately they don't have any document which states all the file formats they support for code signing.
  2. Then I ran Signtool in debug mode as @TIMOTHY MANGAN suggested here https://techcommunity.microsoft.com/t5/msix-packaging-and-tools/msix-packageing-tool-signtool-certif... and ended up finding another article related to the error I was getting.
  3. As per this thread https://www.advancedinstaller.com/forums/viewtopic.php?t=36104 I uninstalled the Windows 10 SDK I had on the machine and re-installed the latest version of the Windows 10 SDK, version 2004 (10.0.19041.0), from here https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/
  4. Then, as @TIMOTHY MANGAN suggested above, I started by signing a simple MSI file just to verify nothing was wrong with the certificate, and it worked well. Later I signed a custom .EXE we developed and signing went well. So I confirmed nothing is wrong with the certificate I am using.
  5. Finally I signed the MSIX package I created using this command and it worked without any issues.

    1) Change the path to the Signtool location below
    C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64

    2) Sign the package using this command

.\signtool.exe sign /v /sm /s My /n "ABC Corporation" /fd SHA256 /t http://timestamp.digicert.com "<FileLocation>\File.msix"

It was so frustrating to fight with the AD team on getting the .PFX file with password. I understand their security concerns but without that we are pretty much helpless. @John Vintzel @Sharla Akers Is there any better explanation I can come up with if our AD team asks why exactly we need the .PFX file instead of installing the certificate in the cert store and using that? Or if you could develop a Signtool GUI utility, that would be wonderful.
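
Added example, not code from anyone in the thread: a PowerShell pre-flight and signing wrapper around the working command above. It uses the x64 signtool path, the AppxSIP LogLevel value and the machine-store certificate named in the thread, so no .PFX export is involved. `$Package` is a placeholder path, and the script assumes an elevated session because it writes under HKLM.

```powershell
# Added example. SDK path, subject name and timestamp URL come from the thread;
# $Package is a placeholder (assumption). Run elevated: it writes under HKLM.
$SdkBin         = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64'
$Subject        = 'ABC Corporation'
$Package        = 'C:\build\File.msix'       # placeholder path
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'        # EKU: Code Signing
$SipKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppxSIP'

$signtool = Join-Path $SdkBin 'signtool.exe'
if (-not (Test-Path $signtool)) { throw "signtool.exe not found in $SdkBin" }
if (-not (Test-Path $Package))  { throw "Package not found: $Package" }

# "/sm /s My" selects the LocalMachine\My store. Confirm a usable certificate is
# there before signing. Certificates with no EKU extension are not matched here.
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*$Subject*" -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningOid)
})
if ($candidates.Count -eq 0) {
    throw "No valid code-signing certificate with a private key matches '$Subject'"
}
if ($candidates.Count -gt 1) {
    Write-Warning "More than one certificate matches '$Subject'"
}

# Enable the additional AppxSIP logging suggested in the thread (LogLevel = 3).
if (-not (Test-Path $SipKey)) { New-Item -Path $SipKey -Force | Out-Null }
New-ItemProperty -Path $SipKey -Name LogLevel -PropertyType DWord -Value 3 -Force | Out-Null

try {
    $signArgs = @('sign', '/v', '/sm', '/s', 'My', '/n', $Subject, '/fd', 'SHA256',
                  '/t', 'http://timestamp.digicert.com', $Package)
    & $signtool @signArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Check that the signature on the package validates before shipping it.
    & $signtool verify /pa /v $Package
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
}
finally {
    # Turn the verbose SIP logging back off.
    Remove-ItemProperty -Path $SipKey -Name LogLevel -ErrorAction SilentlyContinue
}
```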