Sep 14 2020 03:34 PM
I can create a signed version of my app using the GUI version of the MSIX Packaging Tool. I can then use the template it outputs to create similar packages using the command line version. However, these packages are created unsigned. I am not using "SigningInformation" in the template XML as that one is for Device Guard signing only (according to https://docs.microsoft.com/en-us/windows/msix/packaging-tool/generate-template-file). I need a way to specify my pfx certificate, password and the timestamp server while using the CLI version, just like I can do it in the GUI. How do I do that?
Thanks.
Sep 16 2020 11:40 AM
Hi @ylexus,
The MSIX Packaging Tool does not support signing with .pfx certificates when using template files from the command line. You can use SignTool to sign your packages from the CLI: Sign an app package using SignTool - MSIX | Microsoft Docs
Sep 17 2020 02:40 PM
@Chacon thanks. It looks like it's a hacky business, but eventually it worked.
I installed latest Windows SDK 10 but was getting the error below. Googling proved that's because the MSIX packing tool version was not compatible with signtool version. MSIX packaging tool has its own signtool.exe located in C:\Program Files\WindowsApps\Microsoft.MsixPackagingTool_1.2020.709.0_x64__8wekyb3d8bbwe\SDK, but it had very strict permissions and I had to take ownership and add myself execute permissions on everything under that directory. After that it worked.
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /sha1 xxx /tr http://timestamp.comodoca.com file.msix
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
Oct 15 2020 08:26 AM
@ylexus For anyone revisiting this topic in future, you can also use my freeware tool to do exactly what is needed, as documented here: https://msixhero.net/documentation/command-line-interface-cli-reference/sign-msix-package-sign/. Additional benefit is the automatic adjustment of the manifest file, so that the subject and the publisher name match.
Oct 18 2020 09:09 AM
@marcinotorowski If I use your tool for signing, will it solve the problem of using the same version of SignTool as used by the MSIX Packaging Tool that was used to create the MSIX in the first place, bypassing the need of finding the path to that signtool and hacking filesystem permissions?