Sign the MSIX using pfx certificate using the command line version of MSIX Packaging Tool

%3CLINGO-SUB%20id%3D%22lingo-sub-1666467%22%20slang%3D%22en-US%22%3ESign%20the%20MSIX%20using%20pfx%20certificate%20using%20the%20command%20line%20version%20of%20MSIX%20Packaging%20Tool%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1666467%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can%20create%20a%20signed%20version%20of%20my%20app%20using%20the%20GUI%20version%20of%20the%26nbsp%3BMSIX%20Packaging%20Tool.%20I%20can%20then%20use%20the%20template%20it%20outputs%20to%20create%20similar%20packages%20using%20the%20command%20line%20version.%20However%2C%20these%20packages%20are%20created%20unsigned.%20I%20am%20not%20using%20%22SigningInformation%22%20in%20the%20template%20XML%20as%20that%20one%20is%20for%26nbsp%3BDevice%20Guard%20signing%20only%20(according%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fmsix%2Fpackaging-tool%2Fgenerate-template-file)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fmsix%2Fpackaging-tool%2Fgenerate-template-file)%3C%2FA%3E.%20I%20need%20a%20way%20to%20specify%20my%20pfx%20certificate%2C%20password%20and%20the%20timestamp%20server%20while%20using%20the%20CLI%20version%2C%20just%20like%20I%20can%20do%20it%20in%20the%20GUI.%20How%20do%20I%20do%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1674865%22%20slang%3D%22en-US%22%3ERe%3A%20Sign%20the%20MSIX%20using%20pfx%20certificate%20using%20the%20command%20line%20version%20of%20MSIX%20Packaging%20Tool%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1674865%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793507%22%20target%3D%22_blank%22%3E%40ylexus%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EThe%20MSIX%20Packaging%20Tool%20does%20not%20support%20signing%20with%20.pfx%20certificates%20when%20using%20template%20files%20from%20the%20command%20line.%20You%20can%20use%20SignTool%20to%20sign%20your%20packages%20from%20the%20CLI%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fmsix%2Fpackage%2Fsign-app-package-using-signtool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESign%20an%20app%20package%20using%20SignTool%20-%20MSIX%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I can create a signed version of my app using the GUI version of the MSIX Packaging Tool. I can then use the template it outputs to create similar packages using the command line version. However, these packages are created unsigned. I am not using "SigningInformation" in the template XML as that one is for Device Guard signing only (according to https://docs.microsoft.com/en-us/windows/msix/packaging-tool/generate-template-file). I need a way to specify my pfx certificate, password and the timestamp server while using the CLI version, just like I can do it in the GUI. How do I do that?

 

Thanks.

2 Replies
Highlighted

Hi @ylexus,

The MSIX Packaging Tool does not support signing with .pfx certificates when using template files from the command line. You can use SignTool to sign your packages from the CLI: Sign an app package using SignTool - MSIX | Microsoft Docs

Highlighted

@Luis_Chacon thanks. It looks like it's a hacky business, but eventually it worked.

I installed latest Windows SDK 10 but was getting the error below. Googling proved that's because the MSIX packing tool version was not compatible with signtool version. MSIX packaging tool has its own signtool.exe located in C:\Program Files\WindowsApps\Microsoft.MsixPackagingTool_1.2020.709.0_x64__8wekyb3d8bbwe\SDK, but it had very strict permissions and I had to take ownership and add myself execute permissions on everything under that directory. After that it worked.

"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /sha1 xxx /tr http://timestamp.comodoca.com file.msix
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)