Sign the MSIX using pfx certificate using the command line version of MSIX Packaging Tool

%3CLINGO-SUB%20id%3D%22lingo-sub-1666467%22%20slang%3D%22en-US%22%3ESign%20the%20MSIX%20using%20pfx%20certificate%20using%20the%20command%20line%20version%20of%20MSIX%20Packaging%20Tool%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1666467%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can%20create%20a%20signed%20version%20of%20my%20app%20using%20the%20GUI%20version%20of%20the%26nbsp%3BMSIX%20Packaging%20Tool.%20I%20can%20then%20use%20the%20template%20it%20outputs%20to%20create%20similar%20packages%20using%20the%20command%20line%20version.%20However%2C%20these%20packages%20are%20created%20unsigned.%20I%20am%20not%20using%20%22SigningInformation%22%20in%20the%20template%20XML%20as%20that%20one%20is%20for%26nbsp%3BDevice%20Guard%20signing%20only%20(according%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fmsix%2Fpackaging-tool%2Fgenerate-template-file)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fmsix%2Fpackaging-tool%2Fgenerate-template-file)%3C%2FA%3E.%20I%20need%20a%20way%20to%20specify%20my%20pfx%20certificate%2C%20password%20and%20the%20timestamp%20server%20while%20using%20the%20CLI%20version%2C%20just%20like%20I%20can%20do%20it%20in%20the%20GUI.%20How%20do%20I%20do%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1674865%22%20slang%3D%22en-US%22%3ERe%3A%20Sign%20the%20MSIX%20using%20pfx%20certificate%20using%20the%20command%20line%20version%20of%20MSIX%20Packaging%20Tool%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1674865%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793507%22%20target%3D%22_blank%22%3E%40ylexus%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EThe%20MSIX%20Packaging%20Tool%20does%20not%20support%20signing%20with%20.pfx%20certificates%20when%20using%20template%20files%20from%20the%20command%20line.%20You%20can%20use%20SignTool%20to%20sign%20your%20packages%20from%20the%20CLI%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fmsix%2Fpackage%2Fsign-app-package-using-signtool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESign%20an%20app%20package%20using%20SignTool%20-%20MSIX%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1681176%22%20slang%3D%22en-US%22%3ERe%3A%20Sign%20the%20MSIX%20using%20pfx%20certificate%20using%20the%20command%20line%20version%20of%20MSIX%20Packaging%20Tool%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1681176%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F569046%22%20target%3D%22_blank%22%3E%40Luis_Chacon%3C%2FA%3E%26nbsp%3Bthanks.%20It%20looks%20like%20it's%20a%20hacky%20business%2C%20but%20eventually%20it%20worked.%3C%2FP%3E%3CP%3EI%20installed%20latest%20Windows%20SDK%2010%20but%20was%20getting%20the%20error%20below.%20Googling%20proved%20that's%20because%20the%20MSIX%20packing%20tool%20version%20was%20not%20compatible%20with%20signtool%20version.%20MSIX%20packaging%20tool%20has%20its%20own%20signtool.exe%20located%20in%26nbsp%3BC%3A%5CProgram%20Files%5CWindowsApps%5CMicrosoft.MsixPackagingTool_1.2020.709.0_x64__8wekyb3d8bbwe%5CSDK%2C%20but%20it%20had%20very%20strict%20permissions%20and%20I%20had%20to%20take%20ownership%20and%20add%20myself%20execute%20permissions%20on%20everything%20under%20that%20directory.%20After%20that%20it%20worked.%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-basic%22%3E%3CCODE%3E%22C%3A%5CProgram%20Files%20(x86)%5CWindows%20Kits%5C10%5Cbin%5Cx64%5Csigntool.exe%22%20sign%20%2Ffd%20SHA256%20%2Fsha1%20xxx%20%2Ftr%20http%3A%2F%2Ftimestamp.comodoca.com%20file.msix%0ADone%20Adding%20Additional%20Store%0ASignTool%20Error%3A%20An%20unexpected%20internal%20error%20has%20occurred.%0AError%20information%3A%20%22Error%3A%20SignerSign()%20failed.%22%20(-2146958839%2F0x80080209)%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1784179%22%20slang%3D%22en-US%22%3ERe%3A%20Sign%20the%20MSIX%20using%20pfx%20certificate%20using%20the%20command%20line%20version%20of%20MSIX%20Packaging%20Tool%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1784179%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793507%22%20target%3D%22_blank%22%3E%40ylexus%3C%2FA%3E%26nbsp%3BFor%20anyone%20revisiting%20this%20topic%20in%20future%2C%20you%20can%20also%20use%20my%20freeware%20tool%20to%20do%20exactly%20what%20is%20needed%2C%20as%20documented%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsixhero.net%2Fdocumentation%2Fcommand-line-interface-cli-reference%2Fsign-msix-package-sign%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsixhero.net%2Fdocumentation%2Fcommand-line-interface-cli-reference%2Fsign-msix-package-sign%2F%3C%2FA%3E.%20Additional%20benefit%20is%20the%20automatic%20adjustment%20of%20the%20manifest%20file%2C%20so%20that%20the%20subject%20and%20the%20publisher%20name%20match.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I can create a signed version of my app using the GUI version of the MSIX Packaging Tool. I can then use the template it outputs to create similar packages using the command line version. However, these packages are created unsigned. I am not using "SigningInformation" in the template XML as that one is for Device Guard signing only (according to https://docs.microsoft.com/en-us/windows/msix/packaging-tool/generate-template-file). I need a way to specify my pfx certificate, password and the timestamp server while using the CLI version, just like I can do it in the GUI. How do I do that?

 

Thanks.

4 Replies

Hi @ylexus,

The MSIX Packaging Tool does not support signing with .pfx certificates when using template files from the command line. You can use SignTool to sign your packages from the CLI: Sign an app package using SignTool - MSIX | Microsoft Docs

@Luis_Chacon thanks. It looks like it's a hacky business, but eventually it worked.

I installed latest Windows SDK 10 but was getting the error below. Googling proved that's because the MSIX packing tool version was not compatible with signtool version. MSIX packaging tool has its own signtool.exe located in C:\Program Files\WindowsApps\Microsoft.MsixPackagingTool_1.2020.709.0_x64__8wekyb3d8bbwe\SDK, but it had very strict permissions and I had to take ownership and add myself execute permissions on everything under that directory. After that it worked.

"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /sha1 xxx /tr http://timestamp.comodoca.com file.msix
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)

 

@ylexus For anyone revisiting this topic in future, you can also use my freeware tool to do exactly what is needed, as documented here: https://msixhero.net/documentation/command-line-interface-cli-reference/sign-msix-package-sign/. Additional benefit is the automatic adjustment of the manifest file, so that the subject and the publisher name match.

@marcinotorowski If I use your tool for signing, will it solve the problem of using the same version of SignTool as used by the MSIX Packaging Tool that was used to create the MSIX in the first place, bypassing the need of finding the path to that signtool and hacking filesystem permissions?