Visual Studio 2019 16.11.5. WPF project .NET Framework 4.8. I can deploy via ClickOnce with a code signing certificate I purchased. When I add a Windows Application Packaging Project to my solution to create an MSIX and open the appxmanifest dialog, on the Packaging tab, I click "Choose Certificate..." and "Select from store...". The dialog says, "No certificate available". If I choose "Select from file...", choose the .pfx and enter the password, the dialog says, "The Manifest Desinger could not import the certificate. The certificate you selected is not valid for signing because it is either expired or has another issue. for more information see http://go.microsoft.com/fwlink/?LinkID=241478".
The certificate was purchased from SSL.com specifically for code signing and, as stated above, works for ClickOnce. The article above says this:
Validating Certificates
During packaging, Visual Studio validates the specified certificate in the following ways:
- Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.
- Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
- Verifies the value of the Key Usage (KU) property, which must be either Unset or DigitalSignature.
- Verifies the existence of a private key exists.
- Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.
Inspecting the certificate through the certmgr mmc:
I don't see "Basic Constraints" in the certificate. Is that the problem? Do I have to specifically request this from SSL.com?
Enhanced Key Usage is set to "Code Signing (1.3.6.1.5.5.7.3.3)"
Key Usage is set to "Digital Signature (80)"
I'm not sure how to tell if a private key exists.
The certificate is active and not expired.
Please help. SSL.com swears we shouldn't need anything else. Self-signing is covered very well in documentation, but public certificates are barely mentioned.
Thank you,
Mike
@Mike_Yeager I am using signtool as a workaround for msix bundles (appinstaller format), like this:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /tr http://ts.ssl.com /td sha256 /a /f "path_toCertificate\certificate.pfx" /p ******** "PathToPackage\Package.msixbundle"
This works fine for msixbundle, and for individual msix packages, I am using MSIX Packaging Tool:
I do hope this gets resolved eventually though, because this adds an additional step in the build process. Probably should buy another certificate from a CA that includes Basic Constraints.