Appxmanifest Identity Publisher contains ST=Oregon instead of S=Oregon


I am trying to use the 10.0.19041.0 makeappx.exe with a certificate I cannot change. The issue is that the publisher subject line contains ST=Oregon instead of S=Oregon, and I get the following error:

MakeAppx : error: Error info: error C00CE169: App manifest validation error: The app manifest must be valid as per schema: Line 6, Column 45, Reason: 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.
The attribute 'Publisher' with value 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' failed to parse.

If I set S=Oregon it packages fine. However, it then cannot be signed, because the subject line in the certificate has ST=Oregon and it doesn't match. Is there a way to get around this other than getting a new certificate created?

thanks


Hi @dmondou

Can you try passing in the /nv flag to MakeAppx when packaging. This should skip semantic validation. You'll have to verify that your package installs successfully after it's created.

Cheers,

Tanaka

Hello @Tanaka_Jimha ,

With the /nv flag it does try to package up the files but then throws the following error:

MakeAppx : error: Error info: error C00CE169: App manifest validation error: The app manifest must be valid as per schema: Line 6, Column 45, Reason: 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.
The attribute 'Publisher' with value 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc' failed to parse.

Without the /nv flag it doesn't try to package anything it just throws the error right away.

Thanks,
David

@dmondou This seems to be a possible bug in regexp validation of makeappx.exe. According to RFC 4519, ST should be a valid token (RFC 4519 - Lightweight Directory Access Protocol (LDAP): Schema for User Applications (ietf.org)).

Now while this does not help with the original problem, here is a weird thing.

I tried to test it myself, and tried to first create a test code signing certificate using your subject name. Invoking the following two commands:

$certificate = New-SelfSignedCertificate -Type Custom -KeyUsage DigitalSignature -Subject "C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc" -FriendlyName "AcmeTest" -CertStoreLocation 'Cert:\CurrentUser\my';

(Get-ChildItem -path "Cert:\CurrentUser\my" | ? { $_.Subject.IndexOf("Oregon") -ne -1 }).Subject

Seems to output:

C=US, S=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc

The same if you use makecert.exe, ST gets somehow replaced with S. No idea why, but seems to partially explain the choice of the regexp used by makeappx.exe.

Hello @Tanaka_Jimha,

Is there an update on this issue? It is a blocker for us in trying to deploy our app.

Thanks,

David

Thanks for digging further into this.

Hi @dmondou

Did you confirm that signing fails when you set S=Oregon in the manifest? I chatted with the team and they said the validation uses this CertNameToStr function - CertNameToStrA function (wincrypt.h) - Win32 apps | Microsoft Docs and it says

"The string representation follows the distinguished name specifications in RFC 1779 except for the deviations described in the following list:

  • The X.500 key name for stateOrProvinceName (2.5.4.8) OID is "S". This value is different from the RFC 1779 X.500 key name ("ST"). "

Unfortunately it looks like ST=Oregon will not work, and you'll need a subject name with S=Oregon.
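The two facts in this thread can be checked offline: the schema pattern that MakeAppx printed in the error, and the way Windows renders stateOrProvinceName (2.5.4.8) as S= rather than ST=. The following PowerShell is an added example written for this page; it is not code from the thread or from the MSIX tooling. The regular expression is copied verbatim from the error text above and anchored for .NET `-match`; the subject string is the one from the original post; the manifest path, .pfx path and function names are placeholders of my own.

```powershell
# Added example (not from the thread): validate an AppxManifest Publisher
# against the pattern MakeAppx reported, and show how Windows renders a
# subject that was written with ST=.

# Key and value alternatives copied from the MakeAppx error message.
$rdnKey   = '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))'
$rdnValue = '(([^,+="<>#;])+|".*")'
# XSD patterns match the whole value, so anchor the .NET regex explicitly.
$PublisherPattern = "^${rdnKey}=${rdnValue}(, ${rdnKey}=${rdnValue})*$"

function Test-MsixPublisher {
    # True when the string would pass the manifest schema's Publisher pattern.
    param([Parameter(Mandatory)][string]$Publisher)
    # XSD patterns are case-sensitive, hence -cmatch rather than -match.
    return ($Publisher -cmatch $PublisherPattern)
}

function Get-WindowsSubjectString {
    # Round-trip a subject through X500DistinguishedName. The encoder accepts
    # ST= for stateOrProvinceName (2.5.4.8); the decoder renders it the way
    # CertNameToStr does, i.e. with the key name S=.
    param([Parameter(Mandatory)][string]$Subject)
    $dn = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($Subject)
    return $dn.Name
}

function Compare-ManifestPublisher {
    # The Identity/@Publisher in AppxManifest.xml has to equal the signing
    # certificate's subject as Windows renders it ($Certificate.Subject).
    param(
        [Parameter(Mandatory)][string]$ManifestPath,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    [xml]$manifest = Get-Content -LiteralPath $ManifestPath -Raw
    $publisher = $manifest.Package.Identity.Publisher
    return [pscustomobject]@{
        ManifestPublisher   = $publisher
        CertificateSubject  = $Certificate.Subject
        PassesSchemaPattern = Test-MsixPublisher -Publisher $publisher
        MatchesCertificate  = ($publisher -ceq $Certificate.Subject)   # exact comparison
    }
}

# Subject from the original post, and the same subject after Windows renders it.
$asIssued   = 'C=US, ST=Oregon, L=Portland, O=Acme Inc, CN=Acme Inc'
$asRendered = Get-WindowsSubjectString -Subject $asIssued

"Schema accepts as issued   : $(Test-MsixPublisher -Publisher $asIssued)"
"Windows renders subject as : $asRendered"
"Schema accepts as rendered : $(Test-MsixPublisher -Publisher $asRendered)"

# Against a real package and certificate (paths are placeholders):
#   $cert = Get-PfxCertificate -FilePath .\acme.pfx
#   Compare-ManifestPublisher -ManifestPath .\AppxManifest.xml -Certificate $cert
```

The useful check is the last one: rather than copying the subject from the CA's portal or from openssl output (which print ST=), take `$cert.Subject` from the actual signing certificate as loaded on Windows and paste that into the manifest, since that is the rendering the signing step compares against.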

Hi @Tanaka_Jimha ,

Using S=Oregon does work; however, our certificate is through DigiCert, and we discussed with them issuing a cert with S=Oregon and they won't do it. Any chance of getting ST=Oregon changed in MSIX?

Thanks,

David

Hi @dmondou ,

Did signing fail with ST=Oregon?

I've added this request to our backlog, so that using ST=Oregon would be supported by default. I'm sorry it doesn't work currently and it's causing issues for you.

Thanks,

Tanaka

@Tanaka_Jimha 

Signing does fail with ST=Oregon.

Thanks,

David