Apr 06 2021 08:42 AM
Our older code signing cert is about to expire, so we're attempting to move the process to lean on our newer code signing process where the cert never leaves a particular server. This process at its root relies on the PowerShell cmdlet 'Set-AuthenticodeSignature'.
Attempting to sign MSIX builds with the same parameters we use for scripts and EXEs appears not to be working. I have verified the Certificate Subject matches the MSIX's publisher entry in the manifest file. The error returned is vague, so I'm not sure if the MSIX format is supported or if there's something else wrong here.
To clarify, we're not using the msix repackaging tool or any third party repackaging tool to sign the files.
Some basics behind the commands we're using:
    $MSIxToSign = "$PSScriptRoot\Application.msix"
    $CSCert = Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue -CodeSigningCert | Where-Object Thumbprint -eq 'OurThumbPrint' | Select-Object -First 1
    $SignatureParams = @{
        Certificate     = $CSCert
        IncludeChain    = 'notroot'
        TimestampServer = 'http://timestamp.digicert.com'
        Force           = $true
    }
    try {
        $result = Set-AuthenticodeSignature -FilePath $MSIxToSign @SignatureParams -ErrorAction Stop
    }
    catch {
        Write-Error "Doh!!"
    }

    PS C:\Users\me> $result.Status
    'UnknownError'
    PS C:\Users\me> $result.StatusMessage
    'The form specified for the subject is not one supported or known by the specified trust provider'
Other details:
Apr 06 2021 01:52 PM
Hi @Vanbogie1200, we recommend you use SignTool.exe to sign MSIX packages. You can find more information on this: Sign an app package using SignTool - MSIX | Microsoft Docs
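The SignTool route recommended above, as an added example that is not part of the original thread: it reads the Publisher from the package manifest, compares it with the certificate subject, and then signs from the certificate store by thumbprint so the key stays on the signing server. It assumes signtool.exe (Windows SDK) is on PATH; the thumbprint is a placeholder and `Get-MsixPublisher` is a hypothetical helper name.

```powershell
# Added example: pre-check the manifest Publisher, then sign with SignTool.
# Assumptions: signtool.exe is on PATH; $Thumbprint is a placeholder value.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsixPublisher {
    # Hypothetical helper: an MSIX is a ZIP container; read Identity/@Publisher
    # from AppxManifest.xml without unpacking the package to disk.
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.Entries | Where-Object FullName -eq 'AppxManifest.xml' | Select-Object -First 1
        if (-not $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    }
    finally { $zip.Dispose() }
}

$MsixToSign = Join-Path $PSScriptRoot 'Application.msix'
$Thumbprint = '<CODE-SIGNING-CERT-THUMBPRINT>'   # placeholder, not a real value

$Cert = Get-ChildItem Cert:\ -Recurse -CodeSigningCert -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
if (-not $Cert) { throw "Code signing certificate $Thumbprint not found in any store" }

# Strict string comparison: any difference in the distinguished name is reported
# here, before SignTool is invoked.
$Publisher = Get-MsixPublisher -Path $MsixToSign
if ($Publisher -ne $Cert.Subject) {
    throw "Publisher mismatch. Manifest: '$Publisher'  Certificate: '$($Cert.Subject)'"
}

# /sha1 selects the certificate from the store by thumbprint (no PFX export needed).
# Add /sm if the certificate lives in a LocalMachine store.
# /fd is the file digest algorithm; /tr and /td request an RFC 3161 timestamp.
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr 'http://timestamp.digicert.com' /td SHA256 $MsixToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the signature against the default Authenticode policy.
& signtool.exe verify /pa $MsixToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```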
Apr 08 2021 12:57 PM
Feb 10 2023 12:37 PM
@Vanbogie1200 Were you able to confirm that the PowerShell version is the root cause for this?