Microsoft MSIX Packaging Tool does not notice timestamping issue (error 0x80096005)

%3CLINGO-SUB%20id%3D%22lingo-sub-1530069%22%20slang%3D%22en-US%22%3EMicrosoft%20MSIX%20Packaging%20Tool%20does%20not%20notice%20timestamping%20issue%20(error%200x80096005)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1530069%22%20slang%3D%22en-US%22%3E%3CP%3EToday%20the%20Comodoca%20timestamping%20service%20is%20experiencing%20an%20issue.%26nbsp%3B%20So%20if%20you%20are%20using%20them%20to%20sign%20packages%20from%20the%20command%20line%20the%20signtool%20command%20line%20indicates%20a%20failure%20of%200x80096005.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20configured%20in%20the%20MMPT%2C%20the%20MMPT%20does%20not%20detect%20this%20error%20and%20claims%20that%20the%20package%20is%20OK.%26nbsp%3B%20Apparently%2C%20the%20package%20is%20also%20OK%20enough%20that%20when%20you%20attempt%20to%20install%20the%20package%2C%20it%20is%20listed%20as%20%22valid%22%20in%20the%20AppInstaller%20UI%2C%20however%20attempting%20to%20install%20fails%20with%20the%20same%20error%20code.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYes%2C%20bad%20on%20the%20vendor%20timestamping%20service%2C%20%3CSTRONG%3Ebut%20also%20bad%20on%20the%20MMPT%20to%20not%20detect%20this%3C%2FSTRONG%3E.%26nbsp%3B%20Googling%20this%20code%20shows%20that%20this%20is%20not%20the%20first%20time%20this%20vendor%20had%20a%20problem%2C%20so%20I'd%20guess%20it%20also%20won't%20be%20the%20last.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1532761%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20MSIX%20Packaging%20Tool%20does%20not%20notice%20timestamping%20issue%20(error%200x80096005)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532761%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146612%22%20target%3D%22_blank%22%3E%40TIMOTHY%20MANGAN%3C%2FA%3E%26nbsp%3BAs%20a%20follow-up%20to%20anyone%20finding%20this%20post...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhile%20the%20packaging%20tool%20should%20not%20hide%20the%20error%20and%20should%20be%20adjusted%3C%2FSTRONG%3E%2C%20the%20certificate%20vendor%20replied%20to%20my%20ticket%20with%20them%20with%20the%20following%20note.%20The%20ticketing%20system%20is%20routed%20through%20the%20company%20Sectigo%2C%20so%20perhaps%20there%20was%20an%20acquisition%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20contacting%20Sectigo%20Technical%20support.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20use%20the%20following%20signtool%20command%20%3A%3C%2FP%3E%0A%3CP%3Esigntool.exe%20sign%20%2Ff%20MyCert.pfx%20%2Fp%20%3CPFX%20password%3D%22%22%3E%20%2Ftr%20%3CA%20href%3D%22http%3A%2F%2Ftimestamp.sectigo.com%2Frfc3161%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Ftimestamp.sectigo.com%2Frfc3161%3C%2FA%3E%20%2Ffd%20sha256%20%2Ftd%20sha256%20%2Fas%20%2Fv%20filename.exe%3C%2FPFX%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1536880%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20MSIX%20Packaging%20Tool%20does%20not%20notice%20timestamping%20issue%20(error%200x80096005)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1536880%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146612%22%20target%3D%22_blank%22%3E%40TIMOTHY%20MANGAN%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20the%20timestamping%20fails%20in%20any%20way%2C%20the%20tool%20should%20show%20a%20warning%20and%20sign%20without%20the%20timestamp.%20If%20you%20can%20share%20the%20logs%20from%20the%20packaging%20tool%20either%20here%20or%20by%20filing%20feedback%20it%20would%20help%20us%20to%20find%20what%2Fwhere%20the%20problem%20was.%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

Today the Comodoca timestamping service is experiencing an issue.  So if you are using them to sign packages from the command line the signtool command line indicates a failure of 0x80096005.

 

If configured in the MMPT, the MMPT does not detect this error and claims that the package is OK.  Apparently, the package is also OK enough that when you attempt to install the package, it is listed as "valid" in the AppInstaller UI, however attempting to install fails with the same error code.

 

Yes, bad on the vendor timestamping service, but also bad on the MMPT to not detect this.  Googling this code shows that this is not the first time this vendor had a problem, so I'd guess it also won't be the last.

2 Replies

@TIMOTHY MANGAN As a follow-up to anyone finding this post...

 

While the packaging tool should not hide the error and should be adjusted, the certificate vendor replied to my ticket with them with the following note. The ticketing system is routed through the company Sectigo, so perhaps there was an acquisition:

 

Thank you for contacting Sectigo Technical support.

 

Please use the following signtool command :

signtool.exe sign /f MyCert.pfx /p <PFX password> /tr http://timestamp.sectigo.com/rfc3161 /fd sha256 /td sha256 /as /v filename.exe

@TIMOTHY MANGAN 

If the timestamping fails in any way, the tool should show a warning and sign without the timestamp. If you can share the logs from the packaging tool either here or by filing feedback it would help us to find what/where the problem was.