MSIX package signing issue with certificate installed in a certificate store

Copper Contributor

I created a MSIX file and later signing the package with this command 

signtool sign /fd SHA256 /v /sm /s My /n "ABC Corporation" /t http://timestamp.digicert.com file.msix

But signing failed with this error:

Sign tool Error: This file format cannot be signed because it is not recognized. 

 

  1. Host using to sign the package: Windows Server 2012
  2. Our AD team installed the certificate in certificate store of the host I am using to sign.
  3. I installed Windows 10 SDK and added signtool 'x86' location "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86" to path variable
  4. For Code signing we are using DigiCert 

Appreciate any suggestions to resolve this issue

8 Replies

@Sri-Boddupalli  While I'm not sure about the syntax (I normally use an external pfx file instead of the certificate store), so I'm not sure of syntax for getting from the store. But consider these ideas:

  • The subject name in the certificate must exactly match the Publisher field in the AppXManifest file.  This is in the form of the string "CN=CompanyName".  View your cert in the certificate store and make sure it matches by changing your manifest.
  • Syntax on the timestamp looks wrong to me, but I don't use digicert.  Try leaving that off for a test.
  • Possibly your company added the cert to the wrong section of the store. Check signtool documentation and look into which store it was installed to.  Usually we want the "Root Certificate Store". 

Thanks @TIMOTHY_MANGAN  appreciate your input

 

Subject Name matched with Manifest file CN name verified it. Just to reassure I exported the certificate installed by our team in the store as a .cer file and imported it during the MSIX pacakging process. Which do not sign the package but automatically generates the correct publisher information. 

 

Also I tried using the Digicert Utility tool to sign the package(GUI method) and getting below error. Is this a generic error message or specific to my scenario not sure. 

 

Sri-Boddupalli_0-1594304645379.png

 

One thing I noticed is it does not have .MSIX file in the drop down selection of file type we are signing shown in below. Does this mean our code signing certificate is not supporting MSIX file type? after all the error message we got while using the signtool was "The file format cannot be signed because it is not recognized"

 

Sri-Boddupalli_1-1594304779836.png

 

I@Sri-Boddupalli 

If the Digicert utility doesn't recognise .msix, you can try renaming the file to .appx and then sign it.  Ultimately I assume this utility is calling the Microsoft signtool.exe utility to perform the signing.

 

There is no difference on the file extension; the difference between a UWP app and a MSIX one is internal to the manifest file rather than the file name extension. 

@TIMOTHY_MANGAN 

 

You might also just leave the timestamp off for a test and make sure that it is not the cause.

@Sri-Boddupalli 

You could perform some steps to eliminate a few things:

 

(1) Start with testing if the certificate you have is valid for code signing. Are you able to sign any executable with it? (download 7-zip EXE from the official website and try to sign it). If you get an error at this point, then there is something probably wrong with your certificate. After all, one of the error codes your reported was 

 

TRUST_E_SUBJECT_FORM_UNKNOWN 0x800B0003

The form specified for the subject is not one supported or known by the specified trust provider.

 

(2) If signing works for EXE, then it should (with the version you have) work for MSIX as well. You should try to validate your MSIX then - how did you create it? Can you use makeappx.exe to unpack it, and then pack it again? It should do some semantic validation to ensure that the manifest is correct and some values are in place.

 

(3) Try to create a new self-signed certificate and sign the MSIX in question, with the SDK you have. This can also exclude any potential issues with MSIX file.

 

You can use my freeware tool MSIX Hero (msixhero.net) for points (2) and (3), or use the following links and resources explaining how to perform them manually:

 

This issue looks to me more related to your package rather then the certificate (As the message states: Sign tool Error: This file format cannot be signed because it is not recognized.). I had this issue once and in the end recreating the package with fresh binaries.

You can try building a very simple MSIX/APPX package and sign it. That way you can make sure that it is really not about the certificate.

Thank you guys for your valuable suggestions, appreciate your time on this. 

 

  1. So I ended up calling the DigiCert support and asked the first question whether they support signing MSIX packages and do they have any document which confirms that. Unfortunately they don't have any document which states all the file formats they support code signing
  2. Then I ran the Signtool in debug mode as @TIMOTHY_MANGAN suggested in here https://techcommunity.microsoft.com/t5/msix-packaging-and-tools/msix-packageing-tool-signtool-certif... and ended up finding another article related to error I was getting. 
  3.  As per this thread https://www.advancedinstaller.com/forums/viewtopic.php?t=36104 I uninstalled the Windows 10 SDK i had in the machine and re-installed the latest version of Windows 10 SDK, version 2004 (10.0.19041.0) from here https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/
  4. Then as @TIMOTHY_MANGAN  suggested above started signing a simple MSI file just to verify nothing wrong with the Certificate and it worked good. Later I signed a custom .EXE we developed and signing went good. So I confirmed nothing wrong with the certificate I am using. 
  5. Finally I signed the MSIX pacakge I created using this command and it worked without any issues. 

    1) Change the Path to Signtool Location below
    C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64

    2) Sign the Package using this command

 

.\signtool.exe sign /v /sm /s My /n "ABC Corporation" /fd SHA256 /t http://timestamp.digicert.com "<FileLocation>\File.msix"

 

It was so frustrating to fight with AD team on getting the .PFX file with Password. I understand their security concerns but without that we are pretty much helpless. @John Vintzel @ShakersMSFT Any better explanation I can come up with, if our AD team ask why exactly we need .PFX file instead of installing the certificate in cert store and using that? OR if you could develop a Signtool GUI utility that would be wonderful 

I was having the same issue and the note about using the sign tool from the windows kits folder worked. I'm guessing it is using the manifest and\or some dlls in that directory and that's why it can handle the msix format.

Anyway, Thanks!