MSIX Packaging Tool / signtool certificate issues


1) I have a valid (paid for) code signing certificate from a well known CA that has a password so I can't use the in tool signing (which is something you should support!).

 

The 17134 SDK is present.  So I pulled the command out of the log file and modified as follows (but with the proper password):

 

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\signtool.exe" sign /a /v /debug /fd SHA256 /f "C:\Users\Admin\Desktop\strongname.pfx" /p "xxxThePasswordxxx" "C:\Users\Admin\Desktop\TMEdit\Setup_TMEdit.msix"

 

Which fails.  The relevant output being:

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: TMurgent Technologies, LLP
    Issued by: COMODO RSA Code Signing CA
    Expires:   Mon Jun 21 19:59:59 2021
    SHA1 hash: A5CD580A89C438FB9B87753BB05F383560EB366F

The following additional certificates will be attached:
    Issued to: COMODO RSA Code Signing CA
    Issued by: COMODO RSA Certification Authority
    Expires:   Mon May 08 19:59:59 2028
    SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
 
2) Reading up on this, we get to the cause of issue number 2: the name of the publisher in CN form in the manifest (input from the MSIX Manifest tool) must exactly match that of the certificate:

Inside the certificate, the publisher name is
          CN=TMurgent Technologies, LLP
which, unfortunately, is the legal name of the entity so that isn't changing!
 
The MSIX Package Tool does not allow a comma in the input field. 

Hi Timothy,

 

just to clarify:

This is the structure of my PKI:

CN=Johannes Freundorfer, OU=MyCustomOU, OU=MyOrg, DC=MyDomain, DC=dom

 

Applied to your case:

is "TMurgent Technologies, LLP" really your explicit Subject name (Including the "," character )?

 

My current best guess is that this can't match the schema.

Hi Tim,

 

According to MSFT docs, comma (",") is a reserved character that must be escaped, as shown in their examples from the linked article.

 

It seems that using "\," is still not considered correct by the GUI of MSIX packaging tool, but it does not complain when using the hex value for comma, i.e. "CN=TMurgent Technologies \2C LLP".

I don't have a test certificate at hand with a comma in the publisher name to fully test it, but according to their docs it should work.

Thanks Bogdan - I'll give that a try.

Escaping in the dialog box as Bogdan suggested does indeed work.

 

But the GUI of the tool should just accept the comma and escape it behind the scenes. 

 

In addition, when there is documentation on all of this, the documentation should be clear about what to include in this field.  There will be confusion on if OU= parts should be included.  Just make it clear in the documentation, especially for people that don't deal in certificates regularly.

I spoke too soon...

 

Entering the escape works to get past the UI dialog and makes a package if you don't sign it. The AppXManifest ends up with the \2C in the publishing field, but then the signtool errors (8007000b) against it.  I'm not sure if the fault on that is the PackagingTool or signtool.

 

I would think that the least confusing solution for everyone is to let the PackagingTool accept the comma (and other escape-worthy characters) and place them in the Publishing field as is, and then fix the signtool to understand and escape if necessary.

 

Of course the best solution might be to let me point to the certificate earlier in the PackagingTool and have it extract what it needs rather than allow us to mess this all up. Probably still need to fix signtool, but the more of this that can be automated the better.

@TIMOTHY MANGAN 

 

Hi Timothy,

 

Did you find a solution to this issue?

I'm having the same problem.

 

Best,

Mo

@Mo_Velayati I am using a cert without a comma in the ID field.  Since I don't have to use my public CA code signing cert to upload to the Microsoft Store, a self-signed cert is OK for internal work. 

 

Eventually, I'll have to solve this if I want to host MSIX package installers on my website, but for now those are just MSIs. So I haven't looked at this to see if it was addressed in the tooling.

@TIMOTHY MANGAN 

 

Thanks Timothy,

 

I am very surprised that there is no solution for this issue. I need to ask for a new signing cert with no commas in the subject.

@Mo_Velayati 

I have found that, at least on newer Packaging Tool and newer OSs, it is now possible to sign with this certificate.  The key was to include the string in quotation marks, but also to include the entire subject line, and not just the CN= portion of it. 

 

It was not necessary to replace the comma via \2c or , syntax (in fact these don't work).

@TIMOTHY MANGAN 

 

Hi Timothy,

 

I am using AzureSignTool and although I have tried everything with regards to the Publisher attribute, I still can't get it to work.

 

To give you more details:

I have "," characters in CN and O so the publisher attribute for me is something like this:
Publisher="O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, CN=A Company, INC."

 

I have tried putting the CN and O values in double quotes, triple quotes, single quotes but nothing worked. Every time it's either the Package.appxmanifest file that complains about the value of the publisher not following the pattern or it's the azure pipeline that says the publisher doesn't match the signing cert.

 

The other issue is that in the signing cert, the state is written like ST=STATE but my package.appxmanifest pattern only accepts S=STATE.

 

I'm not sure what is exactly causing this issue but I've been trying for almost 3 weeks and nothing has worked so far.

 

Do you have any ideas?

@Mo_Velayati The big issue I see with your example is that the Publisher field must start with the characters "CN=", and as that field must exactly match the subject field on the certificate, there probably is no way to sign with that cert.

 

That said, I'm not working with the Azure signing service and haven't since they changed it.  But likely the underlying cause of your issue is the order of things in the cert.

 

Tim

@TIMOTHY MANGAN 

 

Thanks Tim,

 

I'll try changing the order.

What tool do you use to sign your msix package?

And in the earlier reply where you mentioned that the key was to mention the string in quotation marks, what do you mean by the string? Do you mean the entire publisher value or the value for CN?

 

-Mo

@Mo_Velayati I am using signtool.exe from the windows SDK from a script directly.

 

Attached image is an example of the identity portion of a manifest I recently signed, and another of the subject field as seen in the certificate manager (NOTE: certmgr doesn't display it in the correct form as in the cert file, but you can see the order).

 

Commas were not actually my issue, including the complete certificate subject in the Publisher field was. 

The reference schema (ManifestTypes) for the manifest file is what imposes restrictions on what is allowed in the Publisher field, and that is where the requirement that it start with CN= comes from.  SignTool is what imposes the matching between this publisher field and the subject field of the cert.


@TIMOTHY MANGAN 

 

I looked at the signing cert in certmgr just to figure out the order of the attributes and updated Package.appxmanifest based on that and still no luck.

 

In the attachments you can see that I tried the publisher attribute two different ways and none of them worked. I'm starting to think that there's something wrong with the AzureSignTool. Are you using SignTool.exe with azure key vault? is that possible? My signing cert is in azure key vault. That's why I'm using AzureSignTool instead of SignTool.

 

Mo

@Mo_Velayati I am not signing via Azure.  Ultimately they must use a version of signtool, and I suppose it is possible that this might not be the latest.

 

Your #2 image looks correct to me for the Publisher field.  Assuming you have access to the files from the CI/CD process, a way to troubleshoot may be to take your unsigned package to a Windows VM and manually sign it via the latest signtool and your cert.

 

Outside of that you'll need Microsoft help.  Maybe tagging @John Vintzel will get him to forward the thread to someone that can help.

@TIMOTHY MANGAN 
The publisher string entered by you needs to match exactly the string extracted from the cert. This Windows API function documentation lists some of the recommendations in the Remarks section https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks 

To extract the right publisher from your cert subject, you could use the MSIX Packaging Tool's editor to sign a package and see what it puts in the manifest.
Or you could use the following C# code or Powershell commands:

using System.Security.Cryptography.X509Certificates;

// Load the PFX (certificatePassword may be empty for an unprotected file)
// and read the subject in the string form Windows uses for it.
X509Certificate2 cert = new X509Certificate2(certificatePath, certificatePassword, X509KeyStorageFlags.DefaultKeySet);
string publisher = cert.Subject;

 

(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 cert.pfx).Subject

Replace cert.pfx with your cert name. If it is password protected, use cert.pfx,password.

Let us know if this helps.

@SahibiMiranshah 

 

Hi Sahibi,

 

My cert is on azure key vault and I'm trying to sign directly from the key vault instead of downloading or importing the certificate. That's why I'm use AzureSignTool. 

I tried the PowerShell scripts you mentioned and all I get is a simple string for the subject name. It doesn't include any of the OIDs meaning it's not in the correct format. So if the publisher for my cert is :
Publisher="O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, CN=A Company, INC."

 

it would print: A Company, INC.

 

I am mostly interested to know what I should choose as my Publisher Identity in Packager.appxmanifest so it exactly matches the subject of the certificate. So far I have tried almost every possible way of formatting it but still no luck. 

 

In the link you posted here I saw that if there are special characters such as comma in the subject, they have to be inside double quotes. I have tried that as well but I still get the same error saying that it doesn't match the subject.

 

Any thoughts?

@Mo_Velayati 
The subject string in a cert must exactly match the string in the appxmanifest file. There is no workaround for this restriction.
You could either update the appxmanifest Publisher field, for example, 

Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
or acquire a new cert to match the Publisher in the appxmanifest file if you cannot change the appxmanifest.
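What Sahibi describes above (the Publisher must be the certificate subject exactly as Windows formats it) and Mo's question about commas in the CN and O values, as an added example in Python. This is my code, not something posted in the thread or shipped by Microsoft. It implements the value-quoting rule documented for CertNameToStr with CERT_X500_NAME_STR (a value containing a comma, plus, equals, double quote, newline, <, >, # or ;, or with leading or trailing spaces, is wrapped in double quotes and embedded quotes are doubled), uses the S= spelling Windows emits for the state attribute where OpenSSL prints ST=, and then compares a manifest's Identity/Publisher with the string a certificate subject would produce. Two things are my assumptions: that signtool compares against the CN-first (reversed) order, which is what every example in the thread shows, and the sample subject and manifests, which are constructed from Mo's posts rather than read from a real PFX or package. Function names are hypothetical.

```python
"""
Added example (not from the thread or from Microsoft): derive the Publisher
string Windows expects from a certificate subject, and check an AppxManifest
Identity/Publisher against it.

Quoting follows the CertNameToStr docs for CERT_X500_NAME_STR. Assumed (mine):
signtool compares against the CN-first (reversed) order; the sample subject
below is constructed from the one Mo quoted, not read from a real certificate.
"""
import xml.etree.ElementTree as ET

SPECIALS = set(',+="\n<>#;')
# Windows emits "S=" for stateOrProvinceName where OpenSSL prints "ST=";
# normalise the OpenSSL spelling so subjects copied from either tool compare.
KEY_ALIASES = {"ST": "S"}
APPX_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"


def quote_value(value):
    """Quote an RDN value the way CertNameToStr does (embedded quotes doubled)."""
    if any(c in SPECIALS for c in value) or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value


def windows_subject(rdns):
    """rdns: [(key, value), ...] in DER order; returns the CN-first X500 string."""
    parts = []
    for key, value in reversed(rdns):
        key = key.upper()
        parts.append(f"{KEY_ALIASES.get(key, key)}={quote_value(value)}")
    return ", ".join(parts)


def parse_windows_subject(text):
    """Parse an X500 string back into [(key, value), ...]. Lenient on purpose:
    an unquoted comma inside a value turns the tail into a bogus key, which is
    exactly how 'CN=A Company, INC.' goes wrong, instead of raising."""
    rdns, i, n = [], 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq == -1:  # leftover text with no key: keep it so the mismatch is visible
            rdns.append(("", text[i:].strip()))
            break
        key = text[i:eq].strip().upper()
        i = eq + 1
        if i < n and text[i] == '"':
            i, buf = i + 1, []
            while i < n:
                if text[i] == '"':
                    if i + 1 < n and text[i + 1] == '"':  # doubled quote -> literal quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(text[i])
                i += 1
            value = "".join(buf)
        else:
            end = text.find(",", i)
            end = n if end == -1 else end
            value = text[i:end].strip()
            i = end
        rdns.append((KEY_ALIASES.get(key, key), value))
        while i < n and text[i] in ", ":  # skip the RDN separator
            i += 1
    return rdns


def manifest_publisher(manifest_xml):
    """Return the Identity/Publisher attribute of an AppxManifest.xml string."""
    return ET.fromstring(manifest_xml).find(f"{{{APPX_NS}}}Identity").get("Publisher")


def check_publisher(manifest_xml, cert_rdns):
    """Pre-flight check: does the manifest Publisher equal the subject string
    the certificate yields? Returns (ok, [mismatch descriptions])."""
    expected = windows_subject(cert_rdns)
    actual = manifest_publisher(manifest_xml)
    if actual == expected:
        return True, []
    problems = []
    if not actual.startswith("CN="):
        problems.append("Publisher must start with CN= (manifest schema requirement)")
    got, want = parse_windows_subject(actual), parse_windows_subject(expected)
    got_keys, want_keys = [k for k, _ in got], [k for k, _ in want]
    if got_keys != want_keys:
        problems.append(f"RDN keys/order differ: manifest {got_keys} vs cert {want_keys}")
    for (gk, gv), (wk, wv) in zip(got, want):
        if gk == wk and gv != wv:
            problems.append(f"{gk}: manifest {gv!r} vs cert {wv!r}")
    problems.append(f"expected Publisher: {expected}")
    return False, problems


# Constructed from the subject Mo quoted, in DER (certificate) order.
MO_CERT_RDNS = [
    ("SERIALNUMBER", "123456-78"), ("C", "US"), ("ST", "STATE"), ("L", "CITY"),
    ("STREET", "Address more address"), ("O", "A Company, INC."), ("CN", "A Company, INC."),
]
# Publisher as Mo wrote it: unquoted commas and O before CN.
MO_PUBLISHER = ("O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, "
                "STREET=Address more address, CN=A Company, INC.")


def sample_manifest(publisher):
    """Minimal constructed manifest. The attribute is single-quoted so embedded
    double quotes survive; in a double-quoted attribute write them as &quot;."""
    return (f'<Package xmlns="{APPX_NS}"><Identity Name="ACompany.App" '
            f"Version=\"1.0.0.0\" Publisher='{publisher}' /></Package>")


if __name__ == "__main__":
    print("expected:", windows_subject(MO_CERT_RDNS))
    for pub in (MO_PUBLISHER, windows_subject(MO_CERT_RDNS)):
        ok, problems = check_publisher(sample_manifest(pub), MO_CERT_RDNS)
        print(ok, *problems, sep="\n  ")
```

Running it prints the Publisher Mo's certificate would need, with both comma-bearing values in double quotes and CN first, and lists why his original string fails (no leading CN=, and the unquoted commas split O and CN into extra bogus RDNs). Whether signtool applies exactly these flags is an assumption on my part; treat the check as a pre-flight and signtool's own comparison as the authority.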

@SahibiMiranshah 

 

Thanks for reply, Sahibi!

 

I understand that the publisher must match the subject. My question or I guess my issue is that I don't know how I should format the publisher in appxmanifest if there are special characters (comma in my case) in it. When I look at my signing cert subject I see this:

SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC.,  CN=A Company, INC.
Notice that there are commas in O and CN values. How would you suggest I should format this in appxmanifest for the Publisher value?

 

Best,

Mo