MSIX Packageing Tool / signtool certificate issues

I signed my code. This is what I did for my package manifest file. So the subject name of the certificate is like this:
CN=ABCD, INC. , O=ABCD, INC., L=Kerrville, ST=Texas, C=US
In Package.manifest file I added like this :

Publisher="CN="ABCD, INC.", O="ABCD, INC.", L=Kerrville, S=Texas, C=US"

I wrapped the attributes having comma in quotes and escaped them . I aslo changed ST to S in package.manifest file. This worked.

TIMOTHY_MANGAN, I tried building the application by omitting O and CN, and then also i got error. It seems ST='Texas' caused. ST is not supported
Reason: 'C=US, ST=Texas, L=Kerrville' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'. The attribute 'Publisher' with value 'C=US, ST=Texas, L=Kerrville' failed to parse.

 When I got the certificate from Digicert ,it was like this

vmaravind07  

I no longer have the comma in the company name, but I remember that when I did, I solved it using an alternate form for the comma. Perhaps Bogdan Mitrache remembers what it was since he told me.

Has anyone found a solution to this? I get the same error when i try to build react native windows app. My certificate also contains special character like this: O=A Company, INC.,  CN=A Company, INC.

Hi Mo_Velayati 

If the certificate subject is
SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC.,  CN=A Company, INC.

then this Publisher should work:

Publisher="SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, O=&quot;A Company, INC.&quot;, CN=&quot;A Company, INC.&quot;"

I just tested signing a package with that exact publisher and a self signed certificate. Things to note:

• The order of the fields is the exact same (without CN at the start)
• ST becomes S
• The O and CN fields are quoted because they include commas

If that doesn't work, you can try using signtool.exe for finding the error (even if you end up using AzureSignTool after figuring it out). There are two things that you can do with signtool for debugging:

• Add the /debug flag. That may help if the issue is with the certificate (e.g. not enabled for signing or expired).
• Set the APPXSIP_LOG environment variable to a value from 1 to 3 depending on how much logging you want. This would tell you if there is a mismatch between the publisher and the certificate subject, and what is the correct value. For example
  

  ERROR: [Appx::Packaging::SipFunctionHelper::VerifyManifestPublisherName] failed because signing certificate subject name (SERIALNUMBER=... <cert's subject>) does not match package manifest publisher (CN=... <package's publisher>)​

You may be able to do something similar with AzureSignTool but I'm not familiar with it.

To do this you would need to have the certificate available in your machine, not in Azure Key Vault (only to debug). You can download your certificate or create a self signed certificate with the same subject. See: Create a certificate for package signing - MSIX | Microsoft Docs. 

SahibiMiranshah 

Thanks for reply, Sahibi!

I understand that the publisher must match the subject. My question or I guess my issue is that I don't know how I should format the publisher in appxmanifest if there are special characters (comma in my case) in it. When I look at my signing cert subject I see this:

SERIALNUMBER=123456-78, C=US, ST=STATE, L=CITY, STREET=Address more address, O=A Company, INC.,  CN=A Company, INC.
Notice that there are commas in O and CN values. How would you suggest I should format this in appxmanifest for the Publisher value?

Best,

Mo

Mo_Velayati 
The subject string in a cert must exactly match the string in the appxmanifest file. There is no workaround for this restriction.
You could either update the appxmanifest Publisher field, for example, 

SahibiMiranshah 

Hi Sahibi,

My cert is on azure key vault and I'm trying to sign directly from the key vault instead of downloading or importing the certificate. That's why I'm use AzureSignTool. 

I tried the powershell scripts you mentioned and all I get is a simple string for the subject name. It doesn't include any of the OIDs meaning it's not in the correct format. So if the publisher for my cert is :
Publisher="O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, CN=A Company, INC."

it would print: A Company, INC.

I am mostly interested to know what I should choose as my Publisher Identity in Packager.appxmanifest so it exactly matches the subject of the certificate. So far I have tried almost every possible way formatting but still no luck. 

I the link you posted here I saw that if there are special characters such as comma in the subject, they have to be inside double quotes. I have tried that as well but I still get the same error saying that it doesn't match the subject.

Any thoughts?

TIMOTHY_MANGAN 
The publisher string entered by you needs to match exactly the string extracted from the cert. This Windows API function documentation lists some of the recommendations in the Remarks section https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks 

To extract the right publisher from your cert subject, you could use the MSIX Packaging Tool's editor to sign a package and see what it puts in the manifest.
Or you could use the following C# code or Powershell commands:

X509Certificate cert = new X509Certificate();
cert.Import(certificatePath, certificatePassword, X509KeyStorageFlags.DefaultKeySet);
string publisher = cert.Subject;

(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 cert.pfx).Subject

Mo_Velayati I am not signing via Azure.  Ultimately they must use a version of signtool, and I suppose it is possible that this might not be the latest.

Your #2 image looks correct to me for the Publisher field.  Assuming you have access to the files from the Ci/CD process, a way to troubleshoot may be to take your unsigned package to a Windows VM and manually signing via the latest signtool and your cert.

Outside of that you'll need Microsoft help.  Maybe tagging jvintzel will get him to forward the thread to someone that can help.

TIMOTHY_MANGAN 

I looked at the signing cert in certmgr just to figure out the order of the attributes and updated Package.appxmanifest based on that and still no luck.

In the attachments you can see that I tried the publisher attribute two different ways and none of them worked. I'm starting to think that there's something wrong with the AzureSignTool. Are you using SignTool.exe with azure key vault? is that possible? My signing cert is in azure key vault. That's why I'm using AzureSignTool instead of SignTool.

Mo

Mo_Velayati I am using signtool.exe from the windows SDK from a script directly.

Attached image is an example of the identity portion of a manifest I recently signed, and another of the subject field as seen in the certificate manager (NOTE: certmgr doesn't display it in the correct form as in the cert file, but you can see the order).

Commas were not actually my issue, including the complete certificate subject in the Publisher field was. 

The reference schema (ManifestTypes) for the manifest file is what imposes restrictions on what what is allowed in the Publisher field, and that is where the requirement that it start with CN= comes from.  SignTool is what imposes the matching between this publisher field and the subject field of the cert.

TIMOTHY_MANGAN 

Thanks Tim,

I'll try changing the order.

What tool do you use to sign your msix package?

And in the earlier reply where you mentioned that the key was to mention the string in quotation marks, what do you mean by the string? Do you mean the entire publisher value or the value for CN?

-Mo

Mo_Velayati The big issue I see with your example is that the Publisher field must start with the characters "CN=", and as that field must exactly match the subject field on the certificate, there probably is no way to sign with that cert.

That said, I'm not working with the Azure signing service and haven't since they changed it.  But likely the underlying cause of your issue is the order of things in the cert.

Tim

TIMOTHY_MANGAN 

Hi Timothy,

I am using AzureSignTool and although I have tried everything with regards to the Publisher attribute, I still can't get it to work.

To give you more details:

I have "," characters in CN and O so the publisher attribute for me is something like this:
Publisher="O=A Company, INC., SERIALNUMBER=123456-78, C=US, S=STATE, L=CITY, STREET=Address more address, CN=A Company, INC."

I have tried putting the CN and O values in doable quotes, triple quotes, single quotes but nothing worked. Every time it's either the Package.appxmanifest file that complains about the value of the publisher not following the pattern or it's the azure pipeline that says the publisher doesn't match the signing cert.

The other issue is that in the signing cert, the state is written like ST=STATE but my package.appxmanifest pattern only accepts S=STATE.

I'm not sure what is exactly causing this issue but I've been trying for almost 3 weeks and nothing has worked so far.

Do you have any ideas?