Forum Discussion
MSIX Packaging Tool / signtool certificate issues
1) I have a valid (paid for) code signing certificate from a well-known CA that has a password, so I can't use the in-tool signing (which is something you should support!).
The 17134 SDK is present. So I pulled the command out of the log file and modified as follows (but with the proper password):
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\signtool.exe" sign /a /v /debug /fd SHA256 /f "C:\Users\Admin\Desktop\strongname.pfx" /p "xxxThePasswordxxx" "C:\Users\Admin\Desktop\TMEdit\Setup_TMEdit.msix"
Which fails. The relevant output being:
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: TMurgent Technologies, LLP
Issued by: COMODO RSA Code Signing CA
Expires: Mon Jun 21 19:59:59 2021
SHA1 hash: A5CD580A89C438FB9B87753BB05F383560EB366F
The following additional certificates will be attached:
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 19:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
25 Replies
- Bogdan Mitrache (Iron Contributor): Hi Tim, According to MSFT docs, comma (",") is a reserved character that must be escaped, as shown in their examples from the linked article. It seems that using "\," is still not considered correct by the GUI of MSIX packaging tool, but it does not complain when using the hex value for comma, i.e. "CN=TMurgent Technologies \2C LLP".
 I don't have a test certificate at hand with a comma in the publisher name to fully test it, but according to their docs it should work.
- Thanks Bogdan - I'll give that a try.
- Escaping in the dialog box as Bogdan suggested does indeed work.
- But the GUI of the tool should just accept the comma and escape it behind the scenes.
- In addition, when there is documentation on all of this, the documentation should be clear about what to include in this field. There will be confusion on whether OU= parts should be included. Just make it clear in the documentation, especially for people that don't deal in certificates regularly.
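The escaping discussed above, as an added Python example that is not from the thread or from the MSIX Packaging Tool: it hex-escapes reserved characters in a subject value and parses a DN string, rejecting an unescaped comma. It assumes RFC 4514 escaping rules and ASCII-only values; all function names are hypothetical.

```python
import re

SPECIALS = '",+;<>\\'  # RFC 4514 characters that need escaping in a value

def escape_value(value):
    """Hex-escape special characters, e.g. ',' becomes \\2C (ASCII only)."""
    out = []
    for i, ch in enumerate(value):
        edge = i in (0, len(value) - 1)
        if ch in SPECIALS or (ch == " " and edge) or (ch == "#" and i == 0):
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_publisher(rdns):
    """Join (attribute, value) pairs into one escaped DN string."""
    return ", ".join(f"{a}={escape_value(v)}" for a, v in rdns)

def _tokens(dn):
    """Yield (char, was_escaped), decoding both \\, and \\2C style escapes."""
    i = 0
    while i < len(dn):
        pair = dn[i + 1:i + 3]
        if dn[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            yield chr(int(pair, 16)), True
            i += 3
        elif dn[i] == "\\" and i + 1 < len(dn):
            yield dn[i + 1], True
            i += 2
        else:
            yield dn[i], False
            i += 1

def parse_dn(dn):
    """Split a DN on unescaped commas; raise ValueError if a part has no '='."""
    rdns, cur = [], []
    for tok in list(_tokens(dn)) + [(",", False)]:
        if tok != (",", False):
            cur.append(tok)
            continue
        if ("=", False) not in cur:
            raise ValueError("unescaped comma or missing '=' in %r" % dn)
        eq = cur.index(("=", False))
        attr = "".join(c for c, _ in cur[:eq]).strip().upper()
        rdns.append((attr, "".join(c for c, _ in cur[eq + 1:])))
        cur = []
    return rdns
```

Comparing `parse_dn()` of the certificate subject with `parse_dn()` of the publisher string shows whether the two name the same subject regardless of which escape form was typed.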
 
 
- Johannes Freundorfer (Copper Contributor): Hi Timothy, just to clarify: This is the structure of my PKI: CN=Johannes Freundorfer, OU=MyCustomOU, OU=MyOrg, DC=MyDomain, DC=dom. Applied to your case: is "TMurgent Technologies, LLP" really your explicit Subject name (including the "," character)? My current best guess is that this can't match the schema.