Tech Community Live: Windows edition
Jun 05 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

Signtool cannot sign msix file produced by dotnet publish

Copper Contributor

Used dotnet publish to generate a msix package (from Blazor MAUI project). During the process, dotnet has signed the msix file using our EV certificate, but it did not time-stamp it. So we’ve decided to re-sign it using signtool from Win SDK latest version 10.0.22621.0. However, the signtool reports an error:


SignTool Error: This file format cannot be signed because it is not recognized.


Using the same options to sign a regular msi file (from another project) produces no error.

Here is the complete command line used to sign both msix and msi (with the /sha1 thumbprint truncated for privacy):


“C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe” sign /a /sha1 e392… /tr /fd sha256 /td sha256 /d “test” /du “Q:\test-x64.msix”

4 Replies
Please check the event log (Microsoft\Windows\AppXPackagingOM for example) for possible detail error messages.
Checked the logs, did not see anything of relevance there.

I just tied it again with a fresh new .NET MAUI Blazor project, generated by Visual Studio, and used the Visual Studio Publish command (instead of dotnet publish), and the result was the same: signtool could not sign the MSIX file it produced. I believe it's a problem with signtool.

Hi @AndreiBel 
To diagnose this issue accurately, please attach the logs or share the error code that the SignTool is generating. 
While signing an MSI and an MSIX package share some similarities, they are different. Please verify that the certificate meets requirements for signing MSIXSee here.

Fiza Azmi

It does not show any error code, it only shows the text " This file format cannot be signed because it is not recognized.".

Here the whole output produced:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /a /sha1 e392... /tr /fd sha256 /td sha256 /d "Test" /du "E:\BlazerPublish\BlazorMauiApp1_1.0.3.0_Test\BlazorMauiApp1_1.0.3.0_x64.msix"
Done Adding Additional Store
SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: E:\BlazerPublish\BlazorMauiApp1_1.0.3.0_Test\BlazorMauiApp1_1.0.3.0_x64.msix

It does not add anything to the log record under Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational

Our certificate is EV code signing one. We use it to sign EXEs, DLLs, SYSs, MSIs with no problem. Only MSIX files cannot be signed.

Here is how to easily reproduce this error:

1. Use Visual Studio 2022 to create a fresh new project based on the template .NET Blazor MAUI Application.

2. Use the Publish command with the side-loading option to make it generate an MSIX file.

3. Attempt to use the signtool as in our example to sign the MSIX file.

4. Observe the error.