
Signtool cannot sign msix file produced by dotnet publish


Used dotnet publish to generate an msix package (from a Blazor MAUI project). During the process, dotnet has signed the msix file using our EV certificate, but it did not time-stamp it. So we’ve decided to re-sign it using signtool from Win SDK latest version 10.0.22621.0. However, the signtool reports an error:

 

SignTool Error: This file format cannot be signed because it is not recognized.

 

Using the same options to sign a regular msi file (from another project) produces no error.

Here is the complete command line used to sign both msix and msi (with the /sha1 thumbprint truncated for privacy):

 

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /a /sha1 e392… /tr http://timestamp.digicert.com /fd sha256 /td sha256 /d "test" /du http://www.winability.com "Q:\test-x64.msix"

4 Replies
Please check the event log (Microsoft\Windows\AppXPackagingOM for example) for possible detail error messages.
Checked the logs, did not see anything of relevance there.

I just tried it again with a fresh new .NET MAUI Blazor project, generated by Visual Studio, and used the Visual Studio Publish command (instead of dotnet publish), and the result was the same: signtool could not sign the MSIX file it produced. I believe it's a problem with signtool.

Hi @AndreiBel 
To diagnose this issue accurately, please attach the logs or share the error code that the SignTool is generating. 
While signing an MSI and an MSIX package share some similarities, they are different. Please verify that the certificate meets requirements for signing MSIX. See here.


Thanks,
Fiza Azmi
PM, MSIX 

It does not show any error code, it only shows the text " This file format cannot be signed because it is not recognized.".

Here is the whole output produced:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /a /sha1 e392... /tr http://timestamp.digicert.com /fd sha256 /td sha256 /d "Test" /du http://www.winability.com "E:\BlazerPublish\BlazorMauiApp1_1.0.3.0_Test\BlazorMauiApp1_1.0.3.0_x64.msix"
Done Adding Additional Store
SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: E:\BlazerPublish\BlazorMauiApp1_1.0.3.0_Test\BlazorMauiApp1_1.0.3.0_x64.msix

It does not add anything to the log record under Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational

Our certificate is an EV code signing one. We use it to sign EXEs, DLLs, SYSs, MSIs with no problem. Only MSIX files cannot be signed.

Here is how to easily reproduce this error:

1. Use Visual Studio 2022 to create a fresh new project based on the template .NET Blazor MAUI Application.

2. Use the Publish command with the side-loading option to make it generate an MSIX file.

3. Attempt to use the signtool as in our example to sign the MSIX file.

4. Observe the error.
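
A triage sketch for the checks raised in the replies above, added here as an example and not taken from the thread or from Microsoft's tooling: it opens the package as the ZIP container an MSIX is, reports whether an `AppxSignature.p7x` from the earlier signing pass is present, and compares the manifest's `Identity Publisher` with the certificate subject. The function names, the sample subject and the in-memory sample package are constructed for illustration, and the exact-string comparison assumes you supply the subject in the same form the manifest uses.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the <Package>/<Identity> elements in AppxManifest.xml.
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

def inspect_msix(data, cert_subject):
    """Return a triage report for an MSIX package supplied as bytes."""
    report = {"is_zip": False, "has_manifest": False, "has_blockmap": False,
              "signed": False, "p7x_magic_ok": False,
              "publisher": None, "publisher_matches": False}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return report  # not a ZIP container, so not a readable package
    report["is_zip"] = True
    with zipfile.ZipFile(buf) as z:
        names = set(z.namelist())
        report["has_manifest"] = "AppxManifest.xml" in names
        report["has_blockmap"] = "AppxBlockMap.xml" in names
        if "AppxSignature.p7x" in names:  # present only in a signed package
            report["signed"] = True
            report["p7x_magic_ok"] = z.read("AppxSignature.p7x")[:4] == b"PKCX"
        if report["has_manifest"]:
            ident = ET.fromstring(z.read("AppxManifest.xml")).find("m:Identity", NS)
            if ident is not None:
                report["publisher"] = ident.get("Publisher")
                # Assumption: strict string equality with the supplied subject.
                report["publisher_matches"] = report["publisher"] == cert_subject
    return report

def build_sample(publisher, signed):
    """Constructed sample: a minimal ZIP laid out like an MSIX (not installable)."""
    manifest = ('<?xml version="1.0" encoding="utf-8"?>'
                '<Package xmlns="%s"><Identity Name="Sample.App" Publisher="%s" '
                'Version="1.0.3.0" ProcessorArchitecture="x64"/></Package>'
                % (NS["m"], publisher))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest.encode("utf-8"))
        z.writestr("AppxBlockMap.xml", b"<BlockMap/>")
        if signed:
            z.writestr("AppxSignature.p7x", b"PKCX" + b"\x30\x82")  # magic + placeholder
    return buf.getvalue()

if __name__ == "__main__":
    subject = "CN=Example Corp, O=Example Corp, C=US"  # constructed subject
    print(inspect_msix(build_sample(subject, signed=True), subject))
```

For a real package, pass `open(path, "rb").read()` and the subject string of the signing certificate; the report narrows down whether the file is a readable package before looking at signtool itself.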