Forum Discussion

leecroucher's avatar
leecroucher
Copper Contributor
May 17, 2022
Solved

signtool cannot sign MSIX files from HSM certificate

I am unable to sign code from signtool.exe using a hardware key provider with this error: .\signtool.exe sign /fd SHA256 /t http://timestamp.entrust.net/rfc3161ts2 "c:\code\notepad_x64.msix" Do...
  • leecroucher's avatar
    leecroucher
    Jun 02, 2022
    This group is miles of.....

    https://www.a6n.co.uk/2022/05/msix-update-signing-code-with-timestamp.html

    You need the signtool from Windows 11 and the CN= of the package needs to match the CN= of the certificate
mridulgupta's avatar
mridulgupta
Former Employee
May 19, 2022
When using SignTool to sign your app package or bundle, the hash algorithm used in SignTool must be the same algorithm you used to package your app. To find out which hash algorithm was used while packaging your app, extract the contents of the app package and inspect the AppxBlockMap.xml file.
leecroucher's avatar
leecroucher
Copper Contributor
May 19, 2022

mridulgupta Checked that file and its SHA256

 

HashMethod="http://www.w3.org/2001/04/xmlenc#sha256

 

Exactly the same hash algorithm as the command used in Signtool so its not that?

  • mridulgupta's avatar
    mridulgupta
    Former Employee
    May 26, 2022

    leecroucher Please check the version of the sign tool and the subject of the certificate, if that matches to the publisher in the manifest. If it doesn't match, use this script to sign the package. 

Resources