SOLVED

signtool cannot sign MSIX files from HSM certificate

%3CLINGO-SUB%20id%3D%22lingo-sub-3387118%22%20slang%3D%22en-US%22%3Esigntool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3387118%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20unable%20to%20sign%20code%20from%20signtool.exe%20using%20a%20hardware%20key%20provider%20with%20this%20error%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E.%5Csigntool.exe%20sign%20%2Ffd%20SHA256%20%2Ft%20%3CA%20href%3D%22http%3A%2F%2Ftimestamp.entrust.net%2Frfc3161ts2%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Ftimestamp.entrust.net%2Frfc3161ts2%3C%2FA%3E%20%22c%3A%5Ccode%5Cnotepad_x64.msix%22%3CBR%20%2F%3EDone%20Adding%20Additional%20Store%3CBR%20%2F%3E%3CSTRONG%3ESignTool%20Error%3A%20This%20file%20format%20cannot%20be%20signed%20because%20it%20is%20not%20recognized.%3C%2FSTRONG%3E%3CBR%20%2F%3ESignTool%20Error%3A%20An%20error%20occurred%20while%20attempting%20to%20sign%3A%20c%3A%5Ccode%5Cnotepad_x64.msix%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3ENumber%20of%20errors%3A%201%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20do%20MSIX%20files%20do%20not%20sign%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3393670%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3393670%22%20slang%3D%22en-US%22%3ETry%20using%20a%20newer%20version%20of%20SignTool.%20I%20vaguely%20remember%20a%20customer%20hitting%20the%20same%20problem%20last%20year%20because%20he%20was%20using%20an%20older%20version.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3393705%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3393705%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F147865%22%20target%3D%22_blank%22%3E%40Bogdan%20Mitrache%3C%2FA%3E%26nbsp%3B-%26nbsp%3BI%20am%20using%20the%20Windows%2011%20SDK%2C%20the%20latest%20version%20-%20Same%20error%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3401980%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3401980%22%20slang%3D%22en-US%22%3EWhen%20using%20SignTool%20to%20sign%20your%20app%20package%20or%20bundle%2C%20the%20hash%20algorithm%20used%20in%20SignTool%20must%20be%20the%20same%20algorithm%20you%20used%20to%20package%20your%20app.%20To%20find%20out%20which%20hash%20algorithm%20was%20used%20while%20packaging%20your%20app%2C%20extract%20the%20contents%20of%20the%20app%20package%20and%20inspect%20the%20AppxBlockMap.xml%20file.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3402191%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3402191%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1206531%22%20target%3D%22_blank%22%3E%40mridulgupta%3C%2FA%3E%26nbsp%3BChecked%20that%20file%20and%20its%20SHA256%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHashMethod%3D%22%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmlenc%23sha256%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmlenc%23sha256%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExactly%20the%20same%20hash%20algorithm%20as%20the%20command%20used%20in%20Signtool%20so%20its%20not%20that%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3435144%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3435144%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1392537%22%20target%3D%22_blank%22%3E%40leecroucher%3C%2FA%3E%26nbsp%3BPlease%20check%20the%20version%20of%20the%20sign%20tool%20and%26nbsp%3Bthe%20subject%20of%20the%20certificate%2C%20if%20that%20matches%20to%20the%20publisher%20in%20the%20manifest.%20If%20it%20doesn't%20match%2C%20use%20this%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMSIX-Toolkit%2Ftree%2Fmaster%2FScripts%2FModifyPackagePublisher%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Escript%3C%2FA%3E%20to%20sign%20the%20package.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3458313%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3458313%22%20slang%3D%22en-US%22%3EThe%20error%20may%20also%20occur%20if%20the%20MSIX%20you%20are%20trying%20to%20package%20is%20corrupt.%20Can%20you%20please%20try%20with%20another%20MSIX%20package%20and%20see%20if%20it%20fails%20as%20well%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3459446%22%20slang%3D%22en-US%22%3ERe%3A%20signtool%20cannot%20sign%20MSIX%20files%20from%20HSM%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3459446%22%20slang%3D%22en-US%22%3EThis%20group%20is%20miles%20of.....%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.a6n.co.uk%2F2022%2F05%2Fmsix-update-signing-code-with-timestamp.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.a6n.co.uk%2F2022%2F05%2Fmsix-update-signing-code-with-timestamp.html%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20need%20the%20signtool%20from%20Windows%2011%20and%20the%20CN%3D%20of%20the%20package%20needs%20to%20match%20the%20CN%3D%20of%20the%20certificate%3C%2FLINGO-BODY%3E
New Contributor

I am unable to sign code from signtool.exe using a hardware key provider with this error:

.\signtool.exe sign /fd SHA256 /t http://timestamp.entrust.net/rfc3161ts2 "c:\code\notepad_x64.msix"
Done Adding Additional Store
SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: c:\code\notepad_x64.msix

Number of errors: 1

 

Why do MSIX files do not sign?

7 Replies
Try using a newer version of SignTool. I vaguely remember a customer hitting the same problem last year because he was using an older version.

@Bogdan Mitrache - I am using the Windows 11 SDK, the latest version - Same error

When using SignTool to sign your app package or bundle, the hash algorithm used in SignTool must be the same algorithm you used to package your app. To find out which hash algorithm was used while packaging your app, extract the contents of the app package and inspect the AppxBlockMap.xml file.

@mridulgupta Checked that file and its SHA256

 

HashMethod="http://www.w3.org/2001/04/xmlenc#sha256

 

Exactly the same hash algorithm as the command used in Signtool so its not that?

@leecroucher Please check the version of the sign tool and the subject of the certificate, if that matches to the publisher in the manifest. If it doesn't match, use this script to sign the package. 

The error may also occur if the MSIX you are trying to package is corrupt. Can you please try with another MSIX package and see if it fails as well?
best response confirmed by leecroucher (New Contributor)
Solution
This group is miles of.....

https://www.a6n.co.uk/2022/05/msix-update-signing-code-with-timestamp.html

You need the signtool from Windows 11 and the CN= of the package needs to match the CN= of the certificate