EDIT
Event log error was this:
error 0x8007000B: The app manifest publisher name (CN=...)
must match the subject name of the signing certificate
(CN={19BE29DF-4812-4F2E-8FC1-A138B146946A}).
The command below now seems to work. So either user error on my part that I cannot identify or something hinky with the state of machine when I was seeing this. That guid associated with the signing cert in the event log message is not what the cert shows in the Certificate Manager snap-in, which is weird.
Original Question
I am attempting to sign a UWP appx package that was generated using MakeAppx.exe
. The pfx is a developer code signing certificate generated with these commands from https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-manual-conversion.
C:\> MakeCert.exe -r -h 0 -n "CN=<publisher_name>" -eku 1.3.6.1.5.5.7.3.3 -pe -sv <my.pvk> <my.cer>
C:\> pvk2pfx.exe -pvk <my.pvk> -spc <my.cer> -pfx <my.pfx>
The private key is in my trusted root cert store and worked when I generated an appx from an installer using the Desktop App Converter.
The command line I am using is:
signtool.exe sign -f <path to my pfx file> -fd SHA256 -v .\FishTank.appx
but SignTool
is erroring with this:
The following certificate was selected:
Issued to: ...
Issued by: ...
Expires: Sat Dec 31 18:59:59 2039
SHA1 hash: ...
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)
The certificate publisher matches what is in the appmanifest.xml
<?xml version="1.0" encoding="utf-8"?>
<Package
xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
<Identity Name="..."
ProcessorArchitecture="x64"
Publisher="CN=..."
Version="1.1.0.0" />
<Properties>
<DisplayName>Fish Tank</DisplayName>
<PublisherDisplayName>Reserved</PublisherDisplayName>
<Description>Some fish. Swimming around on your screen.</Description>
<Logo>StoreLogo.png</Logo>
</Properties>
<Resources>
<Resource Language="en-us" />
</Resources>
<Dependencies>
<TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14316.0" MaxVersionTested="10.0.14316.0" />
</Dependencies>
<Capabilities>
<rescap:Capability Name="runFullTrust"/>
</Capabilities>
<Applications>
<Application Id="FishTank" Executable="FishTank.exe" EntryPoint="Windows.FullTrustApplication">
<uap:VisualElements
BackgroundColor="#464646"
DisplayName="Fish Tank"
Square150x150Logo="Square150x150Logo.png"
Square44x44Logo="Square44x44Logo.png"
Description="Some fish. Swimming around on your screen." />
</Application>
</Applications>
</Package>
Just like answered here (though for a different error code) - you have to make sure that the Publisher name (in the AppxManifest.xml file) is the same as the certificate's publisher.
For more information, see here (in the bottom "Remarks" section).
The MakeCert /n argument has to be the full Publisher string from your xml.
User contributions licensed under CC BY-SA 3.0