UWP appx package Signtool "Error: SignerSign() failed." (-2147024885/0x8007000b)

14

EDIT

Event log error was this:

    error 0x8007000B: The app manifest publisher name (CN=...) 
must match the subject name of the signing certificate 
(CN={19BE29DF-4812-4F2E-8FC1-A138B146946A}).

The command below now seems to work. So either user error on my part that I cannot identify or something hinky with the state of machine when I was seeing this. That guid associated with the signing cert in the event log message is not what the cert shows in the Certificate Manager snap-in, which is weird.

Original Question

I am attempting to sign a UWP appx package that was generated using MakeAppx.exe. The pfx is a developer code signing certificate generated with these commands from https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-manual-conversion.

C:\> MakeCert.exe -r -h 0 -n "CN=<publisher_name>" -eku 1.3.6.1.5.5.7.3.3 -pe -sv <my.pvk> <my.cer>
C:\> pvk2pfx.exe -pvk <my.pvk> -spc <my.cer> -pfx <my.pfx>

The private key is in my trusted root cert store and worked when I generated an appx from an installer using the Desktop App Converter.

The command line I am using is:

signtool.exe sign -f <path to my pfx file> -fd SHA256 -v .\FishTank.appx

but SignTool is erroring with this:

The following certificate was selected:
    Issued to: ...
    Issued by: ...
    Expires:   Sat Dec 31 18:59:59 2039
    SHA1 hash: ...

Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

The certificate publisher matches what is in the appmanifest.xml

<?xml version="1.0" encoding="utf-8"?>
<Package
   xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
   xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
   xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="..."
    ProcessorArchitecture="x64"
    Publisher="CN=..."
    Version="1.1.0.0" />
  <Properties>
    <DisplayName>Fish Tank</DisplayName>
    <PublisherDisplayName>Reserved</PublisherDisplayName>
    <Description>Some fish. Swimming around on your screen.</Description>
    <Logo>StoreLogo.png</Logo>
  </Properties>
  <Resources>
    <Resource Language="en-us" />
  </Resources>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14316.0" MaxVersionTested="10.0.14316.0" />
  </Dependencies>
  <Capabilities>
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
  <Applications>
    <Application Id="FishTank" Executable="FishTank.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements
       BackgroundColor="#464646"
       DisplayName="Fish Tank"
       Square150x150Logo="Square150x150Logo.png"
       Square44x44Logo="Square44x44Logo.png"
       Description="Some fish. Swimming around on your screen." />
    </Application>
  </Applications>
</Package>
windows-store-apps
signtool
appx
desktop-bridge
desktop-app-converter
asked on Stack Overflow May 27, 2016 by dkackman • edited Apr 26, 2019 by StayOnTarget

2 Answers

13

Just like answered here (though for a different error code) - you have to make sure that the Publisher name (in the AppxManifest.xml file) is the same as the certificate's publisher.

For more information, see here (in the bottom "Remarks" section).

answered on Stack Overflow Jul 24, 2017 by Yoav Feuerstein
0

The MakeCert /n argument has to be the full Publisher string from your xml.

answered on Stack Overflow Apr 13, 2018 by M1SMR

User contributions licensed under CC BY-SA 3.0