What is the structure of AppxSignature.p7x?
Universal Windows apps are in .appx file, which is simply a zip of a bunch of files and metadata. Most of the metadata files are extensively documented on the Microsoft website and are trivial to parse and/or regenerate. However AppxSignature.p7x remains a mystery.
From this diagram (source):
AppxSignature.p7x should have hashes of the AppxBlockMap.xml, content & directory hashes, and a signature. However I cannot find any documentation of the AppxSignature.p7x file itself. Ideally I would like to use an alternative tool to produce and verify this signature, e.g. openssl/gnutls or similar. A practical use for this is to update and repackage apps on Linux, and prepare .appxupload file for the Windows Store.
As described in the blog post you link to, the AppxBlockMap.xml file stores cryptographic block hashes for every file in the package. This file is verified and secured with a digital signature when the package is signed using authenticode.
So, on windows, you have two tools:
- MakeAppx.exe that creates the package (.zip format) and the blockmap file at the same time. This is important, as what's in the block map corresponds closely to the .zip file bits, you can't just any zipping tool for this step, you must program the zip/app package creation using some ZIP API.
- SignTool.exe that adds the signature to the package using "standard" authenticode.
With the Windows API you can do the same as MakeAppx using the Packaging API and you can do the same as SignTool using The SignerSign function.
The whole MakeAppx process is not documented IMHO, but the blockmap schema is in fact described here: Package block map schema reference which is relatively easy to understand.
The Authenticode signature for PE document is documented here: Windows Authenticode Portable Executable Signature Format
But it's only for PE (.dll, .exe, etc.) files (note it's also possible to sign .CAB files), and I don't think how SignerSign builds AppxSignature.p7x is documented. However, there is an open source tool here that does it here: https://github.com/facebook/fb-util-for-appx. You will notice this file https://github.com/facebook/fb-util-for-appx/blob/master/PrivateHeaders/APPX/Sign.h that declares what should be used as input for signing. I have no idea where they got that information.
- Find Task-Manager Description Column from CMD?
- How do I find out which process is listening on a TCP or UDP port on Windows?
- WINMAIN and main() in C++ (Extended)
- How to install ripgrep on Windows?
- CryptographicException: Access denied - How to give access on User store?
- How to set the UDP packet reassembly timeout in Windows 10
- Unable to create Symlink - cannot create a file when that file already exists
- How can I open a cmd window in a specific location?
- When running flutter app on window it show following error
- Can I use NotifyIcon in WPF?
- Python: How to open a folder on Windows Explorer(Python 3.6.2, Windows 10)
- ANSI In Terminal (Windows 10)
- How to get "valid data length" of a file?
- Check CMake version using python
- How do I update golang from command prompt on Windows?
- in powershell, set affinity in start-process
- Crypto++ library link error using Visual Studio 2017
- Limit python script RAM usage in Windows
- Powershell script throws error (80040154 Class not registered) only when it is executed from codedeploy, Why?
- How to change default scheduled task process priority in Windows
- How can I tile horizontally certain windows programmatically?
- C# get good color for label
- install gitlab on Windows with Docker
- Faking an RS232 Serial Port
- Rename all files in a directory with a Windows batch script
- An attempt was made to load a program with an incorrect format. VS2022 Service-based database
- How to set adminstrator privilege using manifest for Windows 10?
- Is it possible to modify a registry entry via a .bat/.cmd script?
- Quasar dev PSSecurityException
- How do I add a gzip command to Windows CMD?