windows-store-appssigntoolappxdesktop-bridgedesktop-app-converter

UWP appx package Signtool "Error: SignerSign() failed." (-2147024885/0x8007000b)


EDIT

Event log error was this:

    error 0x8007000B: The app manifest publisher name (CN=...) 
must match the subject name of the signing certificate 
(CN={19BE29DF-4812-4F2E-8FC1-A138B146946A}).

The command below now seems to work. So either user error on my part that I cannot identify or something hinky with the state of machine when I was seeing this. That guid associated with the signing cert in the event log message is not what the cert shows in the Certificate Manager snap-in, which is weird.

Original Question

I am attempting to sign a UWP appx package that was generated using MakeAppx.exe. The pfx is a developer code signing certificate generated with these commands from https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-manual-conversion.

C:\> MakeCert.exe -r -h 0 -n "CN=<publisher_name>" -eku 1.3.6.1.5.5.7.3.3 -pe -sv <my.pvk> <my.cer>
C:\> pvk2pfx.exe -pvk <my.pvk> -spc <my.cer> -pfx <my.pfx>

The private key is in my trusted root cert store and worked when I generated an appx from an installer using the Desktop App Converter.

The command line I am using is:

signtool.exe sign -f <path to my pfx file> -fd SHA256 -v .\FishTank.appx

but SignTool is erroring with this:

The following certificate was selected:
    Issued to: ...
    Issued by: ...
    Expires:   Sat Dec 31 18:59:59 2039
    SHA1 hash: ...

Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

The certificate publisher matches what is in the appmanifest.xml

<?xml version="1.0" encoding="utf-8"?>
<Package
   xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
   xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
   xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="..."
    ProcessorArchitecture="x64"
    Publisher="CN=..."
    Version="1.1.0.0" />
  <Properties>
    <DisplayName>Fish Tank</DisplayName>
    <PublisherDisplayName>Reserved</PublisherDisplayName>
    <Description>Some fish. Swimming around on your screen.</Description>
    <Logo>StoreLogo.png</Logo>
  </Properties>
  <Resources>
    <Resource Language="en-us" />
  </Resources>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14316.0" MaxVersionTested="10.0.14316.0" />
  </Dependencies>
  <Capabilities>
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
  <Applications>
    <Application Id="FishTank" Executable="FishTank.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements
       BackgroundColor="#464646"
       DisplayName="Fish Tank"
       Square150x150Logo="Square150x150Logo.png"
       Square44x44Logo="Square44x44Logo.png"
       Description="Some fish. Swimming around on your screen." />
    </Application>
  </Applications>
</Package>

Solution

  • Just like answered here (though for a different error code) - you have to make sure that the Publisher name (in the AppxManifest.xml file) is the same as the certificate's publisher.

    For more information, see here (in the bottom "Remarks" section).