EDIT
Event log error was this:
error 0x8007000B: The app manifest publisher name (CN=...)
must match the subject name of the signing certificate
(CN={19BE29DF-4812-4F2E-8FC1-A138B146946A}).
The command below now seems to work. So either user error on my part that I cannot identify or something hinky with the state of machine when I was seeing this. That guid associated with the signing cert in the event log message is not what the cert shows in the Certificate Manager snap-in, which is weird.
Original Question
I am attempting to sign a UWP appx package that was generated using MakeAppx.exe
. The pfx is a developer code signing certificate generated with these commands from https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-manual-conversion.
C:\> MakeCert.exe -r -h 0 -n "CN=<publisher_name>" -eku 1.3.6.1.5.5.7.3.3 -pe -sv <my.pvk> <my.cer>
C:\> pvk2pfx.exe -pvk <my.pvk> -spc <my.cer> -pfx <my.pfx>
The private key is in my trusted root cert store and worked when I generated an appx from an installer using the Desktop App Converter.
The command line I am using is:
signtool.exe sign -f <path to my pfx file> -fd SHA256 -v .\FishTank.appx
but SignTool
is erroring with this:
The following certificate was selected:
Issued to: ...
Issued by: ...
Expires: Sat Dec 31 18:59:59 2039
SHA1 hash: ...
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)
The certificate publisher matches what is in the appmanifest.xml
<?xml version="1.0" encoding="utf-8"?>
<Package
xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
<Identity Name="..."
ProcessorArchitecture="x64"
Publisher="CN=..."
Version="1.1.0.0" />
<Properties>
<DisplayName>Fish Tank</DisplayName>
<PublisherDisplayName>Reserved</PublisherDisplayName>
<Description>Some fish. Swimming around on your screen.</Description>
<Logo>StoreLogo.png</Logo>
</Properties>
<Resources>
<Resource Language="en-us" />
</Resources>
<Dependencies>
<TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14316.0" MaxVersionTested="10.0.14316.0" />
</Dependencies>
<Capabilities>
<rescap:Capability Name="runFullTrust"/>
</Capabilities>
<Applications>
<Application Id="FishTank" Executable="FishTank.exe" EntryPoint="Windows.FullTrustApplication">
<uap:VisualElements
BackgroundColor="#464646"
DisplayName="Fish Tank"
Square150x150Logo="Square150x150Logo.png"
Square44x44Logo="Square44x44Logo.png"
Description="Some fish. Swimming around on your screen." />
</Application>
</Applications>
</Package>
Just like answered here (though for a different error code) - you have to make sure that the Publisher name (in the AppxManifest.xml file) is the same as the certificate's publisher.
For more information, see here (in the bottom "Remarks" section).