visual-studio-2022.net-8.0signtoolmsixsmctl

SignTool Error: This file format cannot be signed because it is not recognized - Maui .net8

After publishing the default .net8 maui app from Visual Studio for Windows, i am not able to sign the resulting .msix package and get this error:

SignTool Error: This file format cannot be signed because it is not recognized

The business decided not to give out cert files to developers, so i have to use the Digicert Keylocker platform tools to sign my applications.

The smctl tool is getting called with this command:

smctl sign --keypair-alias=key_123456789 -d=SHA256 --verbose --config-file "e:\TEMP\certing\pkcs11properties.cfg" --input "e:\TEMP\package\testApp.msix"

The resulting signtool command from the smctl tool is:

signtool sign /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 /csp "DigiCert Signing Manager KSP" /kc "key_123456789" /f "C:\Users\MyUserName\AppData\Local\Temp\1122334455\key_123456789_certificate.pem" "e:\TEMP\package\testApp.msix"

Signing of some other .exe files working fine.

I don't know how to investigate the problem or workaround. i hope you can help me out!

Visual Studio 2022 17.9.6

Signtool from Windows Kit Version is 10.0.22621.2428

Windows 10 22H2 (Build 19045.4355)

.net 8.0.4

Solution

  • EDIT My first success was publishing for x86 architecture, manipulating the AppXManifest.xml, repacking and use of signtool from exact same folder as the makeappx tool - see my original answer below.

    After setting the Identity/Publisher string in the package.appxmanifest file correctly (wasn't able to do this with visual studio, but with external texteditor), the generated .msix could be signed without further manipulation (also the x64 build).

    MY OLD ANSWER

    I finally found a workaround:

    1. publish the app with visual studio for x86 architecture

    2. unpack with makeappx.exe from Windows SDK App Certification Kit: makeappx.exe unpack /p e:\TEMP\package\testApp.msix /d "e:\temp\package\unpacked

    3. Edit AppxManifest.xml to match the certificate's subject

    4. repack with makeappx.exe from Windows SDK App Certification Kit: makeappx.exe pack /p e:\TEMP\package\testApp.msix /d "e:\temp\package\unpacked

    5. rename to .appx

    6. set path environment variable to the Windows SDK App Certification Kit folder

    7. assure that path variable is taking effect (re-login to windows)

    8. .appx will get successfully signed from the digicert keylocker tools

    For me it was the most important step to set the path environment variable to the same location as the makeappx.exe was, so that the DigiCert Keylocker tools use the signtool.exe from the exact same location as the makeappx.exe used for packing. Also with same version (10.0.22621.2428) of signtool installed in other folder the signation was not successful.

    I wasn't able yet to sign a x64 build of my app (i will update here, if i may find a way).

    @Emmanuel: Thank you very much for sharing your tool. Maybe i will try it next time i got problems with signing.