I'm getting this error when trying to use SignTool to sign my msix file.
I've verified I have Trusted Signing Certificate Profile Signer role assigned in Azure.
I also verified the publisher name of the AppxManifest.xml in the msix matches my certificate profile.
CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA
Following this procedure: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations
& "C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\test\metadata.json" "C:\temp\test\my-app_1.0.128.0_x64.msix"
Trusted Signing
Version: 1.0.53
"Metadata": {
  "Endpoint": "https://wus2.codesigning.azure.net",
  "CodeSigningAccountName": "",
  "CertificateProfileName": "",
  "CorrelationId": "",
  "ExcludeCredentials": []
}
Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
Headers:
Date: Fri, 10 May 2024 21:09:50 GMT
Connection: keep-alive
Strict-Transport-Security: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Length: 0
at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
The issue was that my "InteractiveBrowserCredential" authentication was not working for some reason. I had to disable all authentication options except Azure CLI and retry: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
{
  "Endpoint": "https://eus.codesigning.azure.net",
  "CodeSigningAccountName": "account",
  "CertificateProfileName": "profile",
  "ExcludeCredentials": [
    "ManagedIdentityCredential",
    "EnvironmentCredential",
    "WorkloadIdentityCredential",
    "SharedTokenCacheCredential",
    "VisualStudioCredential",
    "VisualStudioCodeCredential",
    "AzurePowerShellCredential",
    "AzureDeveloperCliCredential",
    "InteractiveBrowserCredential"
  ]
}
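
A pre-flight check for the fix described above, as an added example that is not part of the original post or of the Trusted Signing tooling: it reads a metadata.json, reports which credential types ExcludeCredentials still leaves enabled, and confirms an Azure CLI session exists before SignTool is run. The function name Test-SigningMetadata and the sample file are hypothetical; AzureCliCredential is the Azure.Identity type name for the one credential the post leaves enabled.

```powershell
# Credential types listed on this page, plus AzureCliCredential (the one left enabled there).
$KnownCredentials = @(
    'ManagedIdentityCredential', 'EnvironmentCredential', 'WorkloadIdentityCredential',
    'SharedTokenCacheCredential', 'VisualStudioCredential', 'VisualStudioCodeCredential',
    'AzurePowerShellCredential', 'AzureDeveloperCliCredential', 'InteractiveBrowserCredential',
    'AzureCliCredential'
)

# Hypothetical helper: reports what a metadata.json leaves enabled and what looks wrong.
function Test-SigningMetadata {
    param([Parameter(Mandatory)][string]$Path)

    $meta = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $problems = @()
    foreach ($field in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
        if ([string]::IsNullOrWhiteSpace($meta.$field)) { $problems += "$field is empty" }
    }

    # Drop null entries so a missing or empty ExcludeCredentials yields an empty array.
    $excluded = @($meta.ExcludeCredentials | Where-Object { $_ })
    $enabled  = @($KnownCredentials | Where-Object { $_ -notin $excluded })
    foreach ($name in ($excluded | Where-Object { $_ -notin $KnownCredentials })) {
        $problems += "Unrecognised ExcludeCredentials entry: $name"   # likely a typo
    }
    if ($enabled.Count -eq 0) { $problems += 'Every credential type is excluded' }

    # If Azure CLI is still in the chain, confirm a session exists before signing.
    if ($enabled -contains 'AzureCliCredential') {
        if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
            $problems += 'AzureCliCredential is enabled but az is not on PATH'
        } else {
            az account show --output none 2>$null | Out-Null
            if ($LASTEXITCODE -ne 0) { $problems += 'az has no active login (run az login)' }
        }
    }
    [pscustomobject]@{ EnabledCredentials = $enabled; Problems = $problems }
}

# Constructed sample mirroring the metadata.json in the answer above.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'metadata-sample.json'
@'
{ "Endpoint": "https://eus.codesigning.azure.net",
  "CodeSigningAccountName": "account", "CertificateProfileName": "profile",
  "ExcludeCredentials": [ "ManagedIdentityCredential", "EnvironmentCredential",
    "WorkloadIdentityCredential", "SharedTokenCacheCredential", "VisualStudioCredential",
    "VisualStudioCodeCredential", "AzurePowerShellCredential",
    "AzureDeveloperCliCredential", "InteractiveBrowserCredential" ] }
'@ | Set-Content -LiteralPath $sample
Test-SigningMetadata -Path $sample | Format-List
```

With the sample above, EnabledCredentials contains only AzureCliCredential, so a 403 from the signing service can no longer be attributed to a different credential in the chain picking up an unexpected identity.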