17

EDIT

Event log error was this:

    error 0x8007000B: The app manifest publisher name (CN=...) must match the subject name of the signing certificate (CN={19BE29DF-4812-4F2E-8FC1-A138B146946A}).

The command below now seems to work. So either user error on my part that I cannot identify or something hinky with the state of the machine when I was seeing this. The GUID associated with the signing cert in the event log message is not what the cert shows in the Certificate Manager snap-in, which is weird.

Original Question

I am attempting to sign a UWP appx package that was generated using MakeAppx.exe. The pfx is a developer code signing certificate generated with these commands from https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-manual-conversion.

    C:\> MakeCert.exe -r -h 0 -n "CN=<publisher_name>" -eku 1.3.6.1.5.5.7.3.3 -pe -sv <my.pvk> <my.cer>
    C:\> pvk2pfx.exe -pvk <my.pvk> -spc <my.cer> -pfx <my.pfx>

The private key is in my trusted root cert store and worked when I generated an appx from an installer using the Desktop App Converter.

The command line I am using is:

    signtool.exe sign -f <path to my pfx file> -fd SHA256 -v .\FishTank.appx

but SignTool is erroring with this:

    The following certificate was selected:
        Issued to: ...
        Issued by: ...
        Expires:   Sat Dec 31 18:59:59 2039
        SHA1 hash: ...

    Done Adding Additional Store
    Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

The certificate publisher matches what is in the appmanifest.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <Package
       xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
       xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
       xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
      <Identity Name="..."
        ProcessorArchitecture="x64"
        Publisher="CN=..."
        Version="1.1.0.0" />
      <Properties>
        <DisplayName>Fish Tank</DisplayName>
        <PublisherDisplayName>Reserved</PublisherDisplayName>
        <Description>Some fish. Swimming around on your screen.</Description>
        <Logo>StoreLogo.png</Logo>
      </Properties>
      <Resources>
        <Resource Language="en-us" />
      </Resources>
      <Dependencies>
        <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14316.0" MaxVersionTested="10.0.14316.0" />
      </Dependencies>
      <Capabilities>
        <rescap:Capability Name="runFullTrust"/>
      </Capabilities>
      <Applications>
        <Application Id="FishTank" Executable="FishTank.exe" EntryPoint="Windows.FullTrustApplication">
          <uap:VisualElements
           BackgroundColor="#464646"
           DisplayName="Fish Tank"
           Square150x150Logo="Square150x150Logo.png"
           Square44x44Logo="Square44x44Logo.png"
           Description="Some fish. Swimming around on your screen." />
        </Application>
      </Applications>
    </Package>

dkackman
  • This error is specifically mentioned [in the documentation](https://msdn.microsoft.com/en-us/library/windows/desktop/jj835835%28v=vs.85%29.aspx). You forgot to tell us what you found back in the application log. – Hans Passant May 27 '16 at 02:30
  • Answer edited to have the event log, but oddly enough (after a couple hours away from the computer) the signing just worked without me changing anything that I can think of. Chalking it up to my own user error or gremlins. – dkackman May 27 '16 at 03:09
  • I had the same error and the problem was in certificate issuer name. The value `` in `MakeCert.exe` should match the `Publisher="CN="` in `AppxManifest.xml` – crea7or Mar 24 '17 at 14:29
  • Just for searchers - I had this error after it working fine for years. It started working again the next day. Cause was maybe slow internet, pending Windows updates, or Windows Firewall, but we think it was the internet connection. – JsAndDotNet Apr 24 '19 at 08:49

2 Answers

19

Just like answered here (though for a different error code) - you have to make sure that the Publisher name (in the AppxManifest.xml file) is the same as the certificate's publisher.

For more information, see here (in the bottom "Remarks" section).

Yoav Feuerstein
  • What does that mean exactly? Is it just the CN=company or the whole subject? What has to match exactly? The docs are very vague and I can't make any combination work. – Rick Strahl Aug 06 '17 at 19:01
  • @RickStrahl from what I've observed, it should be the whole string, not just the CN=something part. If that still didn't work out for you, let me know – Yoav Feuerstein Aug 07 '17 at 07:21
0

The MakeCert /n argument has to be the full Publisher string from your xml.

M1SMR
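
A pre-signing check for the rule both answers state (the manifest `Publisher` must equal the certificate subject as a whole string), added here as an example that is not code from either answer or from the Windows SDK. The default paths and the helper name `Get-AppxPublisher` are assumptions, as is treating an exact, case-sensitive comparison against .NET's rendering of the subject as the test.

```powershell
# Added example: compare the Identity/Publisher inside a built .appx with the
# subject of the PFX you intend to sign with. Default paths are placeholders.
param(
    [string]$AppxPath = '.\FishTank.appx',
    [string]$PfxPath  = '.\my.pfx'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Hypothetical helper: read Publisher from the manifest packed into the .appx.
function Get-AppxPublisher {
    param([Parameter(Mandatory)][string]$Path)
    # An .appx is a ZIP container; AppxManifest.xml sits at its root.
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
    return $manifest.Package.Identity.Publisher
}

$publisher = Get-AppxPublisher -Path $AppxPath
# Get-PfxCertificate prompts for the password if the PFX is protected.
$subject = (Get-PfxCertificate -FilePath $PfxPath).Subject

"Manifest Publisher : $publisher"
"Certificate subject: $subject"

# Assumption: compare the whole string exactly, not only the CN= component.
if ([string]::Equals($publisher, $subject, [System.StringComparison]::Ordinal)) {
    'Match: Publisher and certificate subject are identical.'
} else {
    'Mismatch: set Publisher in AppxManifest.xml to the certificate subject,'
    'or regenerate the certificate with MakeCert -n set to the full Publisher string.'
    exit 1
}
```

Reading the manifest out of the package rather than from the source folder checks what SignTool will actually see, which catches a stale .appx built before the manifest was edited.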