msix-packaging

[BUG] Unable to sign appxpackage due to "ST" being present in the signing certificate subject

Open • danielprice-cds opened this issue 1 year ago • 3 comments

Project: MSIX SDK (MakeAppx.exe)

Describe the bug: I am unable to sign a WinUI application as my code signing certificate has ST in the subject, which is not permitted in the Publisher element in the AppxManifest.xml.

To Reproduce: Create a new WinUI application and sign the app package with a code signing certificate which has a subject containing ST.

Expected behavior: The AppxManifest.xml would allow ST in the publisher.

danielprice-cds, Aug 13 '24 18:08

MakeAppx.exe does not allow ST and I've finally got here and found msix-packaging has the same issue... I'm using my own fork now :(

espresso3389, Dec 13 '24 17:12

We're having the same problem. Is there any workaround?

luxzeitlos, Mar 06 '25 11:03

TL;DR: Use "S" instead of "ST"

The tooling uses CertNameToStr to compute the expected publisher string from the certificate. It has some quirks mentioned in the Remarks, for example it uses S instead of ST, has a particular ordering for the fields, and sometimes the values need to be quoted.

I didn't confirm this, but according to past me in the Tech Community forum, if you set the environment variable APPXSIP_LOG to 3 before calling signtool.exe, it will tell you in the logs what publisher string it was expecting.

florelis, Mar 06 '25 20:03
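The "S" instead of "ST" workaround from the last comment, as an added example that is not code from this thread or from the MSIX tooling: it renames only the `ST` attribute type in a certificate subject string and leaves quoted values untouched, then escapes the result for use in the manifest's Publisher attribute. The function names and the sample subject are constructed for illustration; the field ordering and value quoting that CertNameToStr applies are not reproduced here, so the subject is assumed to already be in the order the tooling expects.

```python
from xml.sax.saxutils import escape

# Constructed sample subject, not taken from a real certificate.
SAMPLE_SUBJECT = 'CN=Contoso Software, O="Contoso, Ltd.", L=Redmond, ST=Washington, C=US'

def split_rdns(dn: str) -> list[str]:
    """Split on commas that are outside double quotes and not backslash-escaped."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def publisher_from_subject(dn: str) -> str:
    """Return the subject with the ST attribute type renamed to S (values unchanged)."""
    out = []
    for rdn in split_rdns(dn):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        key = key.strip()
        if key.upper() == "ST":
            key = "S"  # the spelling the thread says the tooling expects
        out.append(f"{key}={value.strip()}")
    return ", ".join(out)

def manifest_publisher_value(dn: str) -> str:
    """Escape the publisher string for use inside a double-quoted XML attribute."""
    return escape(publisher_from_subject(dn), {'"': "&quot;"})

if __name__ == "__main__":
    print(publisher_from_subject(SAMPLE_SUBJECT))
    print(manifest_publisher_value(SAMPLE_SUBJECT))
```

If signing still fails after the rename, the expected string reported by the APPXSIP_LOG logging mentioned above is the value to compare against.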