Signing AppX files



Maarten
08-31-2016, 03:36 AM
Hi,
I just managed to convert my setup builder installer into a Windows Store compatible AppX package.

I use a Digicert code sign certificate (a Windows Store requirement) which works fine on my normal installer builds.

In order to sign the AppX file I thought the simplest way would be to make a small setupbuilder project with the following line:

#code-sign application "E:\Dropbox\StakePoint\DesktopAppConverter\stakepoint\StakePoint\StakePoint.appx" ["StakePoint"]" ["e:\Dropbox\StakePoint\CodeSigning\Digicert\sasustakepointcodesign.pfx"]


This however gives me the following error code:

stakepoint sign appx.sbp
Init Standard Variables...
Performing pre-checks...
OK
Timestamp server(s)...
SHA-1: http://timestamp.digicert.com/authenticode
SHA-2: http://timestamp.digicert.com/authenticode
Type : 0
Script format version detected: 7.0.2600
Recursive compile (0:29): Common Definitions.sbi
#pragma loaded: MINVER
Finished
Continue (0:1:30): E:\Dropbox\StakePoint\SetupBuilder Projects\StakePoint Sign AppX.sbp
Adding Digital Certificate (Preprocessor)...
SIGNTOOL: E:\Dropbox\StakePoint\DesktopAppConverter\stakepoint\StakePoint\StakePoint.appx
SVER: 10.0.10586.212
SHA1: 1
Compiler error GEN1053: Code signing process failed. Error Code: 1
Script(s) processed

--------------------------------------- Done ---------------------------------------

StakePoint Sign AppX.sbp - 1 error(s), 0 warning(s), 0 file(s) code-signed

Regards,

Maarten MOSTERT

linder
08-31-2016, 05:35 AM
Maarten,

SHA-1 isn't valid for signing app packages (because it is not supported any longer). Try to use SHA-2.

BTW, we'll post more AppX information next month (in September). Support for AppX is in the works.

Friedrich

Maarten
08-31-2016, 10:30 AM
Hello Friedrich,

Well, I tried that, using the signtool directly:

C:\Users\Maarten>C:\Users\Maarten\Dropbox\StakePoint\CodeSigning\Digicert\SignTool sign /fd SHA256 /a /f C:\Users\Maarten\Dropbox\StakePoint\CodeSigning\Digicert\sasustakepointcodesign.pfx /p mypassword C:\Users\Maarten\Dropbox\StakePoint\DesktopAppConverter\stakepoint\StakePoint\StakePoint.appx
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

Now the error returned is documented and normally occurs when the company name is not identical to the one in the certificate:
https://msdn.microsoft.com/en-us/library/windows/desktop/jj835835(v=vs.85).aspx

My AppX command is as follows:

C:\Users\Maarten\Dropbox\StakePoint\DesktopAppConverter\DesktopAppConverter.ps1 -Installer C:\Users\Maarten\Dropbox\StakePoint\DesktopAppConverter\StakePoint_Setup.exe -InstallerArguments "/S" -Destination C:\Users\Maarten\Dropbox\StakePoint\DesktopAppConverter\stakepoint -PackageName "StakePoint" -Publisher "CN=SASU STAKE POINT, C=FR" -Version 16.8.4.0 -MakeAppx -Verbose

And the certificate I use gives:
CN = SASU STAKE POINT
O = SASU STAKE POINT
L = Hyeres
S = Provence-Alpes-Cote d'Azur
C = FR

The signature hash algorithm is sha256. If I specify the -Publisher with "CN=SASU STAKE POINT, O = SASU STAKE POINT, C=FR" with more location parameters, the conversion fails, so I don't see where things go wrong?

Are the internal files signed with sha1?

By the way, super cool if we can create these AppX files directly from SetupBuilder.

Regards,
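
An added example, not part of the original thread and not SetupBuilder or Microsoft code: a check of a package's manifest Publisher against the signing certificate's subject, the mismatch the post above cites as the documented cause of 0x8007000b. The sample package is constructed in memory, the subject string is assembled from the certificate fields listed in the post, and the attribute-by-attribute comparison is an assumption, not SignTool's own matching logic.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assembled from the certificate fields listed in the post (constructed string).
CERT_SUBJECT = ("CN=SASU STAKE POINT, O=SASU STAKE POINT, L=Hyeres, "
                "S=Provence-Alpes-Cote d'Azur, C=FR")

def manifest_publisher(appx_bytes):
    """Return Identity/@Publisher from AppxManifest.xml inside an .appx (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as pkg:
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Identity":  # ignore the XML namespace
            return elem.get("Publisher")
    raise ValueError("no Identity element in AppxManifest.xml")

def split_dn(dn):
    """Split a DN string into (TYPE, value) pairs; commas inside quotes stay."""
    rdns = []
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', dn):
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def publisher_mismatch(publisher, cert_subject):
    """List the differences between the two names; an empty list means they agree."""
    pub, sub = split_dn(publisher), split_dn(cert_subject)
    if pub == sub:
        return []
    issues = [f"missing from Publisher: {k}={v}" for k, v in sub if (k, v) not in pub]
    issues += [f"not in certificate: {k}={v}" for k, v in pub if (k, v) not in sub]
    return issues or ["same attributes, different order"]

def build_sample_appx(publisher):
    """Constructed stand-in for a real package: a ZIP holding only a manifest."""
    manifest = ('<Package xmlns="http://schemas.microsoft.com/appx/manifest/'
                'foundation/windows10"><Identity Name="StakePoint" '
                f'Publisher="{publisher}" Version="16.8.4.0"/></Package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_appx("CN=SASU STAKE POINT, C=FR")  # -Publisher from the post
    for issue in publisher_mismatch(manifest_publisher(sample), CERT_SUBJECT):
        print(issue)
```

To check a real package, pass the bytes of the .appx file to `manifest_publisher` and the subject string shown in the certificate's details to `publisher_mismatch`.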