Error signing app package with certificate from Azure Key Vault
Hello,
we have a new (EV) code signing certificate stored in Azure Key Vault.
Signing any of our [installer].exe files with the AzureSignTool.exe via command line, for example, is no problem. However, when it comes to signing any of our Windows application packages (*.msix), the signing fails (via VS or via command line).
Signing via VS
When we publish our app in VS, we can select our certificate directly from Azure:
Signing then fails with the following error message:
What is noticeable is that Identity.Publisher in the Package.manifest file has been replaced with: “CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE”. This string matches the Issuer of our certificate, but not the subject. Is that how it’s intended?
Nevertheless, when we disable automatic signing with (AppxPackageSigningEnabled = false) and replace Identity.Publisher with the subject of our certificate (“CN=3D.aero GmbH, , ST=Hamburg, …”), validation fails with error message: “Validation error. error C00CE169: App manifest validation error: The app manifest must be valid as per schema: [..]”. We have found out that the RegEx does not allow an ST key during validation. So we replaced it with S and building completes.
Signing via command line
However, if we then try to sign the built MSIX package with the AzureSignTool.exe via command line, this fails with the following error message:
“The Publisher Identity in the AppxManifest.xml does not match the subject on the certificate.”
We assume this is due to the ST <> S problem?
When using “CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE” manually, AzureSignTool also fails with the same message.
Questions
Why does signing fail if the certificate was automatically selected via the wizard?
This string matches the Issuer of our certificate, but not the subject. Is that how it’s intended?
The RegEx for the validation of Identity.Publisher does not allow ST, can this be fixed?
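Added example, not part of the original post: a pre-signing check that reads Identity Publisher from a manifest and reports the two conditions described above (a key the schema rejects, and the issuer used in place of the subject). Assumptions: the key list is transcribed from the manifest schema's Publisher pattern, the subject string passed in is in the form the signing tool compares against, and the manifest and "Example GmbH" subject are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Keys the manifest schema's Publisher pattern accepts (assumption: transcribed
# from the AppxManifest schema; it lists "S" and has no "ST").
SCHEMA_KEYS = {"CN", "L", "O", "OU", "E", "C", "S", "STREET", "T", "G", "I",
               "SN", "DC", "SERIALNUMBER", "Description", "PostalCode",
               "POBox", "Phone", "X21Address", "dnQualifier"}
OID_KEY = re.compile(r"OID\.\d+(\.\d+)+$")
# Limitation: a quoted value that itself contains ", X=" would be misread as a key.
KEY = re.compile(r"(?:^|,)\s*([A-Za-z0-9.]+)=")

def manifest_publisher(manifest_xml):
    """Return Identity/@Publisher from an AppxManifest.xml string."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":
            return el.get("Publisher")
    raise ValueError("manifest has no Identity element")

def diagnose(manifest_xml, cert_subject, cert_issuer):
    """List reasons the manifest Publisher would fail validation or signing."""
    pub = manifest_publisher(manifest_xml)
    findings = [f"schema-rejects-key:{k}" for k in KEY.findall(pub)
                if k not in SCHEMA_KEYS and not OID_KEY.match(k)]
    if pub == cert_issuer:
        findings.append("publisher-is-issuer")
    elif pub != cert_subject:
        # Offset of the first differing character, to locate the mismatch.
        i = next((n for n, (a, b) in enumerate(zip(pub, cert_subject)) if a != b),
                 min(len(pub), len(cert_subject)))
        findings.append(f"publisher-differs-from-subject@{i}")
    return findings

# Constructed sample data; only the issuer string is taken from the post.
NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
SUBJECT = "CN=Example GmbH, O=Example GmbH, S=Hamburg, C=DE"
ISSUER = "CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE"

def sample_manifest(publisher):
    return (f'<Package xmlns="{NS}"><Identity Name="Example.App" '
            f'Publisher="{publisher}" Version="1.0.0.0"/></Package>')

if __name__ == "__main__":
    for pub in (ISSUER, SUBJECT.replace("S=", "ST="), SUBJECT):
        print(pub, "->", diagnose(sample_manifest(pub), SUBJECT, ISSUER))
```

An empty list means the Publisher passes both checks; the offset in the last finding points at the first character where the manifest string and the subject string diverge.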