SignTool internal error when trying to repackage an APPX package?
I'm analyzing existing Windows Store applications and modifying them to make sure my company's obfuscator works with them.

I've run into a bit of a problem doing that though. I can grab an APPX package from the store easily enough (requires Fiddler to get the URL). I can then just use any unzip program to extract the appx to a folder. I can then take the assemblies in the APPX and modify the IL a bit. I then remake and sign the package:

makeappx pack /d "mypackage" /p "mypackage.appx"
signtool sign /fd sha256 /f temporarykey.pfx mypackage.appx

I then get an error with signtool though:

SignTool Error: An unexpected internal error has occured
Error information: "Error: SignerSign() failed." (-2147024885/0x800700b)

And then of course I get an error when trying to install it with the standard PowerShell script created by Visual Studio for installing/sideloading any APPX package.

Found package: C:\....mypackage.appx 
Error: The package is not digitally signed or its signature is corrupted

I've used this exact process for packages generated from Visual Studio. Are temporary keys tied to a particular package or something? What am I missing? Is this a bug in signtool?

Krohn answered 24/9, 2012 at 18:23

Comments:

Whitver: 0x8007000b is a bad format error. (I have no idea what that indicates with this tool, though.)

Krohn: @JamesMcNellis in this tool it apparently means a non-matching certificate. See my answer.

Apparently, you can't just take any temporary key and sign the APPX with it. In particular the certificate subject lines must match (the "publisher name"). I do not know of a better way of determining what the subject line must actually be. First, try to use signtool and sign the APPX file with any temporary key. Now go to Event Viewer. Then to Applications and Services, then Microsoft, then Windows, then AppxPackaging and finally Microsoft-Windows-AppxPackages/Operational. There should be an error event that just happened from that build. Check it. It should say something like

Error 0x800700B: The app manifest publisher name (CN=random-hex-number) must match the subject name of the signing certificate (CN=MyWrongName)

So, now make sure to hang on to that random-hex-number. That needs to be the subject line of the certificate and is the cause of the error. To generate a working certificate:

makecert.exe -r -n "CN=random-hex-number" -$ individual -sv private.pvk -pe -cy end mycert.cer
pvk2pfx -pvk private.pvk -spc mycert.cer -pfx mytemporarykey.pfx

Now finally, you should have a temporary key that will work with signtool!

Hopefully this answer serves other people well.

Krohn answered 24/9, 2012 at 20:12

Comments:

Tritheism: ... would be too easy for the users if the error would be written on the command line... Thanks a lot!

Blithe: Windows 10 doesn't seem to use the same event viewer locations. I don't see an AppxPackaging section, and couldn't locate where it might be. Additionally the error that I found in the event viewer seems completely different: SCEP Certificate enrollment initialization for MYDOMAIN\MYCOMPNAME$ via IFX-KeyId-29fe69630e853a4cd3575f84392a9bed2d7e8ca2.microsoftaik… failed: GetCACaps Method: GET(265ms) Stage: GetCACaps The certificate authority is invalid or incorrect 0x80072f0d (WinHttp: 12045 ERROR_WINHTTP_SECURE_INVALID_CA)

Blithe: That led me to this: ERROR_WINHTTP_SECURE_INVALID_CA 12045 Indicates that a certificate chain was processed, but terminated in a root certificate that is not trusted by the trust provider (equivalent to CERT_E_UNTRUSTEDROOT). From: msdn.microsoft.com/en-us/library/windows/desktop/…
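The same fix, as an added PowerShell example that is not part of the answer above: it reads the Publisher straight out of AppxManifest.xml and builds the test certificate from that string, so the subject/publisher mismatch behind 0x8007000B is checked before signtool ever runs. It uses New-SelfSignedCertificate instead of makecert/pvk2pfx and signs from the certificate store rather than a PFX; it assumes Windows PowerShell 5.1 or later, makeappx.exe and signtool.exe on PATH, and that .\mypackage is the extracted, modified package directory (all of these paths and names are assumptions).

```powershell
# Added example, not code from the original answer. Assumptions: Windows
# PowerShell 5.1+, makeappx.exe and signtool.exe on PATH, and .\mypackage is
# the extracted, modified package directory.
$PackageDir = ".\mypackage"
$OutputAppx = ".\mypackage.appx"
$CerPath    = ".\mytestcert.cer"   # public cert to trust on the sideload machine

# 1. Identity/@Publisher in the manifest is the exact string the certificate
#    Subject must equal; any other Subject produces error 0x8007000B.
[xml]$manifest = Get-Content (Join-Path $PackageDir "AppxManifest.xml")
$publisher = $manifest.Package.Identity.Publisher
Write-Host "Manifest publisher: $publisher"

# 2. Create a self-signed code-signing certificate with that Subject.
#    EKU 1.3.6.1.5.5.7.3.3 = code signing; an empty Basic Constraints
#    extension marks a leaf (end-entity) certificate, like makecert -cy end.
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature -FriendlyName "APPX test signing" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# 3. Guard before signing: compare Subject and Publisher after normalising
#    the whitespace after commas, which the store may reformat in multi-RDN
#    names such as "CN=Contoso, O=Contoso Corp, C=US".
$normalize = { param($dn) ($dn -replace ',\s*', ',').Trim() }
if ((& $normalize $cert.Subject) -ne (& $normalize $publisher)) {
    throw "Certificate subject '$($cert.Subject)' does not match manifest publisher '$publisher'"
}

# 4. Pack, then sign with the certificate selected by thumbprint from the
#    current user's My store (signtool's default). APPX signing requires
#    /fd SHA256; signtool does not pick a file digest algorithm for you.
& makeappx.exe pack /d $PackageDir /p $OutputAppx /o
if ($LASTEXITCODE -ne 0) { throw "makeappx failed with exit code $LASTEXITCODE" }

& signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint $OutputAppx
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 5. Export the public certificate: a sideload machine must trust it (for
#    example via its Trusted People store) before the package will install,
#    which is the untrusted-root failure the comments above describe.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
Write-Host "Signed $OutputAppx; trust $CerPath on the target machine before installing."
```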
