What is the structure of AppxSignature.p7x?

Asked 28/7, 2016 at 10:43 Answered 22/12, 2021 at 15:0

Solved windows win-universal-app authenticode appx

Universal Windows apps are in .appx file, which is simply a zip of a bunch of files and metadata. Most of the metadata files are extensively documented on the Microsoft website and are trivial to parse and/or regenerate. However AppxSignature.p7x remains a mystery.

From this diagram (source):

AppxSignature.p7x should have hashes of the AppxBlockMap.xml, content & directory hashes, and a signature. However I cannot find any documentation of the AppxSignature.p7x file itself. Ideally I would like to use an alternative tool to produce and verify this signature, e.g. openssl/gnutls or similar. A practical use for this is to update and repackage apps on Linux, and prepare .appxupload file for the Windows Store.

Keirakeiser answered 28/7, 2016 at 10:43 Comment(2)

How signtool exactly works with APPX file is not documented (it's only documented for PE format files: download.microsoft.com/download/9/c/5/…), as you're supposed to use the SignerSign API on Windows (that's what signtool does undercovers). However there is an open source tool that should do what you want here called "fb-util-for-appx": github.com/facebook/fb-util-for-appx – Sawdust 31/7, 2016 at 16:52

@SimonMourier this is godsent stuff! This is like what I was after to re-implement! If you submit this as an answer, I'll award the bounty to you, because all that sourcecode not only documents all the trickery, but it is a ready made tool to generate appx packages on linux (and even mac too). Making appx on non-windows is what I was ultimately after. – Keirakeiser 31/7, 2016 at 23:28

As described in the blog post you link to, the AppxBlockMap.xml file stores cryptographic block hashes for every file in the package. This file is verified and secured with a digital signature when the package is signed using authenticode.

So, on windows, you have two tools:

MakeAppx.exe that creates the package (.zip format) and the blockmap file at the same time. This is important, as what's in the block map corresponds closely to the .zip file bits, you can't just any zipping tool for this step, you must program the zip/app package creation using some ZIP API.
SignTool.exe that adds the signature to the package using "standard" authenticode.

With the Windows API you can do the same as MakeAppx using the Packaging API and you can do the same as SignTool using The SignerSign function.

The whole MakeAppx process is not documented IMHO, but the blockmap schema is in fact described here: Package block map schema reference which is relatively easy to understand.

The Authenticode signature for PE document is documented here: Windows Authenticode Portable Executable Signature Format

But it's only for PE (.dll, .exe, etc.) files (note it's also possible to sign .CAB files), and I don't think how SignerSign builds AppxSignature.p7x is documented. However, there is an open source tool here that does it here: https://github.com/facebook/fb-util-for-appx. You will notice this file https://github.com/facebook/fb-util-for-appx/blob/master/PrivateHeaders/APPX/Sign.h that declares what should be used as input for signing. I have no idea where they got that information.

Sawdust answered 1/8, 2016 at 6:40 Comment(0)

The P7X format is just 0x504B4358 ("PKCX") followed by PKCS #7 data in the DER format. DER is described by ASN.1.

Loment answered 22/12, 2021 at 15:0 Comment(0)

Recommended topics

Hot tags