SignTool “SignerSign() failed” when signing MSIX with EV hardware token

AppDev_D 0 reputation points
2025-06-30T08:19:51.7433333+00:00

Hi,

I’m encountering an error when trying to sign an MSIX package using an EV code signing certificate stored on a SafeNet hardware token. After entering the PIN, SignTool fails with:

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885 / 0x8007000b)

This happens consistently across multiple Windows 10 machines using both SignTool 10.0.19041.0 and 10.0.22621.0.

Here’s the command I’m using:

signtool sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 <cert thumbprint> .\App.msix

What works:

  • Signing EXE and Office files (e.g., Excel) with the same EV token
  • Signing MSIX packages using an OV certificate

Only signing MSIX with the EV token fails. Bitness matches, the certificate CN is correct, the package is unsigned, and the middleware is running fine.

Is this a known issue or a limitation? Any suggestions or workarounds would be greatly appreciated. Thanks!

Windows development | Internet Information Services

1 answer

  1. AppDev_D 0 reputation points
    2025-06-30T09:37:01.4+00:00

    I found the solution on https://docs.digicert.com/en/software-trust-manager/code-signing/sign-with-third-party-signing-tools/sign-msix-files-with-signtool--workaround-solution-.html

    Solution

    🛡️ Sign .msix with Hardware Token (Microsoft Tool Workaround)

    signtool.exe can’t sign .msix with hardware tokens — but Microsoft provides a workaround via a pre-release .NET tool.

    🔧 Install Signing Tool

    dotnet tool install --tool-path . --prerelease sign
    

    🖋️ Sign Command (⚠️ May take several minutes)

    .\sign.exe code certificate-store `
      -cf "YourCert.crt" `
      -td sha256 `
      -cfp "SHA256_of_Cert" `
      -csp "eToken Base Cryptographic Provider" `
      -k "KeyContainerName" `
      -i "YourApp.msix"
    

    🔍 How to Get Parameters

    🧬 -cfp: SHA256 of cert

    $thumb = "THUMBPRINT"
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where { $_.Thumbprint -eq $thumb }
    $raw = $cert.RawData
    [BitConverter]::ToString((New-Object Security.Cryptography.SHA256Managed).ComputeHash($raw)) -replace "-", ""
    

    📄 -cf: Export cert to file

    Export-Certificate -Cert $cert -FilePath "YourCert.crt"
    

    🔐 -csp / -k: Provider & Key name

    $cert.PrivateKey.CspKeyContainerInfo.ProviderName
    $cert.PrivateKey.CspKeyContainerInfo.KeyContainerName
    

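The checks the question lists before signing (certificate subject matches the package, package still unsigned) can be scripted. The following is an added example, not part of the original thread or of DigiCert's or Microsoft's documentation; the function names, `.\App.msix` and `THUMBPRINT` are placeholders, and the publisher comparison is a strict string match whose mismatches are meant for manual review.

```powershell
# Added example: checks to run before signing an MSIX package.
# $MsixPath and $Thumbprint defaults are placeholders; function names are hypothetical.
param(
    [string]$MsixPath   = ".\App.msix",
    [string]$Thumbprint = "THUMBPRINT"
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsixSigningInfo {
    param([Parameter(Mandatory)][string]$Path)
    # An MSIX package is a ZIP container with AppxManifest.xml at its root.
    $zip = [IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    try {
        $entry = $zip.GetEntry("AppxManifest.xml")
        if (-not $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object IO.StreamReader($entry.Open())
        try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
        [pscustomobject]@{
            Publisher = $manifest.Package.Identity.Publisher
            # AppxSignature.p7x exists only once the package has been signed.
            IsSigned  = ($null -ne $zip.GetEntry("AppxSignature.p7x"))
        }
    } finally { $zip.Dispose() }
}

function Test-MsixSigningReadiness {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
    $pkg = Get-MsixSigningInfo -Path $Path
    [pscustomobject]@{
        ManifestPublisher = $pkg.Publisher
        CertSubject       = $cert.Subject
        # Strict, case-sensitive string comparison; any difference is flagged for review.
        PublisherMatches  = ($pkg.Publisher -ceq $cert.Subject)
        PackageUnsigned   = (-not $pkg.IsSigned)
        HasPrivateKey     = $cert.HasPrivateKey
        NotExpired        = ((Get-Date) -lt $cert.NotAfter)
    }
}

Test-MsixSigningReadiness -Path $MsixPath -Thumbprint $Thumbprint | Format-List
```

Running `Get-AuthenticodeSignature` on the package after signing shows the resulting signature status and signer certificate.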