During UWP app VS publish , how to integrate signing with security token and pin?

Question

During UWP app VS publish , how to integrate signing with security token and pin?

DotNET Fan 151

Hello Microsoft UWP Experts ,

I have a UWP app associated with the windows store and during VS publish and creating the packages , I would like to sign the package using Yubi Key security token with Pin. Even though i have selected the right publisher with certificate in the Package.appxmanifest, when publishing it picks up some random certificate from the local store.

If i use the signtool manually in command line t asks for the Security Pin , but unable to sign .msixupload/.msixbundle and throws with errors

"D:\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 2277221b9ee1c53db704665ff171032506233d85" AppPackages\XXXX_1.1.0_x86_x64_bundle.msixupload"

Error-

Done Adding Additional Store

SignTool Error: This file format cannot be signed because it is not recognized.

SignTool Error: An error occurred while attempting to sign: AppPackages\XXXX_1.1.0_x86_x64_bundle.msixupload

"D:\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 2277221b9ee1c53db704665ff171032506233d85 "AppPackages\XXXX_Test\XXXX_2.3.3.0_x86_x64.msixbundle"

Error-

Done Adding Additional Store

SignTool Error: An unexpected internal error has occurred.

Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

During VS publish what is the right way to sign the UWP packages/dll using security token and with PIN ?

Roy Li - MSFT 30,551 Reputation points Microsoft Vendor

2023-11-13T05:57:29.3533333+00:00

Could you please tell me why you want to sign the package using Yubi Key security token with Pin? If you want to publish the app to the Store, then you should not sign it with other ways. VS could automatically sign the package which meets the requirement of the Store.
DotNET Fan 151 Reputation points

2023-11-15T17:44:06.77+00:00

Hi @Roy Li ,

Now the certificate signing of dlls /msi's are done through certificate stamping on the hardware token and not pfx stored on the local machine. So i do have a certificate stamped with the yubi key token in my name and i would like to use that for the UWP app MSIXBUNDLE File (.msixbundle) during publish.

So in the publish wizard , under packaging tab , for publisher field i select the certificate stamped in my name and listed on the local store . But unfortunately , during the publish the packages is signed with some random certificates with some publisher name - 557AE966-xxxx-xxxx-xxxx-xxxxxx from the local store.

Any idea how to make this working?

Thanks
Roy Li - MSFT 30,551 Reputation points Microsoft Vendor

2023-11-17T06:31:32.8466667+00:00

I'm still confusing about why you are doing this. I understand you want to sign your package with some other certificate with yubikey. But Store will not accept packages that is not signed with corresponding certificate. Your package will be rejected if it is not signed with the associated certificate. Do you want to distribute your app via sideloading and use your own certificate?
DotNET Fan 151 Reputation points

2023-11-17T08:06:34.4233333+00:00

@Roy Li - MSFT ,

So when you associate a app with the store , during publish process does it signs with a store certificate that is registered in the local machine store?

After the build process when i check the certificate from the file properties for .msixbundle it shows Name of signer as 557AE966-xxxx-xxxx-xxxx-xxxxxx

I want to distribute the app to the store as well as outside store also. With this store signing certificate does it hold good for customers who wants to install outside of windows store?

Roy Li - MSFT 30,551 Reputation points Microsoft Vendor

2023-11-13T05:57:29.3533333+00:00

Could you please tell me why you want to sign the package using Yubi Key security token with Pin? If you want to publish the app to the Store, then you should not sign it with other ways. VS could automatically sign the package which meets the requirement of the Store.
DotNET Fan 151 Reputation points

2023-11-15T17:44:06.77+00:00

Hi @Roy Li ,

Now the certificate signing of dlls /msi's are done through certificate stamping on the hardware token and not pfx stored on the local machine. So i do have a certificate stamped with the yubi key token in my name and i would like to use that for the UWP app MSIXBUNDLE File (.msixbundle) during publish.

So in the publish wizard , under packaging tab , for publisher field i select the certificate stamped in my name and listed on the local store . But unfortunately , during the publish the packages is signed with some random certificates with some publisher name - 557AE966-xxxx-xxxx-xxxx-xxxxxx from the local store.

Any idea how to make this working?

Thanks
Roy Li - MSFT 30,551 Reputation points Microsoft Vendor

2023-11-17T06:31:32.8466667+00:00

I'm still confusing about why you are doing this. I understand you want to sign your package with some other certificate with yubikey. But Store will not accept packages that is not signed with corresponding certificate. Your package will be rejected if it is not signed with the associated certificate. Do you want to distribute your app via sideloading and use your own certificate?
DotNET Fan 151 Reputation points

2023-11-17T08:06:34.4233333+00:00

@Roy Li - MSFT ,

So when you associate a app with the store , during publish process does it signs with a store certificate that is registered in the local machine store?

After the build process when i check the certificate from the file properties for .msixbundle it shows Name of signer as 557AE966-xxxx-xxxx-xxxx-xxxxxx

I want to distribute the app to the store as well as outside store also. With this store signing certificate does it hold good for customers who wants to install outside of windows store?

During UWP app VS publish , how to integrate signing with security token and pin?

Activity