This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 94%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Note: This is a duplicate of my previous question, but I recently purchased an Azure Developer Support Plan, so I would like to re-open the topic so that my question can get answered.
I created a signed msix file with signtool.exe and my Microsoft Azure trusted signing profile, but when I try to register the msix package
System.Runtime.InteropServices.COMException (0x800B0109): A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
error 0x800B0109: The root certificate of the signature in the app package or bundle must be trusted.
I did confirm that the certification process executed directly, by right-clicking on the msix file and going to Properties -> Digital Signatures -> Details -> View Certificate -> Certification Path
Note that this is on my PC, not on a server or such. All other answers online says that it should work out of the box, but seems to be not working. I can't expect non-technical users to install certificates as part of the installation process.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 12%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
I'm having a similar problem. I signed my file using Azure Trusted Signing, with the following powershell command:
azuresigntool sign --kvu=https://<myvaultname>.vault.azure.net/ --kvc=<certificateName>
--kvt=<tenant-guid> `
--kvm `
--du=https://<mywebsite>.com `
--tr=http://timestamp.digicert.com `
myfile.dll
When I inspect the signature of the file, and the certificate, it says my company in the "Issued By" property and also in the "Issued To". The certification ends at my company, and is not trusted.
Is it possible I created the certificate incorrectly in the Trusted Signing portal?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 52%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
This will help explain the difference between the trust models Trusted Signing offers: https://learn.microsoft.com/en-us/azure/trusted-signing/concept-trusted-signing-trust-models
Thank you @Meha-MSFT
This is the key paragraph that I misunderstood:
Private Trust is the second trust model that's provided in Trusted Signing. It's for opt-in trust when signatures aren't broadly trusted across the ecosystem. The CA hierarchy that's used for Trusted Signing Private Trust resources isn't default-trusted in any root program and in Windows.
So it seems that there is no real benefit in using a Private Trust Certificate over a self-signed one.
Can you ensure you have the latest Windows updates on this machine? The Trusted Signing root certificate is pulled down via the Certificate Trust List (CTL) and added to the root store upon first encountering a signature within the chain
Hi Mesha.
Yes, I did the last update less than an hour ago (KB5053657).
Please see this screenshot:
I have also tested the certificate on a colleague's machine. He also uses Windows 11, and the root CA is also not trusted by his machine.
@Meha-MSFT do you have any feedback regarding this?
Looks like you are using a Private Trust certificate, those roots need to be explicitly added.. Publicly Trusted certificates are default trusted on Windows machine. You need to create a Public Identity validation request to get a publicly trusted certificate.