Trouble signing UWP application with certificate
I'm trying to generate a certificate suited for signing a Microsoft Universal Windows Platform (UWP) application. I have one certificate that works, which I self-signed, and one issued by my company's internal certificate authority based on a CSR (certificate request) file that I crafted and submitted to them.
To generate the self-signed cert, I used the following PowerShell command:
New-SelfSignedCertificate -Type Custom -Subject "<full certificate DN>" -KeyUsage DigitalSignature -FriendlyName "MyFriendlyName" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
To generate the cert issued by our internal CA, I created a CSR with the same attributes:
KeyUsage: Digital Signature
ExtendedKeyUsage: CodeSigning (1.3.6.1.5.5.7.3.3)
2048 bit key
algo: AES-SHA256
With most of the other properties defaulted.
As I said, the self-signed cert works, but the CA-issued cert will not be accepted by Visual Studio. Here is the error I get when I try to assign the CA-issued cert for signing:
The Manifest Designer could not import the certificate.
The certificate you selected is not valid for signing because it is
either expired or has another issue. For more information, see
http://go.microsoft.com/fwlink/?LinkID=241478.
CA root and intermediate certs are installed on the machines in the appropriate cert stores.
Here are the properties of the certificates side-by-side. Is there any way to know what is specifically wrong with the failing certificate? I feel like I've met all the UWP signing requirements.
UPDATE
Things get stranger. These steps work:
- Right Click and "Publish" my UWP app from Solution Explorer
- Choose not to sign the package at the time of publishing
- Sign the package from the command line with SignTool.exe, using the proper thumbprint (SHA) for my CA-issued certificate: it works!
Here is my SignTool command line:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /fd sha256 /sha1 <my CA-issued cert thumbprint> "path-to-my-unsigned.msix"
Output from Signtool with /v (verbose):
The following certificate was selected:
Issued to: <my org>
Issued by: <my internal CA name>
Expires: Mon Apr 30 11:41:36 2035
SHA1 hash: <CA-Issued cert hash>
Done Adding Additional Store
Successfully signed: path-to-my-app.msix
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
So the question still stands: why won't Visual Studio accept my CA-issued cert as a valid signing cert even though I can use it to sign manually with SignTool.exe?
END UPDATE
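As an added example (not from the original post), the PowerShell script below pulls both certificates from Cert:\CurrentUser\My and lists, side by side, the properties the question's New-SelfSignedCertificate command sets (key usage, the code-signing EKU 1.3.6.1.5.5.7.3.3, basic constraints) along with private-key presence, expiry, key size and whether the chain builds; a row where the two columns differ is a candidate for the "another issue" Visual Studio reports. The two thumbprints are placeholders to be replaced with your own.

```powershell
# Added example, not the poster's code. Compares a working and a failing signing cert
# on the properties relevant to UWP package signing. Thumbprints are placeholders.
param(
    [string]$WorkingThumbprint = '<self-signed cert thumbprint>',
    [string]$FailingThumbprint = '<CA-issued cert thumbprint>'
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, as used in the question's command

function Get-SigningCertReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $bc  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)

    # Build the chain from the local stores so that a chain problem (missing intermediate,
    # untrusted root, revocation) shows up here instead of as a generic "another issue".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject            = $Cert.Subject
        Issuer             = $Cert.Issuer
        NotAfter           = $Cert.NotAfter
        HasPrivateKey      = $Cert.HasPrivateKey
        SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName
        KeySize            = if ($rsa) { $rsa.KeySize } else { '(not RSA)' }
        KeyUsage           = if ($ku) { $ku.KeyUsages.ToString() } else { '(absent)' }
        HasCodeSigningEku  = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku }))
        BasicConstraints   = if ($bc) { "CA=$($bc.CertificateAuthority)" } else { '(absent)' }
        ChainBuilds        = $chainOk
        ChainStatus        = if ($chainStatus) { $chainStatus } else { 'NoError' }
    }
}

$w = Get-SigningCertReport (Get-Item "Cert:\CurrentUser\My\$WorkingThumbprint")
$f = Get-SigningCertReport (Get-Item "Cert:\CurrentUser\My\$FailingThumbprint")

# Side-by-side table; Differs = True marks a property worth investigating first.
$w.PSObject.Properties.Name | ForEach-Object {
    $name = $_
    [pscustomobject]@{ Property = $name; Working = $w.$name; Failing = $f.$name; Differs = ($w.$name -ne $f.$name) }
} | Format-Table -AutoSize
```

Run it from the same user context Visual Studio uses, since the script (like the Manifest Designer) only sees the CurrentUser\My store.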