Signing an .appx file corrupts the .appx #367

Closed
@st-gr

Description

Hi,

First of all, I would like to thank you all for creating this amazing tool that eventually will allow me to build and sign Windows apps running in a Linux/wine docker container.

Irrespective of me building osslsigncode from source or downloading and using the latest release (2.7) from GitHub, the resulting appx gets corrupted.

The appx is created using Apache Cordova version 11 (yes, I still have to build Windows 8 UWP apps ;-)):

cordova create testapp
cordova platforms add windows
cordova build --debug --arch=x64

(I prevented MSBuild from signing by replacing signtool.exe with a mock executable that returns error code 0).

Here is the command I used to sign the .appx on Windows 10 and Ubuntu 22.04/wine 8.0.2 stable:

osslsigncode sign -in CordovaApp.Windows10_1.0.0.0_x64_debug.appx -out osslsigncode-signed.appx -pkcs12 ..\..\CordovaApp_TemporaryKey.pfx
Hash method is SHA256
Warning: Ignore -h option, use the hash algorithm specified in AppxBlockMap.xml
Signing as a package
Succeeded

BTW: The release build 2.7 ran under wine, but the latest source build returned errors and did not sign the file:

Unable to load provider: legacy
Warning: Legacy mode disabled

As a comparison, I signed the .appx using signtool:

PS T:\appxsign-test\platforms\windows\AppPackages\CordovaApp.Windows10_1.0.0.0_x64_debug_Test> ."C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd sha256 /f ..\..\CordovaApp_TemporaryKey.pfx signtool-signed.appx
Done Adding Additional Store
Successfully signed: signtool-signed.appx

When I inspect the corrupted .appx with 7-Zip, I don't see the packaged files; only one file shows.
I then tried to repair the .appx using WinZip, which didn't help, as this compromised the signature.

I uploaded the unsigned .appx, the .pfx, and the two signed .appx in this .zip file:
appx-files.zip

I haven't checked with a hex editor yet. There might be a bug in the packaging of the .appx.
Microsoft provides an MSIX packaging tool (src/makemsix) that also creates .appx. I thought about looking there for inspiration: https://github.com/microsoft/msix-packaging

Your tool is the last puzzle piece for me to be able to build and sign my apps in a Linux/wine container. It took me a while to get MSBuild to behave.

Maybe I am just using your tool with the wrong key format or parameters?

Please advise.
st-gr
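
A post-signing sanity check for the symptom reported above, where the signed package lists only one file. This is an added example, not part of the original issue and not osslsigncode code. It assumes an .appx is a ZIP container whose signature lives in AppxSignature.p7x and whose [Content_Types].xml is rewritten by signing; the sample packages are constructed in memory.

```python
import io
import zipfile

SIGNATURE_ENTRY = "AppxSignature.p7x"  # part that holds the package signature
CONTENT_TYPES = "[Content_Types].xml"  # assumed rewritten by signing to declare that part

def entry_crcs(package):
    """Map each entry name to its CRC-32 as recorded in the ZIP central directory."""
    with zipfile.ZipFile(package) as zf:
        return {info.filename: info.CRC for info in zf.infolist()}

def check_signed_package(unsigned, signed):
    """Return a list of problems; an empty list means the container survived signing."""
    try:
        before = entry_crcs(unsigned)
        after = entry_crcs(signed)
        with zipfile.ZipFile(signed) as zf:
            corrupt = zf.testzip()  # first entry whose data fails its CRC, or None
    except zipfile.BadZipFile as exc:
        return [f"not a readable ZIP container: {exc}"]
    problems = []
    if corrupt is not None:
        problems.append(f"entry data fails CRC check: {corrupt}")
    if SIGNATURE_ENTRY not in after:
        problems.append(f"{SIGNATURE_ENTRY} missing from signed package")
    for name, crc in before.items():
        if name not in after:
            problems.append(f"entry lost during signing: {name}")
        elif name != CONTENT_TYPES and after[name] != crc:
            problems.append(f"entry content changed: {name}")
    return problems

def build_package(entries):
    """Constructed sample input: build a small ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

if __name__ == "__main__":
    payload = {"AppxManifest.xml": b"<Package/>", "AppxBlockMap.xml": b"<BlockMap/>",
               CONTENT_TYPES: b"<Types/>", "www/index.html": b"<html></html>"}
    unsigned = build_package(payload)
    good = build_package({**payload, CONTENT_TYPES: b"<Types><Override/></Types>",
                          SIGNATURE_ENTRY: b"constructed placeholder, not a real signature"})
    broken = build_package({SIGNATURE_ENTRY: b"constructed placeholder"})
    print("intact :", check_signed_package(unsigned, good))
    print("broken :", check_signed_package(unsigned, broken))
```

`check_signed_package` also accepts file paths, so it can run in a build pipeline right after the signing step and fail the job when the returned list is non-empty. It checks only the container, not the validity of the signature itself.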

Labels: bug (Something isn't working)
