Support modern signing algorithms like sha256ECDSA #150

Description

@denisbrodbeck

Hi,

thank you for this really interesting project. Just stumbled upon it and liking it very much.

I'm trying to build and sign some custom apps using a self-generated code signing certificate, which uses sha256ECDSA instead of RSA.

This certificate is signed by our internal intermediate certificate authority and trusted by all active-directory or Azure AD joined devices.
We use this certificate to sign all of our internal company apps (mostly C#-Apps) and IT-related PowerShell-Scripts. This works flawlessly on our Win10 and Win11 clients.

Here's how we sign our regular files:

$cert=Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
$TimeStampingAuthority = 'http://timestamp.digicert.com'

Set-AuthenticodeSignature -Certificate $cert -TimestampServer $TimeStampingAuthority -FilePath .\*.dll
Set-AuthenticodeSignature -Certificate $cert -TimestampServer $TimeStampingAuthority -FilePath .\*.exe
Set-AuthenticodeSignature -Certificate $cert -TimestampServer $TimeStampingAuthority -FilePath .\*.ps1

Set-AuthenticodeSignature doesn't work on .msix files, so I used signtool.exe, which works fine so far, but I couldn't get it to work with my code signing cert stored in the personal policy store. The only way I could sign is by using a .pfx and passing the password via the command line (which might get exposed via shell history):

MakeAppx pack /v /h SHA256 /d "..\app1\" /p app1.msix
SignTool sign /debug /fd sha256 /a /f code_signing.p12 /p "<loooongpassword>" app1.msix

Using these commands gets me a fully signed msix, which can be installed on our clients without issues -- all cert validation by windows is okay (because IT deployed the correct root and intermediate certs on the clients).

Is there a specific reason, why ecdsa-based certificates are generally not supported by MSIX-Hero? Even when the current signtool has no issues with such certs?

I'm a long-time C# dev myself and am willing to contribute a PR + tests.

Thank you for this project, again. The app looks very polished and the code looks the same 🙃

Greetings
Denis from Stuttgart
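The password-on-the-command-line problem in the post has a direct fix in signtool itself: select the certificate from the CurrentUser\My store by thumbprint (/sha1) instead of handing signtool a PFX (/f, /p), so no secret ever reaches the shell history. The script below is an added example, written for this page and not code from the issue author or from MSIX-Hero; it wraps that call with the two checks a practitioner wants before signing an MSIX (the key is usable for code signing, and the AppxManifest Publisher equals the certificate Subject, which Windows enforces at install time) and verifies the result afterwards. The thumbprint, package path, and the assumption that signtool.exe from the Windows SDK is on PATH are placeholders; the timestamp URL is the one from the post.

```powershell
# Added example (not from the issue author or MSIX-Hero): sign an MSIX with signtool
# using a code-signing certificate from the CurrentUser\My store, selected by thumbprint,
# so no PFX password ever touches the command line or shell history.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                # SHA-1 thumbprint of the signing cert (assumed input)
    [Parameter(Mandatory)] [string] $PackagePath,               # e.g. .\app1.msix (assumed input)
    [string] $TimestampUrl = 'http://timestamp.digicert.com',   # RFC 3161 TSA from the post
    [string] $SignTool = 'signtool.exe'                         # assumed to be on PATH (Windows SDK)
)

$ErrorActionPreference = 'Stop'

# 1. Locate the certificate in the personal store and confirm it is usable for code signing.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')) {
    throw 'Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3).'
}
# Report the key algorithm: an ECDSA certificate shows 'ECC' here, an RSA one 'RSA'.
Write-Host "Signing with $($cert.Subject) [$($cert.PublicKey.Oid.FriendlyName), thumbprint $($cert.Thumbprint)]"

# 2. MSIX requirement: the Publisher attribute in AppxManifest.xml must equal the certificate
#    Subject. The package is a zip, so read the manifest straight out of it before signing.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $PackagePath).Path)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw 'AppxManifest.xml not found in package.' }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
} finally { $zip.Dispose() }
$publisher = $manifest.Package.Identity.Publisher
# Pre-check only: collapse whitespace after commas so 'CN=A, O=B' and 'CN=A,O=B' compare equal.
# Windows does the authoritative comparison of the distinguished names at install time.
$norm = { param($s) ($s -replace ',\s+', ',').Trim() }
if ((& $norm $publisher) -ne (& $norm $cert.Subject)) {
    throw "Manifest Publisher '$publisher' does not match certificate Subject '$($cert.Subject)'; the package would fail to install."
}

# 3. Sign. /sha1 picks the store certificate (no /f, no /p), /fd pins SHA-256 as the file digest,
#    /tr requests an RFC 3161 timestamp and /td pins its digest, so the signature stays valid
#    after the certificate expires.
& $SignTool sign /fd sha256 /sha1 $cert.Thumbprint /tr $TimestampUrl /td sha256 $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify against the local trust chain, the same check the clients run at install time.
& $SignTool verify /pa /v $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Two notes on use. The /fd value must match the hash algorithm given to MakeAppx with /h when the package was built (SHA256 in the post), otherwise signing fails. And the /a auto-select switch from the post is unnecessary once /sha1 names the certificate explicitly; auto-select picks whichever valid code-signing certificate it finds first, which is the wrong default on a machine that holds more than one.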
