MicrosoftDocs / msix-docs

repository for msix content
Creative Commons Attribution 4.0 International

Persistent Identity documents seem incomplete (or feature is broken), and makeappx gives uninformative error message #304

Closed fredemmott closed 2 years ago

fredemmott commented 2 years ago

I followed the instructions, and have an artifacts.txt, artifact.cat (signed and timestamped), and artifact.xml

I am using makeappx from https://www.nuget.org/packages/Microsoft.Windows.SDK.BuildTools/ 10.0.22000.197

I get:

```
Adding publisher bridging file "artifact.xml" and "artifact.cat" to the package.

MakeAppx : error: Error info: Unspecified error

MakeAppx : error: Package creation failed.

MakeAppx : error: 0x80080218 - MakeAppx encountered an error: ID=0x80080218, Error=317)
Done Adding Additional Store
```

More details:

passing /pb to makeappx here: https://github.com/fredemmott/OpenKneeboard/blob/f62238acf2b437245168d11707d67df2b79346c1/.github/workflows/ci.yml#L52

publisher bridging artifacts: https://github.com/fredemmott/OpenKneeboard/tree/8778109a9c1d2e1ecc75fa8ab76117945af73ec8/src/app/artifacts

Windows 10 file properties tells me the .cat signature is valid

Failed CI run: https://github.com/fredemmott/OpenKneeboard/runs/5505915627?check_suite_focus=true



florelis commented 2 years ago

The error code is 0x80080218 = APPX_E_INVALID_PUBLISHER_BRIDGING. This means that the artifact(s) xml+cat did not match the manifest.

I looked at the artifact and manifest, and it seems you are using the "new" publisher name in the manifest. The manifest should use the "old" publisher name. Then, the artifact will allow you to sign the package using a certificate with the "new" name. @fredemmott can you give it a try using the other publisher name in the manifest?

@dianmsft I think the docs may not be clear that the manifest should use the "old" publisher. Can we update them to make it clearer?
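
The mismatch described in the reply above can be caught before packaging. This is an added example, not part of the thread and not MakeAppx code: a pre-flight check that reads the `Publisher` from an AppxManifest and reports whether it carries the old or the new publisher name. The manifest, the publisher strings and the function names are constructed for illustration, and the whitespace- and case-tolerant DN comparison is an assumption of this sketch, not MakeAppx's documented matching rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (placeholders, not the OpenKneeboard files).
OLD_PUBLISHER = "CN=Example Dev, S=California, C=US"
NEW_PUBLISHER = "CN=Example Dev, S=Texas, C=US"
SAMPLE_MANIFEST = """<Package
    xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.App" Version="1.0.0.0"
            Publisher="CN=Example Dev, S=Texas, C=US" />
</Package>"""


def normalize_dn(dn):
    """Trim each RDN and upper-case its attribute type.

    Assumption of this sketch: tolerant comparison; MakeAppx may be stricter.
    Commas escaped with a backslash stay inside their value.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        parts.append(f"{key.strip().upper()}={value.strip()}")
    return ",".join(parts)


def manifest_publisher(manifest_xml):
    """Return the Publisher attribute of <Identity>, ignoring the namespace."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":
            return el.attrib["Publisher"]
    raise ValueError("manifest has no <Identity> element")


def check_bridging(manifest_xml, old_publisher, new_publisher):
    """Classify the manifest publisher against the old/new pair."""
    pub = normalize_dn(manifest_publisher(manifest_xml))
    if pub == normalize_dn(old_publisher):
        return "ok"  # manifest keeps the old name, as the reply advises
    if pub == normalize_dn(new_publisher):
        return "manifest-uses-new-publisher"  # the mix-up in this thread
    return "manifest-matches-neither"


if __name__ == "__main__":
    print(check_bridging(SAMPLE_MANIFEST, OLD_PUBLISHER, NEW_PUBLISHER))
```

Run as a CI step ahead of the `makeappx` call so a wrong publisher fails the build with a readable message rather than `Unspecified error`.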

fredemmott commented 2 years ago

Sorry for the slow reply; I'll give it a try when I have a break from other stuff. I've ended up publishing releases with the new identity already, so it's more of a 'damage done' thing.

> I think the docs may not be clear that the manifest should use the "old" publisher. Can we update them to make it clearer?

Yeah, this isn't clear to me from re-reading.

> You will still need to install the old certificate (recommended with timestamp) on the machine for the platform to install the package that was signed by the new certificate.

It's also unclear what this means in practice for 'sideloaded' MSIX: do I have to explicitly give my users the old certificate and ask them to install it manually, or is there a way to embed it in the MSIX?

If I need to ask all new users to install it manually, forever, this isn't a practical option: it's less friction for my users to ask them to uninstall and reinstall instead of upgrade, if I've moved since my code signing certificate was last renewed.

For context, the reason I care about this is I have a personal code signing certificate, not an organizational one, so the city/state are required to match what's on my government-issued IDs or similar proof of address. For example, I hit this problem this time as my previous certificate was for "Fred Emmott" with "State=California", then I moved, so now I can only get certificates as "Fred Emmott" with "State=Texas".

dianmsft commented 2 years ago

In terms of the old certificate, the device will need to have the old certificate in order to install the package and use this feature.

Thank you for the feedback. We'll put this improvement in our backlog.