Closed fredemmott closed 2 years ago
The error code is 0x80080218 = APPX_E_INVALID_PUBLISHER_BRIDGING. This means that the artifact(s) xml+cat did not match the manifest.
I looked at the artifact and manifest, and it seems you are using the "new" publisher name in the manifest. The manifest should use the "old" publisher name. Then, the artifact will allow you to sign the package using a certificate with the "new" name. @fredemmott can you give it a try using the other publisher name in the manifest?
@dianmsft I think the docs may not be clear that the manifest should use the "old" publisher. Can we update them to make it clearer?
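A pre-build check for the mismatch described above, as an added example that is not part of the thread or of Microsoft's tooling: it reads the `Publisher` attribute of `<Identity>` from the manifest text and reports whether it carries the old or the new publisher name. The publisher strings, the package name and the function names are constructed for illustration, and the name comparison is a simplification.

```python
import xml.etree.ElementTree as ET

# Default namespace of the <Package> root in a Windows 10+ AppxManifest.xml.
MANIFEST_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def normalize_dn(dn):
    """Trim whitespace and upper-case attribute keys, keeping their order.
    Simplification (assumption): no commas inside attribute values."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append((key.strip().upper(), value.strip()))
    return tuple(parts)


def manifest_publisher(manifest_xml):
    """Return Identity/@Publisher from the manifest text."""
    root = ET.fromstring(manifest_xml)
    identity = root.find(MANIFEST_NS + "Identity")
    if identity is None or "Publisher" not in identity.attrib:
        raise ValueError("manifest has no Identity/@Publisher")
    return identity.attrib["Publisher"]


def check_bridging(manifest_xml, old_publisher, new_publisher):
    """Classify the manifest publisher for a build that uses bridging artifacts."""
    found = normalize_dn(manifest_publisher(manifest_xml))
    if found == normalize_dn(old_publisher):
        return "ok"  # manifest keeps the old name, as the thread advises
    if found == normalize_dn(new_publisher):
        # The case the thread associates with 0x80080218.
        return "manifest-uses-new-publisher"
    return "unknown-publisher"


# Constructed sample values, not taken from the repository linked in the thread.
OLD = "CN=Example Publisher, S=California, C=US"
NEW = "CN=Example Publisher, S=Texas, C=US"
TEMPLATE = (
    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
    '<Identity Name="Example.App" Publisher="{pub}" Version="1.0.0.0" /></Package>'
)

if __name__ == "__main__":
    for pub in (OLD, NEW):
        print(pub, "->", check_bridging(TEMPLATE.format(pub=pub), OLD, NEW))
```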
Sorry for the slow reply; I'll give it a try when I have a break from other stuff. I've ended up publishing releases with the new identity already, so it's more of a 'damage done' thing.
I think the docs may not be clear that the manifest should use the "old" publisher. Can we update them to make it clearer?
Yeah, this isn't clear to me from re-reading.
You will still need to install the old certificate (recommended with timestamp) on the machine for the platform to install the package that was signed by the new certificate.
It's also unclear what this means in practice for 'sideloaded' MSIX: do I have to explicitly give my users the old certificate and ask them to install it manually, or is there a way to embed it in the MSIX?
If I need to ask all new users to install it manually, forever, this isn't a practical option: it's less friction for my users to ask them to uninstall and reinstall instead of upgrade, if I've moved since my code signing certificate was last renewed.
For context, the reason I care about this is I have a personal code signing certificate, not an organizational one, so the city/state are required to match what's on my government-issued IDs or similar proof of address. For example, I hit this problem this time as my previous certificate was for "Fred Emmott" with "State=California", then I moved, so now I can only get certificates as "Fred Emmott" with "State=Texas".
In terms of the old certificate, the device will need to have the old certificate in order to install the package and use this feature.
Thank you for the feedback. We'll put this improvement in our backlog.
I followed the instructions, and have an artifacts.txt, artifact.cat (signed and timestamped), and artifact.xml
I am using makeappx from https://www.nuget.org/packages/Microsoft.Windows.SDK.BuildTools/ 10.0.22000.197
I get:
More details:
passing /pb to makeappx here: https://github.com/fredemmott/OpenKneeboard/blob/f62238acf2b437245168d11707d67df2b79346c1/.github/workflows/ci.yml#L52
publisher bridging artifacts: https://github.com/fredemmott/OpenKneeboard/tree/8778109a9c1d2e1ecc75fa8ab76117945af73ec8/src/app/artifacts
Windows 10 file properties tells me the .cat signature is valid
Failed CI run: https://github.com/fredemmott/OpenKneeboard/runs/5505915627?check_suite_focus=true