vcsjones / AzureSignTool

SignTool Library and Azure Key Vault Support
MIT License

Problem with CN's containing commas and wrapped in double quotes #119

Closed chrpai closed 1 year ago

chrpai commented 3 years ago

I have a client who I've helped setup an Azure DevOps pipeline to build an MSIX package. It's been fine for months but recently he got a new EV-HSM based cert. In the cert the issuer has added commas to his CN. I have attempted various ways to escape the comma but all of them result in an error message:

nfo: AzureSignTool.Program[0] => File: Mercury.msix Signing file Mercury.msix
fail: AzureSignTool.Program[0] => File: Mercury.msix The Publisher Identity in the AppxManifest.xml does not match the subject on the certificate for file Mercury.msix.
fail: AzureSignTool.Program[0] => File: Mercury.msix Signing failed with error 8007000B for file Mercury.msix.

Our public key says our subject is:

Subject
businessCategory = Private Organization
serialNumber = 3443701
jurisdictionOfIncorporationC = US
jurisdictionOfIncorporationSP = New York
C = US
ST = New York
L = Bronxville
STREET = redacted
O = H SALIM & CO., INC.
OU = Mercury
CN = H SALIM & CO., INC.
E = redacted

The vendor of the tool that I use to generate the MSIX says I should use a format like:

<fgmsix:Msix Id="HSalimCo.Mercury" Publisher='CN=&quot;H SALIM &amp; CO., INC.&quot;, O=&quot;H SALIM &amp; CO., INC.&quot;, STREET=redacted, L=Bronxville, S=New York, C=US' Target="desktop" />

However, when I try this I still get the error out of AzureSignTool. Am I escaping the CN wrong, or is there a possible issue with AzureSignTool comparing the two strings?

vcsjones commented 3 years ago

I suspect this is an issue in Windows' APPX/MSIX SIP for signing and would reproduce with normal signtool, not just AzureSignTool. I will check to see if that is the case.

clairernovotny commented 3 years ago

I'm pretty sure it's just a matter of the right escaping that's needed here as I had a comma in my LLC before Some Company, LLC and it did work. But I didn't manually set the XML, the signing service did that.

chrpai commented 3 years ago

I'm not sure I can test with signtool as I only have the certificate in EV-HSM format in Azure Key Vault. Maybe I am missing something.

Is there any way to get more debug information out of AzureKeySign? If I know exactly what the two inequalities were I could try to update the XML inside the APPX/MSIX manually and see if it works.

rfcdejong commented 3 years ago

I don't have a comma inside the name and also keep getting this error... did you manage to use the Azure EV HSM by now?

chrpai commented 3 years ago

We are able to use Azure EV HSM to sign other things like .EXE, .DLL and .MSI but when we sign the .MSIX it doesn't work. I've been unable to find a way and we just turned that part of the pipeline off for now. I don't have a certificate with a CN that doesn't include a comma so I can't test that.

rfcdejong commented 3 years ago

This issue is related, might be the same problem https://github.com/vcsjones/AzureSignTool/issues/122

I'm giving up as well. @vcsjones or @clairernovotny are the ones that might be able to fix it.

abarger-bss commented 3 years ago

Hi all,

I have just had some success with this issue.

I recently obtained an EV SSL cert through DigiCert which is stored in an HSM Azure Key Vault. I had been trying to use AzureSignTool without success to sign an MSIX package with this cert due to the same error posted by @chrpai.

This is my cert's subject according to Key Vault:

SERIALNUMBER=REDACTED???, C=US, ST=Indiana, L=Indianapolis, O=Bastian Solutions, LLC, OU=Bastian Solutions, CN=Bastian Solutions, LLC

I finally imported the cert's crt file into my current user certificate store and used PowerShell to get the subject string:

PS> $cert = Get-Item Cert:\CurrentUser\TrustedPeople\8F47A2D0DB5E66987F886B3C45B0AB17158364BC
PS> $cert.Subject
CN="Bastian Solutions, LLC", OU=Bastian Solutions, O="Bastian Solutions, LLC", L=Indianapolis, S=Indiana, C=US, SERIALNUMBER=REDACTED???, OID.1.3.6.1.4.1.311.60.2.1.2=Indiana, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Note the additional OIDs and the use of S instead of ST for state.

I pasted this directly into the Publisher Identity of my MSIX appxmanifest file, escaping quotes as necessary:

<Identity Name="MyApp"
          Version="1.*"
          Publisher="CN=&quot;Bastian Solutions, LLC&quot;, OU=Bastian Solutions, O=&quot;Bastian Solutions, LLC&quot;, L=Indianapolis, S=Indiana, C=US, SERIALNUMBER=REDACTED???, OID.1.3.6.1.4.1.311.60.2.1.2=Indiana, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization"
          ProcessorArchitecture="x64" />

Following these steps, makeappx packaged my app without issue, and AzureSignTool signed my MSIX without issue.

It seems to me AzureSignTool or its dependencies are just extremely sensitive to any variation in the distinguished name between the cert and the publisher. Hopefully this helps someone!

peterdrier commented 2 years ago

"I have just had some success with this issue"

Your fix here has also worked for me. It seems the Identity.Publisher must match the ENTIRE Subject of the certificate, not just the CN field which most of the other documentation around this led me to believe.

In my case, that includes my personal e-mail and business address, thanks so much GlobalSign.

Thanks for ending what's been a multi day journey.

-Peter

chrpai commented 1 year ago

We stepped away from MSIX for a while and decided to come back to it today. The way suggested by @abarger-bss worked perfectly. I'm considering this closed.

LevYas commented 7 months ago

There's no need to install the certificate.

  1. Sign any exe or DLL with your certificate
  2. Execute this in PowerShell: (Get-AuthenticodeSignature -FilePath <yourPathToSignedFile>).SignerCertificate.Subject

That will give you the exact line to copy and paste into the manifest.

It would be much more convenient if, given that the signing tool cares that much about the match, the tool put the correct value into the manifest by itself :(
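The two workarounds above (read the Subject exactly as Windows renders it, then paste it into Identity/@Publisher with the quotes escaped) can be done in one script so the manifest is never hand-edited. This is an added example, not code from the issue thread or from the AzureSignTool project; the file paths are placeholders, and it assumes the manifest is a standard AppxManifest.xml whose Package element carries the default appx namespace.

```powershell
# Added example: copy the signing certificate's Subject, as Windows renders it,
# into Identity/@Publisher of an AppxManifest.xml so the two match character for character.
param(
    [Parameter(Mandatory)] [string] $SignedFile,    # placeholder: any .exe/.dll already signed with the same cert
    [Parameter(Mandatory)] [string] $ManifestPath   # placeholder: path to AppxManifest.xml
)

# Take the certificate from an existing Authenticode signature (LevYas's method),
# so nothing has to be imported into a certificate store.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($sig.Status -ne 'Valid') {
    throw "Signature on $SignedFile is $($sig.Status); refusing to read a signer from an untrusted signature."
}
# Windows' rendering of the DN: CN first, comma-containing values in double quotes,
# S= rather than ST=, and OID.x.y.z= for attributes Windows has no short name for.
$subject = $sig.SignerCertificate.Subject

# Use the XML parser rather than a string replace so '"' and '&' inside the
# attribute value are escaped (&quot;, &amp;) exactly as the manifest schema needs.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$manifestFullPath = (Resolve-Path $ManifestPath).Path
$xml.Load($manifestFullPath)
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('m', $xml.DocumentElement.NamespaceURI)
$identity = $xml.SelectSingleNode('/m:Package/m:Identity', $ns)
if (-not $identity) { throw "No Package/Identity element found in $ManifestPath" }

# Compare case-sensitively: the signing SIP treats any variation as a mismatch.
$current = $identity.GetAttribute('Publisher')
if ($current -ceq $subject) {
    Write-Host "Identity/@Publisher already matches the certificate subject."
} else {
    Write-Host "Identity/@Publisher differs from the certificate subject:"
    Write-Host "  manifest: $current"
    Write-Host "  cert:     $subject"
    $identity.SetAttribute('Publisher', $subject)   # XmlDocument escapes " and & on save
    $xml.Save($manifestFullPath)
    Write-Host "Updated Identity/@Publisher in $ManifestPath; rebuild the package with makeappx before signing."
}
```

Run it before makeappx; if the manifest is generated by a packaging tool (as in the original report), apply the same value to that tool's Publisher setting instead, since a regenerated manifest would otherwise overwrite the change.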