jsign icon indicating copy to clipboard operation
jsign copied to clipboard
verified publisher icon ebourg

--replace option not working for msix installer

Open jasonvooo opened this issue 2 years ago • 4 comments

Thanks for releasing 6.0 with msix installer!

I am running into an issue with using the --replace option when using jsign to sign a msix package. I am under the impression that when using this flag it should replace the existing signature and replace it with the new signature however when running it results in an artefact that has no signature present.

jasonvooo avatar Feb 01 '24 05:02 jasonvooo

I'm not aware of an issue with the replacement of MSIX signatures. This case is covered by a unit test in APPXSignerTest.

If you change the extension of the signed file to .zip and open the archive, do you see an AppxSignature.p7x entry?

ebourg avatar Feb 05 '24 13:02 ebourg

When exporting as a zip I see the AppxSignature.p7x file but when opening the file through explorer properties you cannot see the digital signature.

Before and after running jsign with --replace image

image

jasonvooo avatar Feb 09 '24 03:02 jasonvooo

Could you send the two files, before and after replacing the signature, to [email protected] please? I'd like to inspect them.

ebourg avatar Feb 09 '24 07:02 ebourg

I've been able to reproduce this behavior, the missing 'Digital Signatures' tab happens when the primary signature of the package is made with a certificate whose CN doesn't match the publisher name in the app manifest. signtool usually returns an error code 0x8007000B when verifying such files.

I'll modify Jsign to check the CN before signing MSIX packages.

ebourg avatar Feb 14 '24 08:02 ebourg

@jasonvooo I think this is now fixed, please let me know how it works for you.

ebourg avatar Jul 03 '24 13:07 ebourg