This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 18%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
In the Azure Trusted Signing accounts, I completed Identity Validation for my LLC
I want to create a certificate to sign an MSIX installer .exe file
The only certificate profiles listed are "Public Trust and VBS Enclave."
According to ChatGPT, "Public Trust" is only used for emails and documents.
and will not sign an MSIX
So, how to get a certificate to sign an MSIX ?
Is this possible through Trusted Signing accounts?
The Trusted Signing accounts service allows you to enter details of your LLC company
(including Duns number / Tax Id / EIN etc)
Then uses a lookup to check your LLC Company is valid, and has operated in the USA for 3+ years
Once these checks are successfully completed, it allows you to create public trust certificates which are linked to your LLC
The question is - can these certificates be used to sign an MSIX?
ChatGPT states that the public trust certificates can't be used to sign an MSIX
and the is no way to import the generated certificates into the KeyVault to sign
I can see by Trusted Signing account using
az trustedsigning list
I can see the generated certificate - which corresponds to ABC LLC using
az trustedsigning certificate-profile list -g ABC --account-name ABC
I have my KeyVault
az keyvault list
But there aint nothing in the keyvault, and there is no way of importing the Trusted Signing certificate
az keyvault certificate list --vault-name ABCVault --query "[].{Name:name}" -o table
NOTHING HERE
So, First, the According to ChatGPT - Public trust cant be used to sign code
And Second you cant import the Trusted Signing accounts into the keyvault to sign the code
using the AzureSignTool-x64.exe
Yet
https://azure.microsoft.com/en-us/products/trusted-signing
States that the Trusted Signing service can be used to Sign Code
thanks, this worked!!!!!!!!!!!!I was able to get my.MSIX signed using Azure
The Main problem was that I didn't have the DLL and signtool both as 64-bit
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "xxx\Azure.CodeSigning.Dlib.dll" /dmdf "Csign.json" "my.msix"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 13%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
The current MSIX documentation states that a code signing certificate is needed. What's more, it also states that the certificate must chain to be trusted on the device. For any kind of binary, it is a requirement to use a code signing certificate too. So how you obtain the certificate depends on to who and how you wish to distribute the package.
The best option would be a code signing certificate that you have to pay for. It could be a company or an individual certificate, but these resolve to a root certificate that is preinstalled and trusted on all systems. But this costs money, and for a very good reason.
Next, if this is only inteded to be installed in a business environment, it is possible to use any ___domain certificate authority to generate a code signing certificate. It will only be trusted inside the business where the certificate authority holds any sway.
Finally, for very limited cases, it is possible to personally generate a certificate. A code signing certificate like this is not trusted by default but if you set the certificate as trusted on a system then the package will install normally. Yes, this isn't a good alternative for anything but testing and limited use amongst people who trust you or systems that you control.
So as far as I know, the only way to get one that will work publically is through paying trusted certificate roots.
MSIX needs a code signing certificate for public distribution
I had read that these were available from Azure Trusted Signing accounts
But in my Azure, only "public trust" is available
I just wanted to confirm if Trusted Signing accounts
had MSIX code signing certificates, some folks say they do, some say they dont
Thanks, let me check
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 37%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
As no one can download the certificate from Azure, you need to prepare an environment where Trusted Signing can be executed by referring to this in order to sign for MSIX file.
If you want to use signtool in your local machine, you can sign it in the following way.
Create the contents of the above JSON file by referring to sample.
Set azure_tenant_id=<Your Azure TenantId>
signtool.exe sign /fd SHA256 /td SHA256 /tr "http://timestamp.acs.microsoft.com" /dlib "Azure.CodeSigning.Dlib.dll" /dmdf "setting.json" "Test.msix"
If the attempted results did not work, let's read to FAQ for troubleshooting.
I tried this but get error
C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "xxxx\Azure.CodeSigning.Dlib.dll" /dmdf sign.json /sha1 xxxxx /a XXX.msix
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
not sure how to debug this
/sha1 and /a are unnecessary arguments.
In FAQ
| Error | Details |
|---|---|
| Error: "SignerSign() failed." (-2147024846/0x80070032) | Ensure that you're using the latest version of SignTool. |
see, 26100 should be new, but please check if the file version of signtool is up-to-date.
If that doesn't work, try using the 64-bit versions of Signtool and Azure.CodeSigning.Dlib.dll.
If successful, you will receive the following message.
Trusted Signing
Version: 1.0.92
"Metadata": {
"Endpoint": "https://wus2.codesigning.azure.net/",
"CodeSigningAccountName": "******",
"CertificateProfileName": "******",
"ExcludeCredentials": []
}
Submitting digest for signing...
OperationId ********-****-****-****-************: InProgress
Signing completed with status 'Succeeded' in 1.778397s
thanks, help much appreciated
I was using the x86 version of signtool (and the DLL is 64-bit)
when I switched to the 64-bit version of signtool, it is now at least reading the DLL
(Giving me an error message, but I am making progress)
SignTool Error: AuthenticodeDigestSignEx implementation is found in the DLL specified by /dlib option.
It is incompatible with /a /ac /c /f /p /i /n /r /s /sm /sha1 /u /uw option.
Problem resolved, I was able to get the MSIX signed, using signtool, and
Azure trusted signing account using
https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations
Just have to make sure both DLL and signtool are using the 64-bit version.
(Otherwise, it won't read the DLL)