
Problem with CN's containing commas and wrapped in double quotes


I have a client who I’ve helped set up an Azure DevOps pipeline to build an MSIX package. It’s been fine for months but recently he got a new EV-HSM based cert. In the cert the issuer has added commas to his CN. I have attempted various ways to escape the comma but all of them result in an error message:

info: AzureSignTool.Program[0]
      => File: Mercury.msix
      Signing file Mercury.msix
fail: AzureSignTool.Program[0]
      => File: Mercury.msix
      The Publisher Identity in the AppxManifest.xml does not match the subject on the certificate for file Mercury.msix.
fail: AzureSignTool.Program[0]
      => File: Mercury.msix
      Signing failed with error 8007000B for file Mercury.msix.

Our public key says our subject is:

Subject
businessCategory = Private Organization
serialNumber = 3443701
jurisdictionOfIncorporationC = US
jurisdictionOfIncorporationSP = New York
C = US
ST = New York
L = Bronxville
STREET = redacted
O = H SALIM & CO., INC.
OU = Mercury
CN = H SALIM & CO., INC.
E = redacted

The vendor of the tool that I use to generate the MSIX says I should use a format like:

<fgmsix:Msix Id="HSalimCo.Mercury" Publisher='CN=&quot;H SALIM &amp; CO., INC.&quot;, O=&quot;H SALIM &amp; CO., INC.&quot;, STREET=redacted, L=Bronxville, S=New York, C=US' Target="desktop" />

However, when I try this I still get the error out of AzureSignTool. Am I escaping the CN wrong or is there a possible issue with AzureSignTool comparing the two strings?

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:9 (1 by maintainers)

Top GitHub Comments

7 reactions
abarger-bss commented, Jun 24, 2021

Hi all,

I have just had some success with this issue.

I recently obtained an EV SSL cert through DigiCert which is stored in an HSM Azure Key Vault. I had been trying to use AzureSignTool without success to sign an MSIX package with this cert due to the same error posted by @chrpai.

This is my cert’s subject according to Key Vault:

SERIALNUMBER=REDACTED???, C=US, ST=Indiana, L=Indianapolis, O=Bastian Solutions, LLC, OU=Bastian Solutions, CN=Bastian Solutions, LLC

I finally imported the cert’s crt file into my current user certificate store and used PowerShell to get the subject string:

PS> $cert = Get-Item Cert:\CurrentUser\TrustedPeople\8F47A2D0DB5E66987F886B3C45B0AB17158364BC
PS> $cert.Subject
CN="Bastian Solutions, LLC", OU=Bastian Solutions, O="Bastian Solutions, LLC", L=Indianapolis, S=Indiana, C=US, SERIALNUMBER=REDACTED???, OID.1.3.6.1.4.1.311.60.2.1.2=Indiana, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization

Note the additional OIDs and the use of S instead of ST for state.

I pasted this directly into the Publisher Identity of my MSIX appxmanifest file, escaping quotes as necessary:

 <Identity Name="MyApp" 
            Version="1.*" 
            Publisher="CN=&quot;Bastian Solutions, LLC&quot;, OU=Bastian Solutions, O=&quot;Bastian Solutions, LLC&quot;, L=Indianapolis, S=Indiana, C=US, SERIALNUMBER=REDACTED???, OID.1.3.6.1.4.1.311.60.2.1.2=Indiana, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization" 
            ProcessorArchitecture="x64" />

Following these steps, makeappx packaged my app without issue, and AzureSignTool signed my MSIX without issue.

It seems to me AzureSignTool or its dependencies are just extremely sensitive to any variation in the distinguished name between the cert and the publisher. Hopefully this helps someone!
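
A pre-sign check for the mismatch described in the answer above, as an added example that is not part of the original thread or of AzureSignTool: it compares the decoded Publisher attribute with the certificate subject string character for character and reports where they first diverge. The function name `Test-PublisherMatch`, the sample subject and the sample manifests are constructed for illustration, and strict string equality is an assumption based on what worked in the answer.

```powershell
# Added example: compare the manifest Publisher with the certificate subject before signing.
function Test-PublisherMatch {
    param(
        [Parameter(Mandatory)][string]$ManifestXml,  # text of AppxManifest.xml
        [Parameter(Mandatory)][string]$CertSubject   # value of $cert.Subject
    )
    # The XML parser decodes &quot; and &amp;, so this is the string as the manifest means it.
    $publisher = ([xml]$ManifestXml).Package.Identity.Publisher

    # Walk both strings to the first character that differs (case-sensitive).
    $n = [Math]::Min($publisher.Length, $CertSubject.Length)
    $i = 0
    while ($i -lt $n -and $publisher[$i] -ceq $CertSubject[$i]) { $i++ }
    $same = ($publisher.Length -eq $CertSubject.Length) -and ($i -eq $n)

    [pscustomobject]@{
        Match            = $same
        FirstDifference  = if ($same) { -1 } else { $i }
        Publisher        = $publisher
        CertSubject      = $CertSubject
        # Subject with quotes and ampersands XML-escaped, ready to paste into Publisher="...".
        PasteAsPublisher = [System.Security.SecurityElement]::Escape($CertSubject)
    }
}

# Constructed sample data (not from a real certificate).
$subject = 'CN="Example Co., Inc.", O="Example Co., Inc.", L=Indianapolis, S=Indiana, C=US'
$template = @'
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="MyApp" Version="1.0.0.0" Publisher="{0}" ProcessorArchitecture="x64" />
</Package>
'@

# Key Vault style ordering, ST instead of S, no quoting around the comma: expected mismatch.
$bad  = $template -f 'C=US, ST=Indiana, L=Indianapolis, O=Example Co., Inc., CN=Example Co., Inc.'
# Subject pasted as Windows renders it, with quotes XML-escaped: expected match.
$good = $template -f ([System.Security.SecurityElement]::Escape($subject))

Test-PublisherMatch -ManifestXml $bad  -CertSubject $subject | Format-List
Test-PublisherMatch -ManifestXml $good -CertSubject $subject | Format-List
```

In a pipeline, pass the real manifest text and the `$cert.Subject` value obtained as in the answer, and fail the build step when `Match` is false.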

0 reactions
chrpai commented, Nov 5, 2022

We stepped away from MSIX for a while and decided to come back to it today. The way suggested by @abarger-bss worked perfectly. I’m considering this closed.
