Problem with CN's containing commas and wrapped in double quotes
I have a client who I’ve helped set up an Azure DevOps pipeline to build an MSIX package. It’s been fine for months but recently he got a new EV-HSM based cert. In the cert the issuer has added commas to his CN. I have attempted various ways to escape the comma but all of them result in an error message:
info: AzureSignTool.Program[0] => File: Mercury.msix
      Signing file Mercury.msix
fail: AzureSignTool.Program[0] => File: Mercury.msix
      The Publisher Identity in the AppxManifest.xml does not match the subject on the certificate for file Mercury.msix.
fail: AzureSignTool.Program[0] => File: Mercury.msix
      Signing failed with error 8007000B for file Mercury.msix.
Our public key says our subject is:
Subject
  businessCategory = Private Organization
  serialNumber = 3443701
  jurisdictionOfIncorporationC = US
  jurisdictionOfIncorporationSP = New York
  C = US
  ST = New York
  L = Bronxville
  STREET = redacted
  O = H SALIM & CO., INC.
  OU = Mercury
  CN = H SALIM & CO., INC.
  E = redacted
The vendor of the tool that I use to generate the MSIX says I should use a format like:
<fgmsix:Msix Id="HSalimCo.Mercury" Publisher='CN="H SALIM & CO., INC.", O="H SALIM & CO., INC.", STREET=redacted, L=Bronxville, S=New York, C=US' Target="desktop" />
However when I try this I still get the error out of AzureSignTool. Am I escaping the CN wrong or is there a possible issue with AzureSignTool comparing the two strings?
- Created 3 years ago
- Comments: 9 (1 by maintainers)
Top GitHub Comments
Hi all,
I have just had some success with this issue.
I recently obtained an EV SSL cert through digicert which is stored in an HSM Azure Key Vault. I had been trying to use AzureSignTool without success to sign an MSIX package with this cert due to the same error posted by @chrpai.
This is my cert’s subject according to Key Vault:
I finally imported the cert’s crt file into my current user certificate store and used PowerShell to get the subject string:
Note the additional OIDs and the use of S instead of ST for state.
I pasted this directly into the Publisher Identity of my MSIX appxmanifest file, escaping quotes as necessary:
Following these steps, makeappx packaged my app without issue, and AzureSignTool signed my MSIX without issue.
It seems to me AzureSignTool or its dependencies are just extremely sensitive to any variation in the distinguished name between the cert and the publisher. Hopefully this helps someone!
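A pre-signing check built on the approach above, added here as an example and not code from the thread or from AzureSignTool: it reads the certificate's subject exactly as Windows formats it (commas quoted, S instead of ST, extra OIDs spelled out) and compares it with the Publisher attribute in AppxManifest.xml, so an escaping mistake surfaces before the 8007000B error does. The certificate file path and manifest path are parameters; the comparison is a strict string match, which is an assumption on the safe side of however the signing code compares.

```powershell
# Added example, not from the issue thread. Compares a signing certificate's
# subject with the Publisher attribute of an AppxManifest.xml before signing.
# Assumption: $CertPath is a .cer/.crt with the public part (enough to read the
# subject); $ManifestPath is the package's AppxManifest.xml.
param(
    [Parameter(Mandatory)][string]$CertPath,
    [Parameter(Mandatory)][string]$ManifestPath
)

# .NET renders the subject the same way the Windows cert store does: RDNs
# separated by ", ", values containing commas wrapped in double quotes,
# state as S=, and unknown attributes as OID.x.y.z=.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$subject = $cert.Subject

# PowerShell's XML adapter resolves Package/Identity regardless of the
# manifest's default namespace.
[xml]$manifest = Get-Content -LiteralPath $ManifestPath -Raw
$publisher = [string]$manifest.Package.Identity.Publisher

Write-Host "Certificate subject: $subject"
Write-Host "Manifest Publisher : $publisher"

# Strict, case-sensitive comparison: any variation at all is worth fixing
# before handing the package to the signing tool.
if ($subject -ceq $publisher) {
    Write-Host "OK: Publisher matches the certificate subject exactly."
    exit 0
}

# Report the first differing character so quoting/escaping slips are obvious.
$len = [Math]::Min($subject.Length, $publisher.Length)
$i = 0
while ($i -lt $len -and ($subject[$i] -ceq $publisher[$i])) { $i++ }
Write-Warning ("Mismatch at character {0}: cert '{1}' vs manifest '{2}'" -f `
    $i, $subject.Substring($i), $publisher.Substring($i))

# Print the subject XML-escaped so it can be pasted into the Publisher
# attribute as-is (the double quotes become &quot;).
Write-Host "Use this value for Publisher:"
Write-Host ([System.Security.SecurityElement]::Escape($subject))
exit 1
```

Run it as `.\Check-Publisher.ps1 -CertPath .\signing.cer -ManifestPath .\AppxManifest.xml`; a non-zero exit is suitable as a pipeline gate ahead of the AzureSignTool step.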
We stepped away from MSIX for a while and decided to come back to it today. The way suggested by @abarger-bss worked perfectly. I’m considering this closed.