[BUG] Failed to parse publisher because ST is not a valid key #232

Closed
praxa-enzo opened this issue Sep 11, 2023 · 5 comments

@praxa-enzo

ℹ️ Info

Version: 3.16.1

💬 Description

When running the following command in our GitHub actions pipeline:

flutter pub run msix:create -v --build-windows false --output-path ./msix --sign-msix false

We get the following error:

C=country, ST=province, O=companyName, OU=Development, CN=companyName' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*

The ST key is not part of the regular expression, while it is a valid key in the subject of our certificate.
A valid key would be S. But if we use this key then it is not possible to sign the installer afterwards because the app manifest publisher name does not match the subject of the certificate.
Would it be possible to make the publisher as described in the pubspec below a valid publisher?

📜 Pubspec.yaml

name: productName
description: description

publish_to: 'none'

version: 0.6.0

environment:
  sdk: 3.0.3
  flutter: 3.10.4

dependencies:
  bloc: 8.0.3
  collection: 1.17.1
  complete_timer: 1.0.0
  data_table_2: 2.4.2
  event: 2.1.2
  file_picker: 5.2.11
  file_saver: 0.1.0
  fl_chart: 0.51.0
  flutter:
    sdk: flutter
  flutter_bloc: 8.0.1
  flutter_mobx: 2.0.6+5
  get_it: 7.2.0
  google_fonts: 4.0.3
  http: 0.13.5
  iirjdart: 0.1.0
  intl: 0.17.0
  meta: 1.9.1
  mobx: 2.1.4
  path: 1.8.3
  queue: 3.1.0+2
  uuid: 3.0.7
  version: 3.0.2
  window_manager: 0.3.5
  cupertino_icons: 1.0.4

dev_dependencies:
  build_runner: 2.3.3
  dependency_validator: 3.2.2
  flutter_lints: 2.0.1
  flutter_test:
    sdk: flutter
  mobx_codegen: 2.2.0
  mockito: 5.4.0
  msix: 3.16.1

flutter:
  uses-material-design: true

  assets:
    - lib/ui/assets/afi_indicators/
    - lib/ui/assets/icons/
    - lib/ui/assets/logo/
    - lib/ui/assets/

  fonts:
    - family: Roboto
      fonts:
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Thin.ttf
          weight: 100
          style: normal
        - asset: lib/ui/assets/fonts/Roboto/Roboto-ThinItalic.ttf
          weight: 100
          style: italic
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Light.ttf
          weight: 300
          style: normal
        - asset: lib/ui/assets/fonts/Roboto/Roboto-LightItalic.ttf
          weight: 300
          style: italic
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Regular.ttf
          weight: 400
          style: normal
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Italic.ttf
          weight: 400
          style: italic
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Medium.ttf
          weight: 500
          style: normal
        - asset: lib/ui/assets/fonts/Roboto/Roboto-MediumItalic.ttf
          weight: 500
          style: italic
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Bold.ttf
          weight: 700
          style: normal
        - asset: lib/ui/assets/fonts/Roboto/Roboto-BoldItalic.ttf
          weight: 700
          style: italic
        - asset: lib/ui/assets/fonts/Roboto/Roboto-Black.ttf
          weight: 900
          style: normal
        - asset: lib/ui/assets/fonts/Roboto/Roboto-BlackItalic.ttf
          weight: 900
          style: italic

msix_config:
  publisher: C = country, ST = province, O = companyName, OU = Development, CN = companyName
  display_name: applicationName
  publisher_display_name: companyName
  identity_name: identity
  logo_path: lib/ui/assets/logo/logo.png

@aloncatz

aloncatz commented Sep 14, 2023

I have the same problem. Found a workaround.

  1. Create a test certificate with the Publisher that you need as a Subject
    New-SelfSignedCertificate -Type Custom -Subject "..." -KeyUsage DigitalSignature -FriendlyName "My Test Certificate" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

  2. Export the certificate to a pfx with some password (I used Windows "Manage User Certificates")

  3. Setup msix_config to sign with the test certificate

  4. Sign the generated msix package again with the real certificate

The most trouble I had was figuring out the exact Subject of the real certificate. I had to download it from Azure Key Vault, import it into Windows Certificate store and then use this PowerShell script to get the subject:
(Get-Item Cert:\CurrentUser\My\<certthumbnail>).Subject

@Sylfwood
Contributor

@YehudaKremer I have the same issue and the fix is simple. I've opened a pull request. Is it possible for you to have a look? It would be really appreciated.

@YehudaKremer
Owner

YehudaKremer commented Sep 14, 2023

@Sylfwood Thank you 👍

Published in version 3.16.2.

@Sylfwood
Contributor

Sylfwood commented Sep 15, 2023

@YehudaKremer Sorry to bother, but the new release does not seem to contain the fix. Or maybe I missed fixing another part in your code with the last pull request?

I still have a similar error with 3.16.2, but I'm not sure it is the same as the one in 3.16.1. Maybe it's because of the manifest validation, and the Microsoft schema does not allow the ST key?

MakeAppx : error: Failure at appxFactory->CreateManifestReader(manifestStream, &manifestReader) - 0x80080204 - The specified package format is not valid: The package manifest is not valid.

MakeAppx : error: Error info: /*[local-name()="Package" and namespace-uri()="http://schemas.microsoft.com/appx/manifest/foundation/windows10"]/*[local-name()="Identity" and namespace-uri()="http://schemas.microsoft.com/appx/manifest/foundation/windows10"][1]/@Publisher

'C=country, ST=province, O=companyName, OU=Development, CN=companyName' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.

I've cleaned the cache, and I can see that the 3.16.2 version is used:


Unhandled exception:

#0      ProcessResultExtensions.exitOnError (package:msix/src/method_extensions.dart:61:7)
#1      MakeAppx.pack (package:msix/src/makeappx.dart:28:9)
<asynchronous suspension>
#2      Msix._packMsixFiles (package:msix/msix.dart:137:5)
<asynchronous suspension>
#3      Msix._createMsix (package:msix/msix.dart:103:5)
<asynchronous suspension>
#4      Msix.create (package:msix/msix.dart:59:5)
<asynchronous suspension>
#5      main (file:///C:/hostedtoolcache/windows/flutter/stable-3.13.0-x64/.pub-cache/hosted/pub.dev/msix-3.16.2/bin/create.dart:4:3)
<asynchronous suspension>

Is it possible for you to take a look at it?

Thanks a lot

@Sylfwood
Contributor

Hum... It seems this is a limitation of Microsoft... Not sure we can do anything about that. I will try the workaround.

Publisher name:

    Required and corresponds to package that describes the publisher information.
    The Publisher attribute must match the publisher subject information of the certificate used to sign a package.
    This field accepts a string between 1 and 8192 characters in length that fits the regular expression of a distinguished name : "(CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")(, ((CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")))*".
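
An added example, not part of the thread or of the msix package: a pre-flight check that runs a publisher string against the pattern quoted in the MakeAppx error and names the components it rejects, then compares the string with the signing certificate's subject. The function names are hypothetical, and modelling the certificate match as exact string equality is an assumption.

```python
import re

# Key list and value syntax copied from the pattern in the MakeAppx error above.
KEYS = ("CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|"
        "POBox|Phone|X21Address|dnQualifier|"
        r"(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+)")
VALUE = r'(([^,+="<>#;])+|".*")'
RDN = rf"({KEYS})={VALUE}"
PUBLISHER = re.compile(rf"{RDN}(, ({RDN}))*")


def split_rdns(dn):
    """Split on ', ' outside double quotes, so quoted values may hold commas."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(dn):
        if dn[i] == '"':
            quoted = not quoted
        if not quoted and dn.startswith(", ", i):
            parts.append(buf)
            buf, i = "", i + 2
            continue
        buf += dn[i]
        i += 1
    return parts + [buf]


def check_publisher(publisher, cert_subject):
    """Return a list of problems; an empty list means the string passes both checks."""
    problems = []
    if not 1 <= len(publisher) <= 8192:
        problems.append("length must be between 1 and 8192 characters")
    if not PUBLISHER.fullmatch(publisher):
        bad = [p for p in split_rdns(publisher) if not re.fullmatch(RDN, p)]
        problems.append("rejected by manifest pattern: " + "; ".join(bad or [publisher]))
    # Assumption: the signing check is modelled as exact string equality.
    if publisher != cert_subject:
        problems.append("does not match certificate subject")
    return problems


# Constructed sample values, taken from the placeholder strings in the issue.
CERT_SUBJECT = "C=country, ST=province, O=companyName, OU=Development, CN=companyName"
WITH_ST = CERT_SUBJECT
WITH_S = CERT_SUBJECT.replace("ST=", "S=")

if __name__ == "__main__":
    for candidate in (WITH_ST, WITH_S):
        print(candidate, "->", check_publisher(candidate, CERT_SUBJECT) or "ok")
```

The two sample strings reproduce the dilemma reported in the thread: the `ST` form matches the certificate subject but fails the manifest pattern, while the `S` form passes the pattern but no longer equals the subject string.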
