error while signing msix installer #51

Closed
tonyhart7 opened this issue Oct 4, 2021 · 30 comments
Labels: bug (Something isn't working), fixed (bug fixed)

Comments
tonyhart7 commented Oct 4, 2021

ℹ️ Info

MSIX latest

found this error, error while signing msix installer


[❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚] 90% signing..                                     
The following certificate was selected:
    Issued to: tonyhart
    Issued by: tonyhart
    Expires:   Tue Oct 04 19:04:06 2022
    SHA1 hash: A4420D259C6054AEA0F84EB79BC3DDDE58A56FD6

Done Adding Additional Store

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1


SignTool Error: The specified timestamp server either could not be reached 
or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: C:\Development\flutter projects\bus_ticket\admin\dekstop\bus_system_admin/build/windows/runner/Release\bus_system_admin.msix

msix_config:
  display_name: Arsyad Bus Ticket Admin
  publisher_display_name: tonyhart.dev
  identity_name: arsyad.admin.ticketapp
  msix_version: 1.0.0.0
  certificate_path: C:\Users\Tony Hart\Pictures\bus ticket arsyad\cert key\CERTIFICATE.pfx
  certificate_password: 12345
  publisher: CN=arsyad, O=arsyad, L=glenmore, S=java, C=ID
  logo_path: C:\Users\Tony Hart\Pictures\bus ticket arsyad\logo arsyad.png
  start_menu_icon_path: C:\Users\Tony Hart\Pictures\bus ticket arsyad\logo arsyad.png
  tile_icon_path: C:\Users\Tony Hart\Pictures\bus ticket arsyad\logo arsyad.png
  icons_background_color: "#ffffff"
  architecture: x64
  capabilities: 'internetClient'

@YehudaKremer YehudaKremer self-assigned this Oct 4, 2021
@YehudaKremer YehudaKremer added the bug Something isn't working label Oct 4, 2021
@YehudaKremer (Owner):

Hello @tonyhart7,
this package uses http://timestamp.digicert.com to sign with a timestamp.

I tried and failed to reproduce this error;
maybe this timestamp server was down for some time and is now back.
Can you please try again to see if it's working for you now?

@tonyhart7 (Author):

It's working now; I changed my internet provider to another one and it works again.

But I still can't sign with my own cert; the testing cert succeeds.
Can you provide example values for the default cert?

@tonyhart7 (Author):

I managed to match all my cert info and the given info in the yaml file, but I still can't sign the msix.
I know this happens because the given info and the cert info don't match,

but I just typed arsyad into all the fields and it still throws an error.

@YehudaKremer (Owner):

Can you please copy-paste the error here?

@YehudaKremer (Owner):

I published a new version (2.4.0) that automatically signs the .msix file for you,
and also updated the documentation.

@marcov-dart:

I have the same problem as described by tonyhart7, and I am using msix 2.4.2.

I created the pfx using OpenSSL 1.1.1f:

openssl genrsa -out test5_cs.key 2048
openssl req -new -key test5_cs.key -out test5_cs.csr -subj '/CN=Testing/O=Testing Corporation/S=Some-State/C=NL'

This command comes back with: req: Skipping unknown attribute "S".

I looked it up and the proper abbreviation of stateOrProvinceName is ST, not S. This is weird. It looks like Microsoft is going non-standard and is using S instead of ST?

Anyway, I tried leaving it out entirely:

openssl req -new -key test5_cs.key -out test5_cs.csr -subj '/CN=Testing/O=Testing Corporation/C=NL'
openssl x509 -in test5_cs.csr -out test5_cs.crt -req -signkey test5_cs.key -days 10000
openssl pkcs12 -export -out test5_cs.pfx -inkey test5_cs.key -in test5_cs.crt

In the pubspec.yaml:

certificate_path: C:/.../test5_cs.pfx
certificate_password: ...
publisher: CN=Testing, O=Testing Corporation, C=NL

Then run flutter pub run msix:create and the error message appears:

The following certificate was selected:
Issued to: Testing
Issued by: Testing
Expires: Fri Mar 12 06:27:50 2049
SHA1 hash: 25236B1A876330D77BCFF9EA1E61824DE4E459AC

Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

SignTool Error: An unexpected internal error has occurred.

Please note: The value of Publisher should be in one line and with commas, example:
CN=Msix Testing, O=Msix Testing Corporation, S=Some-State, C=US

@YehudaKremer (Owner):

Hello @marcov-dart,
from version 2.4.0 you don't have to set a certificate;
delete certificate_path, certificate_password and publisher and try again.

@marcov-dart:

Thanks, but how then do I specify what certificate to use?

Because now it says: installing test certificate. And it is using the test certificate to sign.

YehudaKremer (Owner) commented Oct 25, 2021

It's automatically using the built-in test certificate;
this test certificate is good for local installation and testing.

If you publish to the Windows Store, your app will be signed automatically by the Windows Store.

@marcov-dart:

Yes, I get that, but I am not going through the Windows Store; I need an msix package with a proper certificate. So I need to create a .csr that works. I am currently self-signing it to test this before spending hundreds of euros on having it signed by an actual certificate authority.
Right now it looks like it won't work. I can make a csr. I can send it to a certificate authority. But then it looks like the signing is going to fail.

YehudaKremer (Owner) commented Oct 25, 2021

I see,
can you send me your test certificate with the password, and I will try it?

@marcov-dart:

Sure, as it is only a test certificate... The export password is 1234

test5_cs.zip

@YehudaKremer (Owner):

Try the same values but in a different order:
publisher: C=NL, O=Testing Corporation, CN=Testing

@marcov-dart:

Yes, thanks!
That worked.

I actually used the order that

openssl x509 -in test5_cs.csr -out test5_cs.crt -req -signkey test5_cs.key -days 10000
reports back:
Signature ok
subject=CN = Testing, O = Testing Corporation, C = NL

So apparently openssl reports this back in reverse order...

@marcov-dart:

Top notch support by the way! Many thanks.

@YehudaKremer (Owner):

You're welcome 👍

YehudaKremer (Owner) commented Oct 25, 2021

@marcov-dart hey again :)

I published a new version (2.5.0);
the "publisher" configuration field is now deprecated, it is recognized automatically.

Please check the updated documentation.

@sensuikan1973:

If I want to specify not "certificate_path/certificate_password" but "publisher" directly, is that impossible?
As far as I can see from d76d886, that is impossible...
My question is, is there an option to keep the "publisher" config?

@YehudaKremer (Owner):

Hello @sensuikan1973,

from 2.5.0 'publisher' is recognized automatically by looking at your certificate details;
why keep 'publisher'?

sensuikan1973 commented Oct 25, 2021

When I publish to the Windows Store, signed by Microsoft, I don't have to specify certificate info; I have to specify "publisher".
(I'm sorry if I'm saying the wrong thing due to lack of study.)

@YehudaKremer (Owner):

@sensuikan1973 You're absolutely right, I forgot to leave it in for when publishing to the Windows Store.
I published a new version (2.5.2) with 'publisher', and updated the CHANGELOG.

Thank you!! ❤️

@sensuikan1973:

Thank you very much !! ❤️

@marcov-dart:

Hey, again! An update: So after the success with the self-signed certificate yesterday I went ahead and ordered the real certificate using the same csr. I got back a zipfile containing the .crt and a .ca-bundle file containing intermediate certificates.
I was able to create the needed .pfx file using:

openssl pkcs12 -export -out codesigning.pfx -inkey xxx.key -in xxx.crt -certfile xxx.ca-bundle

I updated msix to 2.5.3, removed the publisher field and tried flutter pub run msix:create.
This failed with:

The following certificate was selected:
Issued to: xxxx
Issued by: Sectigo Public Code Signing CA R36
Expires: xxxx
SHA1 hash: xxxx

Done Adding Additional Store

Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

SignTool Error: An unexpected internal error has occurred

I tried getting it to work by inspecting the subject in the .pfx and adding back the publisher field. This failed with the same error. It looks like the publisher field gets ignored unless you use -store.

Fortunately, I had done a git clone yesterday and I tried the version that worked for me for the self-signed certificate yesterday. And that version actually worked for me with the previously added publisher field.

I will update my local copy and debug a bit, and see if I can spot what is going wrong in version 2.5.3.

marcov-dart commented Oct 26, 2021

Ok, so, in 2.5.3, the AppxManifest.xml contains the following:

<Identity Name="xxx" Version="1.0.0.0" Publisher="CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB" ProcessorArchitecture="x64" />

Which is the subject of one of the intermediate certificates in the chain.

Maybe I did something wrong creating the pfx file? I should not include the intermediate certificates? Although I feel pretty certain the intermediates are necessary.

In any case that is the origin of the problem.

Maybe a solution here could be to just have CN=xxx in the publisher configuration in combination with certificate_path. And use the CN= to find the correct certificate in the pfx.

YehudaKremer (Owner) commented Oct 26, 2021

Hello @marcov-dart

Thank you for the investigation 👍
You're probably right.

From 2.5.0, I'm using the command certutil -dump -p yourpassword "your_cert.pfx" to get the certificate "Subject" (it's the "publisher" in AppxManifest.xml).
Probably some certificates like yours have different output ('intermediate certificates' like you said) and I need to address this.

I published 2.5.5, which prints the certificate details;
can you please try again with this version and paste the output here (please omit sensitive info)?
Thank you for your time and effort.

@marcov-dart:

Ok, so version 2.5.5 works!

Output:

Element 1:
Serial Number: 48fc93b46055948d36a7c98a89d69416
Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB
NotBefore: 25-5-2021 02:00
NotAfter: 1-1-2029 01:59
Subject: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
Non-root Certificate
Cert Hash(sha1): 329b78a5c9ebc2043242de90ce1b7c6b1ba6c692
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.

================ Certificate 2 ================
================ Begin Nesting Level 1 ================
Element 2:
Serial Number: 621d6d0c52019e3b9079152089211c0a
Issuer: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
NotBefore: 22-3-2021 02:00
NotAfter: 22-3-2036 01:59
Subject: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Non-root Certificate
Cert Hash(sha1): 0bc5e76773d2e44fc9903d4dfefe451553bbec4a
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.

================ Certificate 3 ================
================ Begin Nesting Level 1 ================
Element 3:
Serial Number: XXX
Issuer: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
NotBefore: 26-10-2021 02:00
NotAfter: 26-10-2024 01:59
Subject: CN=XXX, O=XXX, S=XX, C=XX
Non-root Certificate
Cert Hash(sha1): XXX
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.

subjectRow: Subject: CN=XXX, O=XXX, S=XX, C=XX
config.publisher: CN=XXX, O=XXX, S=XXX, C=XX
☑ getting certificate publisher
☑ generate appx manifest
☑ generate PRI file
☑ packing
☑ cleaning temporary files
☑ installing certificate
☑ signing
[❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚❚] 100%
Msix Installer Created:

YehudaKremer added a commit that referenced this issue Oct 27, 2021
@YehudaKremer (Owner):

@marcov-dart We did it 👍

The problem was as you said: I took the first certificate in the chain;
the fix is to take the last one.
I also added special error logs in case this fix doesn't work for different situations in the future.

Published new version 2.6.0 that cleans the output certificate logs and more.
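
Added example, not part of this thread and not the msix package's own code: a Python script that performs the two checks the discussion above converges on, written against the certutil -dump text format posted by marcov-dart. parse_certutil_dump turns the dump into one record per certificate; select_end_entity picks the certificate that issued nothing else in the bundle (the leaf) by following Issuer/Subject links rather than by block position, so it also works when a .pfx happens to list the leaf first; windows_subject_from_openssl_subj turns an OpenSSL -subj string (the format used in the openssl req commands above) into the string certutil and signtool print for a subject, that is RDNs in reverse order, comma-space separated, with S= instead of ST=; and publisher_mismatch names the first RDN on which a configured publisher and a certificate subject disagree, which is the condition behind the SignerSign() 0x8007000b (ERROR_BAD_FORMAT) failure quoted in this thread. The sample dump is constructed from the redacted output above with placeholder subject values and the leaf deliberately listed first; all function names are mine.

```python
"""Added example for this thread; not the msix package's own code.

Two checks for signing an MSIX with a .pfx that bundles a CA chain:
  1. find the end-entity certificate in `certutil -dump -p <pw> <file>.pfx`
     output by Issuer/Subject links, not by block position;
  2. produce the exact Publisher string Windows expects from an OpenSSL
     `-subj` (reverse RDN order, `S=` for stateOrProvinceName) and diff a
     configured Publisher against a certificate subject.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of certutil -dump output, modelled on the redacted output
# posted in this thread (dates, serials and hashes omitted).  The leaf is
# listed FIRST on purpose: PKCS#12 does not guarantee chain order, so a
# "take the last block" rule would pick the CA R36 certificate here.
SAMPLE_CERTUTIL_DUMP = """\
================ Certificate 1 ================
Issuer: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Subject: CN=Example Publisher, O=Example Publisher, S=Example State, C=NL
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed

================ Certificate 2 ================
Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB
Subject: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
No key provider information

================ Certificate 3 ================
Issuer: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
Subject: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
No key provider information
CertUtil: -dump command completed successfully.
"""


@dataclass
class DumpedCert:
    subject: str
    issuer: str
    has_private_key: bool  # certutil prints "Encryption test passed" only for the key-bearing cert


_BLOCK_HEADER = re.compile(r"^=+ Certificate \d+ =+$", re.MULTILINE)


def parse_certutil_dump(text: str) -> List[DumpedCert]:
    """One record per "=== Certificate N ===" block; a block lacking either a
    Subject or an Issuer line is skipped."""
    certs = []
    for block in _BLOCK_HEADER.split(text)[1:]:  # text before the first header is noise
        subject = re.search(r"^Subject: (.+)$", block, re.MULTILINE)
        issuer = re.search(r"^Issuer: (.+)$", block, re.MULTILINE)
        if subject and issuer:
            certs.append(DumpedCert(subject.group(1).strip(), issuer.group(1).strip(),
                                    "Encryption test passed" in block))
    return certs


def select_end_entity(certs: List[DumpedCert]) -> DumpedCert:
    """The leaf is the certificate whose subject issued nothing else in the
    bundle.  If several qualify, the one holding the private key wins."""
    issuers = {c.issuer for c in certs}
    leaves = [c for c in certs if c.subject not in issuers]
    with_key = [c for c in leaves if c.has_private_key]
    if len(with_key) == 1:
        return with_key[0]
    if len(leaves) == 1:
        return leaves[0]
    raise ValueError("cannot identify a single end-entity certificate (%d candidates)" % len(leaves))


def windows_subject_from_openssl_subj(subj: str) -> str:
    """Render an OpenSSL -subj string (e.g. "/CN=x/O=y/ST=z/C=NL") the way
    certutil/signtool print a subject: RDNs in reverse order, ", " separated,
    and stateOrProvinceName as "S=" rather than OpenSSL's "ST=".  This is the
    string AppxManifest.xml's Publisher attribute must equal."""
    rdns = [r for r in re.split(r"(?<!\\)/", subj) if r]  # "\/" inside a value is not a separator
    out = []
    for rdn in rdns:
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r" % rdn)
        out.append("%s=%s" % ("S" if name == "ST" else name, value.replace("\\/", "/")))
    return ", ".join(reversed(out))


def publisher_mismatch(config_publisher: str, cert_subject: str) -> Optional[str]:
    """None when the configured Publisher equals the certificate subject after
    trimming whitespace around the commas (SignTool itself wants an exact
    match); otherwise a message naming the first RDN that differs.  Values
    containing escaped commas are not handled."""
    a = [p.strip() for p in config_publisher.split(",")]
    b = [p.strip() for p in cert_subject.split(",")]
    if a == b:
        return None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return "RDN %d differs: config %r vs certificate %r" % (i, x, y)
    return "RDN count differs: config has %d, certificate has %d" % (len(a), len(b))


if __name__ == "__main__":
    leaf = select_end_entity(parse_certutil_dump(SAMPLE_CERTUTIL_DUMP))
    print("Publisher for AppxManifest.xml:", leaf.subject)
    print(windows_subject_from_openssl_subj("/CN=Testing/O=Testing Corporation/ST=Some-State/C=NL"))
    print(publisher_mismatch("CN=Testing, O=Testing Corporation, C=NL",
                             "C=NL, O=Testing Corporation, CN=Testing"))
```

Running it prints the leaf subject as the Publisher to put in the manifest, the Windows-ordered form of the CSR subject from the openssl req command above, and a report that the first RDN differs when the publisher is written in OpenSSL order (CN first) while the certificate subject is in Windows order (C first), which is the exact mismatch that was resolved in this thread by reordering the publisher field.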

@YehudaKremer (Owner):

Hey @marcov-dart,

I published new version 2.6.2 to fix #61;
please use 2.6.2 and let me know if it's working for you.

@marcov-dart:

Hello @YehudaKremer, yes, 2.6.2 is working for me!

@YehudaKremer YehudaKremer added the fixed bug fixed label Oct 29, 2021
@YehudaKremer (Owner):

Happy to hear that 👍
closing this issue

4 participants