SignTool internal error when trying to repackage an APPX package?

Earlz · Sep 24, 2012 · Viewed 9.5k times

I'm analyzing existing Windows Store applications and modifying them to make sure my company's obfuscator works with them.

I've run into a bit of a problem doing that though. I can grab an APPX package from the store easily enough (requires Fiddler to get the URL). I can then just use any unzip program to extract the appx to a folder. I can then take the assemblies in the APPX and modify the IL a bit. I then remake and sign the package:

makeappx pack /d "mypackage" /p "mypackage.appx"
signtool sign /fd sha256 /f temporarykey.pfx mypackage.appx

I then get an error with signtool though:

SignTool Error: An unexpected internal error has occured
Error information: "Error: SignerSign() failed." (-2147024885/0x800700b)

And then of course I get an error when trying to install it with the standard PowerShell script created by Visual Studio for installing/sideloading any APPX package.

Found package: C:\....mypackage.appx 
Error: The package is not digitally signed or its signature is corrupted

I've used this exact process for packages generated from Visual Studio. Are temporary keys tied to a particular package or something? What am I missing? Is this a bug in signtool?

Answer

Earlz · Sep 24, 2012

Apparently, you can't just take any temporary key and sign the APPX with it. In particular, the certificate subject lines must match (the "publisher name"). I do not know of a better way of determining what the subject line must actually be. First, try to use signtool and sign the APPX file with any temporary key. Now go to Event Viewer. Then to Applications and Services, then Microsoft, then Windows, then AppxPackaging, and finally Microsoft-Windows-AppxPackages/Operational. There should be an error event that just happened from that build. Check it. It should say something like

Error 0x800700B: The app manifest publisher name (CN=random-hex-number) must match the subject name of the signing certificate (CN=MyWrongName)

So, now make sure to hang on to that random-hex-number. That needs to be the subject line of the certificate and is the cause of the error. To generate a working certificate:

makecert.exe mycert.cer -r -n "CN=random-hex-number" -$ individual -sv private.pkv -pe -cy end
pvk2pfx -pvk private.pkv -spc mycert.cer -pfx mytemporarykey.pfx

Now finally, you should have a temporary key that will work with signtool!

Hopefully this answer serves other people well.
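As an added example (not part of the original question or answer), the following Python script shows where the publisher name that the Event Viewer error reports actually comes from: the Publisher attribute of the Identity element in the package's AppxManifest.xml. It reads that value from a constructed sample manifest, compares it with a candidate certificate subject the way the error message describes (manifest publisher name versus signing certificate subject name), and builds the makecert argument list from the answer's command with the exact subject filled in. The manifest contents, the "CN=..." placeholder values and the file names are constructed for the illustration.

```python
"""Pre-flight check before signtool: does the certificate subject match the
publisher name declared in AppxManifest.xml?

Added illustration. The manifest below is constructed sample data and every
"CN=..." value is a placeholder, not taken from a real package.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample manifest. The real file sits at the root of the
# extracted .appx next to the assemblies; its Identity/@Publisher is what
# the signing and install steps compare against the certificate subject.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Contoso.SampleApp" Version="1.0.0.0"
            Publisher="CN=0123456789ABCDEF-PLACEHOLDER" />
</Package>
"""


def manifest_publisher(manifest_xml: str) -> str:
    """Return the Publisher attribute of the <Identity> element.

    The element is matched by local name so the lookup works whatever
    manifest schema namespace the package declares.
    """
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Identity":
            publisher = elem.get("Publisher")
            if publisher:
                return publisher
    raise ValueError("AppxManifest.xml has no <Identity Publisher=...>")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an X.500 name such as 'CN=Foo, O=Bar' into (type, value) pairs.

    Attribute types are case-insensitive, so they are upper-cased; values
    keep their case and only surrounding whitespace is trimmed. A comma
    escaped as '\\,' stays inside its value.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN component: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def subject_matches(publisher_dn: str, cert_subject_dn: str) -> bool:
    """True when the certificate subject equals the manifest publisher name,
    component by component, which is the condition the 0x800700B error
    in the answer is checking."""
    return parse_dn(publisher_dn) == parse_dn(cert_subject_dn)


def makecert_args(publisher_dn: str, cer: str = "mycert.cer",
                  pvk: str = "private.pvk") -> List[str]:
    """Build the makecert argument list from the answer's command line with the
    publisher name substituted for "CN=random-hex-number", so the subject is
    copied from the manifest rather than retyped. File names are placeholders."""
    return ["makecert.exe", cer, "-r", "-n", publisher_dn, "-$", "individual",
            "-sv", pvk, "-pe", "-cy", "end"]


if __name__ == "__main__":
    publisher = manifest_publisher(SAMPLE_MANIFEST)
    print("manifest publisher:", publisher)
    # A certificate with an unrelated subject: this is the mismatch the
    # AppxPackaging operational log reports.
    print("CN=MyWrongName matches:", subject_matches(publisher, "CN=MyWrongName"))
    # A certificate whose subject was generated from the manifest value.
    print("generated subject matches:", subject_matches(publisher, publisher))
    print("makecert command:", " ".join(makecert_args(publisher)))
```

Run it from the folder holding the extracted package after replacing SAMPLE_MANIFEST with the contents of AppxManifest.xml; if subject_matches returns False for the certificate you intend to use, signtool will fail exactly as the question shows, and the makecert_args output gives the subject that a working temporary key needs.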