locked
[W8.1]Is a code signing certificate required for submitting an app to Windows Store? RRS feed

  • Question

  • We are trying to update our Windows apps. However, our code signing certificate expired. After ordered a new certificate, we still cannot submit the app to the Store. When using Visual Studio 2015 to create app package, it reports the following error: "

    SignTool Error: An unexpected internal error has occurred.

    5>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(3919,5): error APPX1204: "

    We have tried many things, and contacted the certificate provider (Digicert) and Microsoft support. The problem has not yet been solved.

    The Signtool problem seems to be caused by Publisher ID does not match. In our developer account, it is:

              CN=3D5A894B-F6E2-4472-BAA1-A0DBXXXXXXXX.<o:p></o:p>

     In the new code signing certificate, it is:

             CN="Drive Headquarters, Inc.", O="Drive Headquarters, Inc.", L=San Ramon, S=California, C=US<o:p></o:p>

    The MS support staff suggested if we get a new code signing certificate with matching info, it should work fine. He also mentioned that a certificate is not needed as the app will be reviewed by Microsoft and signed by Microsoft before published to the Store.  However, in Visual Studio 2015, it seems we must have a code signing certificate to build an app for the Store. How can we remove the certificate requirement?  Note the app was originally designed for Windows 8, and has been updated to Windows 8.1. It has NOT been converted to Universal App.

    Any help is greatly appreciated. Thanks.


    DriveHQ


    Monday, October 17, 2016 6:55 PM

Answers

  • You don't need a custom signing cert to upload to the store. Ultimately the store will sign the app for you.

    Make sure your app is associated with the store so that it has matching publisher and app IDs, then use the default test certificate that VS generates rather than using your own.

    You'll need your own trustable certificate if you're going to side-load, in which case you'll need to make sure the ID matches the publisher in the appxmanifest. If you choose the certificate from the manifest designers' Packaging tab then it should pull the publisher name from the cert.

    Monday, October 17, 2016 7:49 PM

All replies

  • You don't need a custom signing cert to upload to the store. Ultimately the store will sign the app for you.

    Make sure your app is associated with the store so that it has matching publisher and app IDs, then use the default test certificate that VS generates rather than using your own.

    You'll need your own trustable certificate if you're going to side-load, in which case you'll need to make sure the ID matches the publisher in the appxmanifest. If you choose the certificate from the manifest designers' Packaging tab then it should pull the publisher name from the cert.

    Monday, October 17, 2016 7:49 PM
  • upgrade Windows SDK to build 14366 if you haven't. That version has a signtool with better error message support than old ones.

    Also check common signtool errors: https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-signing



    Visual C++ MVP


    Monday, October 17, 2016 7:50 PM
  • This is really odd... I followed your instruction and created a test certificate; and the app is associated with an existing app in the Store, and the publisher ID and display name both match. However, it still failed to sign the appx, see the error message below:

    ------------------------------

    5>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(3919,5): error APPX1204: Failed to sign 'E:\DriveHQsrc\Win8\FileManager\pub\FileManager_2.3.450.471_Test\FileManager_2.3.450.471_x86_x64_arm.appxbundle'. SignTool Error: An unexpected internal error has occurred.

    5>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(3919,5): error APPX1204:

    -----------------------

    Note the app was originally designed for Windows 8, and has been upgraded to Windows 8.1 ( no longer supports Win 8.0).


    DriveHQ

    Monday, October 17, 2016 8:45 PM
  • I also tried with the command-line:

    "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /fd SHA256 /a /f D:\Work\WindowsMetro\Win8\FileManager\FileManager_TemporaryKey.pfx /p PSWDXXXXXX D:\Work\WindowsMetro\Win8\FileManager\bin\x86\Release\FileManager_2.3.450.460_x86.appx

    It reports the following error message:

    -----------

    Done Adding Additional Store
    SignTool Error: An unexpected internal error has occurred.
    Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

    -----------

    Note the previous app was submitted about 2 or 3 years ago, and used a Symantec (VeriSign) code signing certificate. The new code signing certificate is from Digicert (which is listed in MS support page as a root CA). Digicert does not want to change the Publisher ID to a GUID.

    Is this problem related with Windows 8.1 App?


    DriveHQ

    Monday, October 17, 2016 8:54 PM
  • Thank you for your help. I have found the problem. The test certificate works fine. The reason it did not work is because I forgot to update the package file name...

    DriveHQ

    Monday, October 17, 2016 11:55 PM