I'm trying to generate a certificate suited for signing a Microsoft Universal Windows Platform (UWP) application. I have one certificate that works that I self-signed, and one issued by my company's internal Certificate Authority based on a CSR (certificate request) file that I crafted and submitted to them.

To generate the self-signed cert, I used the following PowerShell command:

New-SelfSignedCertificate -Type Custom -Subject "<full certificate DN>" -KeyUsage DigitalSignature -FriendlyName "MyFriendlyName" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

To generate the cert issued by our internal CA, I created a CSR with the same attributes:

KeyUsage: Digital Signature
ExtendedKeyUsage: CodeSigning (1.3.6.1.5.5.7.3.3)
2048 bit key
algo: AES-SHA256

With most of the other properties defaulted.

As I said, the self-signed cert works, the CA-issued cert will not be accepted by Visual Studio. Here is the error I get when I try to assign the CA-issued cert for signing:

The Manifest Designer could not import the certificate. The certificate you selected is not valid for signing because it is either expired or has another issue. For more information, see http://go.microsoft.com/fwlink/?LinkID=241478.

Edit - Note: CA Root and Intermediate certs are installed on the machines in the appropriate cert stores

Here are the properties of the certificates side-by-side. Is there any way to know what is specifically wrong with the failing certificate? I feel like I've met all the UWP signing requirements.

UPDATE

Things get stranger. These steps work:

  1. Right Click and "Publish" my UWP app from Solution Explorer
  2. Choose not to sign the package at the time of publishing
  3. Sign the package via the command line with SignTool.exe, using the proper thumbprint (SHA) for my CA-issued certificate; it works!

Here is my SignTool command line:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /fd sha256 /sha1 <my CA-issued cert thumbprint> "path-to-my-unsigned.msix"

Output from Signtool with /v (verbose):

The following certificate was selected:
    Issued to: <my org>
    Issued by: <my internal CA name>
    Expires:   Mon Apr 30 11:41:36 2035
    SHA1 hash: <CA-Issued cert hash>

Done Adding Additional Store
Successfully signed: path-to-my-app.msix

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

So the question still stands, why won't Visual Studio accept my CA-issued cert as a valid signing cert even though I can use it to sign manually with SignTool.exe?

END UPDATE

[Image: properties of the self-signed and CA-issued certificates side-by-side]

I've replied to you on Microsoft Q&A. Please check that. – Roy Li - MSFT

Basic Constraints needs to be end entity or missing; otherwise you have a cert for issuing other certs, not for actually signing code. Can't tell if it's missing or not. – Peter Torr - MSFT

@Peter Torr - All properties of both certificates are shown. I'll triple check but I'm 99.999% sure that Basic Constraints is missing for the CA-issued certificate. I made sure to capture all certificate properties in my screenshots. – Mike Marshall

Is there a difference in the certificate store - CSP and CNG? Run certutil -verifystore -user MY {serialNumber} to get output like: Provider = Microsoft Platform Crypto Provider... A lot of applications still have issues with CNG-based certificates... – Daniel Fisher lennybacon

result: "Provider = Microsoft Software Key Storage Provider" – Mike Marshall
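The requirements discussed in the question and in the comments (DigitalSignature key usage, Code Signing EKU, an end-entity Basic Constraints, a subject matching the package Publisher, and a chain that validates under the code-signing policy) can be checked from the certificate store before handing the certificate to Visual Studio. The script below is an added example, not code from the question, the answer, or Microsoft; the script name, the `$Thumbprint` and `$ExpectedPublisher` parameters, and the sample invocation are assumptions, and the placeholders must be replaced with the real thumbprint and the Publisher value from Package.appxmanifest.

```powershell
# Test-UwpSigningCert.ps1 (hypothetical name) - added example, not from the original post.
# Checks a certificate in Cert:\CurrentUser\My against the properties UWP package
# signing depends on and reports each one that fails. Usage (placeholder values):
#   .\Test-UwpSigningCert.ps1 -Thumbprint <cert thumbprint> -ExpectedPublisher "CN=<Publisher from Package.appxmanifest>"
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$ExpectedPublisher   # Publisher attribute of <Identity> in Package.appxmanifest
)

$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# 1. Validity period: the Manifest Designer error explicitly mentions expiry.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $findings.Add("Outside validity period ($($cert.NotBefore) to $($cert.NotAfter)).")
}

# 2. A private key must be associated with the certificate to sign anything.
if (-not $cert.HasPrivateKey) {
    $findings.Add("No private key is associated with this certificate.")
}

# 3. Key Usage, when present, must include DigitalSignature.
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    $findings.Add("Key Usage does not include DigitalSignature.")
}

# 4. Extended Key Usage must contain Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $false
if ($eku) {
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq '1.3.6.1.5.5.7.3.3') { $hasCodeSigning = $true }
    }
}
if (-not $hasCodeSigning) {
    $findings.Add("Extended Key Usage does not contain Code Signing (1.3.6.1.5.5.7.3.3).")
}

# 5. Basic Constraints must be absent or carry CA=false (end-entity), as Peter's comment notes.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($bc -and $bc.CertificateAuthority) {
    $findings.Add("Basic Constraints marks this as a CA certificate; a signing cert must be an end-entity cert.")
}

# 6. The certificate Subject must match the package Publisher exactly.
if ($ExpectedPublisher -and $cert.Subject -ne $ExpectedPublisher) {
    $findings.Add("Subject '$($cert.Subject)' does not match expected Publisher '$ExpectedPublisher'.")
}

# 7. The chain must build to a trusted root under the code-signing application policy.
#    Revocation checking is disabled here so the check works on an offline machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    foreach ($status in $chain.ChainStatus) {
        $findings.Add("Chain validation: $($status.Status) - $($status.StatusInformation.Trim())")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No obvious problems found for $($cert.Subject) ($Thumbprint)."
} else {
    Write-Output "Findings for $($cert.Subject) ($Thumbprint):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Running this against both the self-signed and the CA-issued thumbprint shows which checks differ between the two. It does not report the key storage provider; for that, the certutil -verifystore command from the comments above remains the way to see whether the key sits behind a legacy CSP or a CNG provider.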

1 Answer

I own this process for UWP - I suspect Peter is right and you're running into the chain validation we're doing internally, and not passing muster for some reason.

Since our internal process is tied to VS Feedback, I'll follow up with you there.

I've created a task for us to give a better error message when we deny a cert for non-obvious reasons.