
msbuild fails on Certificate could not be opened, network password not correct


I am trying to create a signed appx package as a test using a purchased code signing certificate. I cannot get it to build without installing the cert locally first (which I don't want to do given this will be done in a CI/CD environment).

I am executing the following on a solution containing an empty WPF project and WAP project.

msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release `
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64" `
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never `
/p:AppxPackageSigningEnabled=true /p:PackageCertificateThumbprint=$myThumbprint `
/p:PackageCertificateKeyFile=$myCert /p:PackageCertificatePassword=$myPassword

error: Certificate could not be opened error: The specified network password is not correct

I have confirmed the password of $myPassword and thumbprint is $myThumbprint by importing the cert and verifying it. I have also tried assigning "" to $myThumbprint. I have confirmed the location of $myCert.

It will build if I assign AppxPackageSigningEnabled=false, but it will be unusable as it is not signed.

In appxmanifest, I have assigned Identity/Publisher to the publisher id of the cert (e.g., Publisher="CN=John Doe, O=Acme, L=TheMoon, S=OuterSpace, C=Universe") and Properties/PublisherDisplayName = the cert's CN (=John Doe)

I have tried exporting the pfx into a cer and using that, but that fails on the cert is not usable as it doesn't include a private key.

I have tried exporting the pfx into a base64 string and then creating a pfx from that - still fails (desperate measures).

Any tips greatly appreciated!


Solution

  • I read that a password protected cert needs to be stored in a cert store for msbuild to use it. Therefore, I ignored the cert on build and added it later by doing the following:

    1. Remove all signing parameters from msbuild as follows:
    msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release `
    /p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64" `
    /p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never `
    /p:AppxPackageSigningEnabled=false

    2. Given the name of the appx will change based on version and I couldn't find a way to pass wildcards to the SignTool, I used this to grab the built appx:
    $Packages_2Sign = (Get-ChildItem -Recurse -Path $currentDirectory -Include *.appx).fullname

    3. Finally, use the SignTool to sign the appx built from the prior step:
    SignTool sign /fd sha256 /a /f $certificatePath /p $certificatePwd $Packages_2Sign
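
A pre-signing check for the build-then-sign flow above, added here as an example and not part of the original answer: it opens the PFX in memory (no certificate store), confirms it carries a private key, and compares its subject with the Identity/Publisher inside each built appx before SignTool runs. The function name `Test-PfxMatchesAppx` and the environment variables `PFX_PATH` and `PFX_PASSWORD` are assumptions standing in for whatever the CI system's secret store provides.

```powershell
# Added example; Test-PfxMatchesAppx, PFX_PATH and PFX_PASSWORD are hypothetical names.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-PfxMatchesAppx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [Parameter(Mandatory)] [string] $AppxPath
    )
    $pfxFull  = (Resolve-Path $PfxPath).Path
    $appxFull = (Resolve-Path $AppxPath).Path

    # Load the PFX without touching a certificate store. A wrong password throws
    # here with "The specified network password is not correct".
    # EphemeralKeySet needs .NET Framework 4.7.2 or later (or .NET Core 2.0+).
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxFull, $PfxPassword, 'EphemeralKeySet')
    try {
        if (-not $cert.HasPrivateKey) { throw "No private key in $PfxPath; a .cer export cannot sign." }
        if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
        $subject = $cert.Subject
    } finally { $cert.Dispose() }

    # An .appx is a ZIP archive with AppxManifest.xml at its root.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($appxFull)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $AppxPath." }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }

    # Plain string comparison (assumption: both sides use the same DN formatting).
    $publisher = $manifest.Package.Identity.Publisher
    if ($publisher -cne $subject) {
        throw "Publisher mismatch.`n  manifest: $publisher`n  cert:     $subject"
    }
}

# Read the PFX location and password from CI secrets rather than script literals.
$certificatePath = $env:PFX_PATH
$certificatePwd  = $env:PFX_PASSWORD
$Packages_2Sign  = (Get-ChildItem -Recurse -Path (Get-Location) -Include *.appx).FullName

foreach ($appx in $Packages_2Sign) {
    Test-PfxMatchesAppx -PfxPath $certificatePath -PfxPassword $certificatePwd -AppxPath $appx
    SignTool sign /fd sha256 /a /f $certificatePath /p $certificatePwd $appx
    if ($LASTEXITCODE -ne 0) { throw "SignTool failed for $appx (exit code $LASTEXITCODE)." }
}
```

The `/p` value is still passed to SignTool on its command line, so keep command echoing off for this step in the CI job.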