Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)

Assume the following scenario:

  • An Appx package is to be signed.
  • SignTool.exe is used for this purpose.
  • The code signing certificate used was recently renewed.
  • The signing process with the new code signing certificate fails with the following error message:
"Error: SignerSign() failed." (-2147024885/0x8007000b) 

Troubleshooting

The -error parameter of certutil is very helpful for resolving the error code:

certutil -error 0x8007000b

This error code is also documented at Microsoft in the article about signing Appx packages.

According to that article, 0x8007000b (ERROR_BAD_FORMAT) usually means that the app manifest publisher name does not match the subject name of the signing certificate.

Further information can be found in the Event Viewer under "Applications and Services Logs" - "Microsoft" - "Windows" - "AppxPackagingOM" - "Microsoft-Windows-AppxPackaging/Operational".

In the specific case, the following event was found there:

error 0x8007000B: The app manifest publisher name (CN=ADCS Labor Code Signing Service, OU=PKI, O=ADCS Labor, C=DE) must match the subject name of the signing certificate (CN=ADCS Labor Code Signing Service, O=ADCS Labor, OU=PKI, C=DE, E=pki@adcslabor.de).

Cause


The reason is that the subject string of the code signing certificate to be used is stored in the Appx manifest (the Publisher attribute of the Identity element in AppxManifest.xml). If the subject string stored there does not match the subject of the signing certificate, the error described here occurs.

For comparison, the two subject strings:

  • CN=ADCS Labor Code Signing Service, OU=PKI, O=ADCS Labor, C=DE
  • CN=ADCS Labor Code Signing Service, O=ADCS Labor, OU=PKI, C=DE, E=pki@adcslabor.de

The renewed certificate differs from the manifest in two ways: the order of the O and OU RDNs is swapped, and an additional E= (e-mail) RDN has been appended.

There are two ways to solve the problem:

  • The subject string (manifest publisher name) in the Appx manifest can be adjusted to match that of the signing certificate. Since the manifest is part of the package, the package must then be rebuilt before it is signed again.
  • A new code signing certificate can be issued which has the matching subject string. If the order of the Relative Distinguished Names (RDNs) was changed on the certification authority, it must be adjusted there as well, because only the entire comma-separated subject string is compared and not the individual RDNs. Appx manifest and signing certificate must therefore not only contain exactly the same RDNs; these must also appear in exactly the same order.
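The following PowerShell function is an added example and not part of the original post or any Microsoft tooling. It performs the check described above before SignTool.exe is invoked: it reads the Publisher attribute from AppxManifest.xml, compares it character-for-character with the subject of the signing certificate, and, if they differ, splits both names into their RDNs to tell a mere reordering apart from a missing or extra RDN (such as the E= in the case above). The file paths, the PFX file and the function name are assumptions; the RDN values in the comments mirror the event log message quoted earlier.

```powershell
# Added example (not from the original post). Assumed paths and PFX file below.
# Checks whether the Publisher attribute of an AppxManifest.xml matches the subject
# of the signing certificate, which is what the Appx packaging layer requires.
function Test-AppxPublisherMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        # Rewrite the manifest Publisher to the certificate subject if they differ.
        [switch] $Fix
    )

    $resolvedPath = (Resolve-Path -LiteralPath $ManifestPath).ProviderPath
    [xml] $manifest = Get-Content -LiteralPath $resolvedPath -Raw
    $publisher   = $manifest.Package.Identity.Publisher
    $certSubject = $Certificate.Subject   # e.g. "CN=..., O=ADCS Labor, OU=PKI, C=DE, E=pki@adcslabor.de"

    # The packaging layer compares the whole comma-separated string, so the
    # comparison here is case-sensitive and order-sensitive as well.
    if ($publisher -ceq $certSubject) {
        Write-Verbose "Manifest publisher matches certificate subject: $publisher"
        return $true
    }

    Write-Warning "Manifest publisher : $publisher"
    Write-Warning "Certificate subject: $certSubject"

    # Diagnosis: render both names one RDN per line via X500DistinguishedName.
    # Format($true) handles escaped commas correctly, unlike a naive -split ','.
    $manifestName = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($publisher)
    $rdnsManifest = @($manifestName.Format($true) -split "`r?`n" | Where-Object { $_ })
    $rdnsCert     = @($Certificate.SubjectName.Format($true) -split "`r?`n" | Where-Object { $_ })

    $missing = @($rdnsCert     | Where-Object { $_ -notin $rdnsManifest })  # in cert, not in manifest
    $extra   = @($rdnsManifest | Where-Object { $_ -notin $rdnsCert })      # in manifest, not in cert

    foreach ($rdn in $missing) { Write-Warning "RDN present in certificate but missing from manifest: $rdn" }
    foreach ($rdn in $extra)   { Write-Warning "RDN present in manifest but missing from certificate: $rdn" }
    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        # Same RDNs on both sides, so only the order (or whitespace) differs.
        Write-Warning "Same RDNs, but in a different order. SignTool will still fail with 0x8007000b."
    }

    if ($Fix) {
        # Option 1 from the text: adjust the manifest. The package must be rebuilt
        # with MakeAppx afterwards, because the manifest is part of the package.
        $manifest.Package.Identity.Publisher = $certSubject
        $manifest.Save($resolvedPath)
        Write-Warning "Manifest Publisher rewritten to certificate subject. Rebuild the package before signing."
    }
    return $false
}

# Usage (assumed paths). The certificate may also come from the store, e.g.
# Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert.
$cert = Get-PfxCertificate -FilePath 'C:\certs\codesign.pfx'
Test-AppxPublisherMatch -ManifestPath '.\AppxManifest.xml' -Certificate $cert -Verbose

# The two troubleshooting steps from the text: resolve the code and read the packaging log.
certutil -error 0x8007000b
Get-WinEvent -LogName 'Microsoft-Windows-AppxPackaging/Operational' -MaxEvents 10 |
    Where-Object Level -eq 2 |   # Level 2 = Error
    Format-List TimeCreated, Message
```

Because the Publisher attribute is part of the package identity, changing it (option 1) also changes the package family name, so installed versions of the package will not upgrade in place; issuing a certificate with the original subject string (option 2) avoids that side effect.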
