Reputation: 15569
EDIT
Event log error was this:
error 0x8007000B: The app manifest publisher name (CN=...)
must match the subject name of the signing certificate
(CN={19BE29DF-4812-4F2E-8FC1-A138B146946A}).
The command below now seems to work. So either user error on my part that I cannot identify or something hinky with the state of the machine when I was seeing this. That GUID associated with the signing cert in the event log message is not what the cert shows in the Certificate Manager snap-in, which is weird.
Original Question
I am attempting to sign a UWP appx package that was generated using MakeAppx.exe. The pfx is a developer code signing certificate generated with these commands from https://msdn.microsoft.com/windows/uwp/porting/desktop-to-uwp-manual-conversion.
C:\> MakeCert.exe -r -h 0 -n "CN=<publisher_name>" -eku 1.3.6.1.5.5.7.3.3 -pe -sv <my.pvk> <my.cer>
C:\> pvk2pfx.exe -pvk <my.pvk> -spc <my.cer> -pfx <my.pfx>
The private key is in my trusted root cert store and worked when I generated an appx from an installer using the Desktop App Converter.
The command line I am using is:
signtool.exe sign -f <path to my pfx file> -fd SHA256 -v .\FishTank.appx
but SignTool is erroring with this:
The following certificate was selected:
Issued to: ...
Issued by: ...
Expires: Sat Dec 31 18:59:59 2039
SHA1 hash: ...
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)
The certificate publisher matches what is in the appmanifest.xml:
<?xml version="1.0" encoding="utf-8"?>
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="..."
    ProcessorArchitecture="x64"
    Publisher="CN=..."
    Version="1.1.0.0" />
  <Properties>
    <DisplayName>Fish Tank</DisplayName>
    <PublisherDisplayName>Reserved</PublisherDisplayName>
    <Description>Some fish. Swimming around on your screen.</Description>
    <Logo>StoreLogo.png</Logo>
  </Properties>
  <Resources>
    <Resource Language="en-us" />
  </Resources>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14316.0" MaxVersionTested="10.0.14316.0" />
  </Dependencies>
  <Capabilities>
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
  <Applications>
    <Application Id="FishTank" Executable="FishTank.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements
        BackgroundColor="#464646"
        DisplayName="Fish Tank"
        Square150x150Logo="Square150x150Logo.png"
        Square44x44Logo="Square44x44Logo.png"
        Description="Some fish. Swimming around on your screen." />
    </Application>
  </Applications>
</Package>
Upvotes: 18
Views: 15704
Reputation: 21
There is an easy answer to this problem. When SignTool fails with error 0x8007000b, open Windows Event Viewer and navigate to Applications and Services Logs -> Microsoft -> Windows -> AppxPackagingOM -> Microsoft-Windows-AppxPackaging/Operational. Then, double-click on the error event for more detail. The popup error message shows you the publisher name as required by the certificate, contrasted with the publisher name entered in the manifest of your app. Copy and paste the displayed certificate publisher name into your app manifest (the CN= field); rebuild and republish, and SignTool should work. In my case, I had misunderstood what was meant by "publisher name". I thought it meant literally just the name of the publisher, whereas it needed a text string containing a list of five defining fields for the certificate, including fields for address and country code.
Upvotes: 2
Reputation: 83
The MakeCert /n argument has to be the full Publisher string from your xml.
Upvotes: 0
Reputation: 1975
Just like answered here (though for a different error code) - you have to make sure that the Publisher name (in the AppxManifest.xml file) is the same as the certificate's publisher.
For more information, see here (in the bottom "Remarks" section).
Upvotes: 21
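The check the answers above describe, as an added PowerShell example that is not part of any post on this page: it compares the manifest's Publisher with the subject of the signing PFX before SignTool runs, and lists recent error events from the Microsoft-Windows-AppxPackaging/Operational log. The function names, parameter names and the normalization through .NET's X500DistinguishedName class are assumptions of this example; SignTool's own comparison, as reported in the event log, remains authoritative.

```powershell
# Added example, not code from the original posts.
# Function and parameter names are hypothetical.
function Test-AppxPublisherMatch {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,  # path to AppxManifest.xml
        [Parameter(Mandatory)] [string] $PfxPath        # path to the signing .pfx
    )

    # Publisher attribute of <Identity> in the package manifest.
    [xml]$manifest = Get-Content -Raw -LiteralPath $ManifestPath
    $publisher = $manifest.Package.Identity.Publisher
    if ([string]::IsNullOrWhiteSpace($publisher)) {
        throw "No Identity/@Publisher found in $ManifestPath"
    }

    # Signing certificate; prompts for the PFX password if one is set.
    $cert = Get-PfxCertificate -FilePath $PfxPath

    # Assumption: round-tripping the manifest string through X500DistinguishedName
    # gives it the same spacing and quoting .NET uses for the certificate subject.
    $dnType = 'System.Security.Cryptography.X509Certificates.X500DistinguishedName'
    try   { $manifestDn = (New-Object -TypeName $dnType -ArgumentList $publisher).Name }
    catch { throw "Publisher '$publisher' is not a valid distinguished name: $_" }

    [pscustomobject]@{
        ManifestPublisher  = $publisher
        CertificateSubject = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        Match              = ($manifestDn -ceq $cert.SubjectName.Name)
    }
}

# Recent error events from the log named in the answer above.
function Get-AppxPackagingError {
    param([int] $MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppxPackaging/Operational'
        Level   = 2   # 2 = Error
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (paths are placeholders):
#   $r = Test-AppxPublisherMatch -ManifestPath .\AppxManifest.xml -PfxPath .\my.pfx
#   if (-not $r.Match) { $r | Format-List; Get-AppxPackagingError }
```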