To Whom It May Concern:
I finally managed to successfully upload my app to the Packages section of my Individual Microsoft Developers Account.
I used the following command line to convert my MSI file over to a UWP app:
DesktopAppConverter.exe -Installer C:\Installer6\EditRight.msi -Destination C:\Output6 -PackageName "9994SeanKennethMaxted.EditRight" -PackageDisplayName "EditRight" -AppId "EditRight" -AppDisplayName "EditRight" -Publisher "CN=00688388-CE34-4EE4-AE8C-3E9CFF0555E2" -PackagePublisherDisplayName "Sean Kenneth Maxted" -Version 0.0.0.0 -MakeAppx
However, to prevent the package validation errors that I was receiving with previous submissions, I had to identify the publisher as CN=00688388-CE34-4EE4-AE8C-3E9CFF0555E2 and NOT as CN=Sean Kenneth Maxted.
This meant that I could NOT sign my app with the trusted certificate issued by Digicert under my full legal name of “Sean Kenneth Maxted”.
Digicert informs me that it is NOT possible to issue a trusted certificate for an arbitrary number such as “CN=00688388-CE34-4EE4-AE8C-3E9CFF0555E2”.
The problem is that my app will NOT complete the installation process unless it is signed by a trusted certificate.
I was able to use the procedure below to apply a trusted certificate to my app.
- makecert.exe -r -h 0 -n "CN=00688388-CE34-4EE4-AE8C-3E9CFF0555E2" -eku 1.3.6.1.5.5.7.3.3 -pe -sv test.pvk test.cer
Note: This command line is used to generate a self-signed certificate.
- pvk2pfx.exe -pvk test.pvk -spc test.cer -pfx test.pfx
Note: This command line creates a pfx using the files generated by the makecert executable.
- Certutil -addStore TrustedPeople test.cer
Note: This command adds the self-signed cert to my trust store.
- signtool.exe sign -f test.pfx -fd SHA256 -v 9994SeanKennethMaxted.EditRight.appx
Note: This command line signs the UWP app with a trusted certificate.
Unfortunately, the trusted certificate created above ONLY works on the tablet that it was created on. Any attempt to install my app on another tablet results in the following error: “Either a new certificate must be installed for this app package or you need a new app package with trusted certificates. Your system administrator or the app developer can help. A certificate chain was processed but terminated in a root certificate that isn’t trusted (0x800B0109)”.
Question #1: Does Microsoft add a trusted certificate during the manual certification process performed on each app submitted to the Microsoft Store?
Question #2: If Microsoft does NOT add a trusted certificate during the manual certification process, then how do I go about getting and/or applying a trusted certificate to my app, given that the Publisher Name is an arbitrary number such as “CN=00688388-CE34-4EE4-AE8C-3E9CFF0555E2”?
Even after successfully uploading my app to the Packages section of my Individual Microsoft Developers Account, I still get the following validation warning message, “Package acceptance validation warning: The following restricted capabilities require approval before you can use them in your app: runFullTrust.”
Question #3: What does the validation warning message mean?
Question #4: What steps or procedure do I have to implement in order to resolve the above validation warning message?
Question #5: What are the consequences (if any) of NOT resolving the above validation warning?
Thanks,
Sean.
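
The two conditions this post runs into, the manifest Publisher having to match the signing certificate's subject and the chain having to end in something the installing machine trusts (0x800B0109), can be checked on any machine before attempting an install. The PowerShell below is an added example, not part of the original post or of the converter project; the function names are hypothetical, the default path reuses the package file name from the post, and the subject comparison assumes a single-component publisher such as `CN=...`.

```powershell
# Added diagnostic example (not from the original post). Run on the machine where install fails.
param([string]$PackagePath = '.\9994SeanKennethMaxted.EditRight.appx')

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxManifestPublisher {
    param([Parameter(Mandatory)][string]$Path)
    # An .appx is a ZIP container; Identity/@Publisher is declared in AppxManifest.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    } finally { $zip.Dispose() }
}

function Test-AppxSignatureTrust {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Signed = $false; Status = $sig.Status }
    }

    # Build the chain against THIS machine's stores; revocation is skipped so it runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # A self-signed cert is accepted only where it was explicitly added
    # (the post does this with: certutil -addStore TrustedPeople test.cer).
    $pinned = @(Get-ChildItem Cert:\LocalMachine\TrustedPeople |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0

    $publisher = Get-AppxManifestPublisher -Path $Path
    [pscustomobject]@{
        Signed            = $true
        Status            = $sig.Status            # e.g. Valid, UnknownError, NotTrusted
        ManifestPublisher = $publisher
        SignerSubject     = $cert.Subject
        PublisherMatches  = ($publisher -eq $cert.Subject)  # plain string compare (assumption above)
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        ChainTrustedHere  = $chainOk
        ChainErrors       = $chainErrors           # UntrustedRoot corresponds to 0x800B0109
        InTrustedPeople   = $pinned
    }
}

if (Test-Path $PackagePath) { Test-AppxSignatureTrust -Path $PackagePath | Format-List }
```

On the machine where the certificate was added to the store, `InTrustedPeople` is expected to be true; on any other machine a self-signed signer shows `UntrustedRoot` in `ChainErrors`.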