
electron-builder Appx code signing fails due to mangled Publisher string from app-builder BloodyMsString #4931

@jameshfisher

Description

  • Electron Version: 8.2.5
  • Electron Type (current, beta, nightly): current
  • electron-builder version: 22.6.0
  • Target: Windows, Appx

Here's my package.json:

{
  ...
  "scripts": {
    "dist": "electron-builder"
  },
  "build": {
    "appId": "com.foo.Ghost",
    "win": {
      "target": "appx",
      "certificateFile": "code_signing_cert.pfx",
      "certificatePassword": "",
      ...
    },
    "appx": {
      "publisher": "CN=Bob Doe, O=Bob Doe, STREET=123 Fake Street, L=London, S=London, PostalCode=A10 B42, C=GB",
      ...
    }
  }
}

When I run npm run dist, I get:

> ghost@1.2.3 dist C:\Users\bob\ghost\windows
> electron-builder

  • electron-builder  version=22.6.0 os=10.0.18363
  • loaded configuration  file=package.json ("build" field)
  • packaging       platform=win32 arch=x64 electron=8.2.5 appOutDir=dist\win-unpacked
  • empty password will be used for code signing  reason=CSC_KEY_PASSWORD is not defined
  • building        target=AppX arch=x64 file=dist\ghost 1.2.3.appx
  • Exit code: 1. Command failed: C:\Users\bob\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.6.0\windows-10\x64\makeappx.exe pack /o /f C:\Users\bob\ghost\windows\dist\__appx-x64\mapping.txt /p f752f546c70b4ddfb91866a64ac91f3b56a77ab121ff76d2e85b3cc2bcc8683d (sha256 hash) 1.2.3.appx

Microsoft (R) MakeAppx Tool

Copyright (C) 2013 Microsoft.  All rights reserved.



The path (/p) parameter is: "\\?\C:\Users\bob\ghost\windows\dist\ghost 1.2.3.appx"

The mapping file (/f) parameter is: "C:\Users\bob\ghost\windows\dist\__appx-x64\mapping.txt"

Reading mapping file "C:\Users\bob\ghost\windows\dist\__appx-x64\mapping.txt"

Packing 76 file(s) listed in "C:\Users\bob\ghost\windows\dist\__appx-x64\mapping.txt" (mapping file) to "\\?\C:\Users\bob\ghost\windows\dist\ghost 1.2.3.appx" (output file name).

Memory limit defaulting to 3193556992 bytes.

Using "C:\Users\bob\ghost\windows\dist\__appx-x64\AppxManifest.xml" as the manifest for the package.

MakeAppx : error: Error info: /*[local-name()="Package" and namespace-uri()="http://schemas.microsoft.com/appx/manifest/foundation/windows10"]/*[local-name()="Identity" and namespace-uri()="http://schemas.microsoft.com/appx/manifest/foundation/windows10"][1]/@Publisher

'CN=Bob Doe,O=Bob Doe,POSTALCODE=A10 B42,STREET=123 Fake Street,L=London,ST=London,C=GB' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.

The attribute 'Publisher' with value 'CN=Bob Doe,O=Bob Doe,POSTALCODE=A10 B42,STREET=123 Fake Street,L=London,ST=London,C=GB' failed to parse.

MakeAppx : error: Package creation failed.

MakeAppx : error: 0x80080204 - The specified package format is not valid: The package manifest is not valid.

The important line here is this error originating from makeappx.exe:

'CN=Bob Doe,O=Bob Doe,POSTALCODE=A10 B42,STREET=123 Fake Street,L=London,ST=London,C=GB' violates pattern constraint of '(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")(, ((CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))=(([^,+="<>#;])+|".*")))*'.

It's not wrong: the publisher string doesn't match the regex. It fails in at least two respects:

  • The publisher string uses a bare comma (,) as the separator, with no space after it. The regex appears to demand a comma followed by a space (", ") as the separator.
  • The publisher string uses upper-cased attribute names. For example, the publisher string has POSTALCODE where the regex appears to demand PostalCode.

makeappx reads the publisher string from C:\Users\bob\ghost\windows\dist\__appx-x64\AppxManifest.xml, which is generated by electron-builder. electron-builder does NOT get the publisher string from build.appx.publisher in my package.json. Instead, electron-builder takes the Subject from the certificate file at build.win.certificateFile, transforms it, and puts it in the generated AppxManifest.xml. We can inspect the Subject of this certificate with certutil -dump, which shows:

PS C:\Users\bob\ghost\windows> certutil -dump .\code_signing_cert.pfx
Enter PFX password:
... omitting irrelevant lines ...
Subject: CN=Bob Doe, O=Bob Doe, STREET=123 Fake Street, L=London, S=London, PostalCode=A10 B42, C=GB

Note carefully the difference:

# Subject in my certificate file
CN=Bob Doe, O=Bob Doe, STREET=123 Fake Street, L=London, S=London, PostalCode=A10 B42, C=GB

# Subject being passed to makeappx by electron-builder
CN=Bob Doe,O=Bob Doe,POSTALCODE=A10 B42,STREET=123 Fake Street,L=London,ST=London,C=GB

The subject in the certificate, as reported by certutil, does match the regex demanded by makeappx. The mangled subject passed to makeappx does not. So what's going on here?

The mangled name comes from the app-builder package:

util.WriteStringProperty("bloodyMicrosoftSubjectDn", BloodyMsString(firstCert.Subject.ToRDNSequence()), jsonWriter)

This BloodyMsString function is defined here.

The purpose of BloodyMsString appears to be creating the Publisher string for the AppxManifest.xml. Maybe there's a reason for mangling there that I don't understand. But if I manually edit the AppxManifest.xml to have the correct Subject, then run makeappx and signtool manually, everything succeeds.
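The two observations above (separator and attribute-name spelling) can be turned into a pre-flight check that runs before any manifest is packed or signed. The Go program below is an added example for this issue; it is not code from app-builder, electron-builder or MakeAppx. It compiles the exact pattern constraint quoted in the MakeAppx error (anchored at both ends), renders a pkix.RDNSequence in the form that pattern accepts (", " between attributes, S rather than ST, PostalCode rather than POSTALCODE, quoted values where a value contains a forbidden character), and rejects the mangled string from the report. The OID-to-name table and the function names (ValidPublisher, AppxPublisher, QuoteIfNeeded, SampleSubject) are this example's own; SampleSubject is a constructed sequence carrying the attributes from the certificate above, and it assumes the certificate encodes them in ASN.1 order C first, CN last, so that the reversed presentation matches what certutil printed.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"regexp"
	"strings"
)

// Attribute-name alternation and value syntax copied from the MakeAppx error
// in the report; the full pattern is anchored so the whole string must match.
const (
	appxAttr  = `(CN|L|O|OU|E|C|S|STREET|T|G|I|SN|DC|SERIALNUMBER|Description|PostalCode|POBox|Phone|X21Address|dnQualifier|(OID\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+))`
	appxValue = `(([^,+="<>#;])+|".*")`
)

var publisherRe = regexp.MustCompile("^" + appxAttr + "=" + appxValue + "(, " + appxAttr + "=" + appxValue + ")*$")

// ValidPublisher reports whether s satisfies the manifest's Publisher pattern.
func ValidPublisher(s string) bool { return publisherRe.MatchString(s) }

// OID -> attribute name, using the spellings the MakeAppx pattern accepts
// (S rather than ST, PostalCode rather than POSTALCODE). Example's own table.
var appxAttributeNames = map[string]string{
	"2.5.4.3":                    "CN",
	"2.5.4.10":                   "O",
	"2.5.4.11":                   "OU",
	"2.5.4.9":                    "STREET",
	"2.5.4.7":                    "L",
	"2.5.4.8":                    "S",
	"2.5.4.17":                   "PostalCode",
	"2.5.4.6":                    "C",
	"2.5.4.5":                    "SERIALNUMBER",
	"2.5.4.12":                   "T",
	"1.2.840.113549.1.9.1":       "E",
	"0.9.2342.19200300.100.1.25": "DC",
}

// QuoteIfNeeded wraps a value in double quotes when it contains a character
// the unquoted form forbids; the pattern's only other value form is "...".
func QuoteIfNeeded(v string) string {
	if strings.ContainsAny(v, `,+="<>#;`) {
		return `"` + v + `"`
	}
	return v
}

// AppxPublisher renders an RDNSequence in the form MakeAppx accepts and
// refuses to return a string that still violates the pattern.
// Assumption: seq is in ASN.1 encoding order (C first, CN last), so the
// presentation order is the reverse, as in the certutil output in the report.
func AppxPublisher(seq pkix.RDNSequence) (string, error) {
	parts := make([]string, 0, len(seq))
	for i := len(seq) - 1; i >= 0; i-- {
		rdn := seq[i]
		if len(rdn) != 1 {
			return "", fmt.Errorf("RDN %d is multi-valued; the Publisher pattern has no '+' syntax for that", i)
		}
		atv := rdn[0]
		name, ok := appxAttributeNames[atv.Type.String()]
		if !ok {
			name = "OID." + atv.Type.String() // the pattern allows dotted OIDs with an OID. prefix
		}
		val, ok := atv.Value.(string)
		if !ok {
			return "", fmt.Errorf("attribute %s has non-string value %T", name, atv.Value)
		}
		parts = append(parts, name+"="+QuoteIfNeeded(val))
	}
	out := strings.Join(parts, ", ")
	if !ValidPublisher(out) {
		return "", fmt.Errorf("rendered Publisher %q still violates the pattern", out)
	}
	return out, nil
}

// SampleSubject is a constructed sequence with the attributes from the
// report's certificate, in the assumed encoding order.
func SampleSubject() pkix.RDNSequence {
	one := func(oid asn1.ObjectIdentifier, v string) pkix.RelativeDistinguishedNameSET {
		return pkix.RelativeDistinguishedNameSET{{Type: oid, Value: v}}
	}
	return pkix.RDNSequence{
		one(asn1.ObjectIdentifier{2, 5, 4, 6}, "GB"),
		one(asn1.ObjectIdentifier{2, 5, 4, 17}, "A10 B42"),
		one(asn1.ObjectIdentifier{2, 5, 4, 8}, "London"),
		one(asn1.ObjectIdentifier{2, 5, 4, 7}, "London"),
		one(asn1.ObjectIdentifier{2, 5, 4, 9}, "123 Fake Street"),
		one(asn1.ObjectIdentifier{2, 5, 4, 10}, "Bob Doe"),
		one(asn1.ObjectIdentifier{2, 5, 4, 3}, "Bob Doe"),
	}
}

// MangledPublisher is the string electron-builder passed to makeappx in the report.
const MangledPublisher = "CN=Bob Doe,O=Bob Doe,POSTALCODE=A10 B42,STREET=123 Fake Street,L=London,ST=London,C=GB"

func main() {
	fmt.Println("mangled valid:", ValidPublisher(MangledPublisher))
	fixed, err := AppxPublisher(SampleSubject())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("rendered:", fixed, "valid:", ValidPublisher(fixed))
}
```

Running the check against a real certificate means loading the PFX, taking the leaf certificate's Subject.ToRDNSequence() and passing it to AppxPublisher; the point of the anchored regex is that an unanchored MatchString would happily accept the mangled string because "CN=Bob Doe" alone is a valid prefix. The same check, applied to the value written into AppxManifest.xml, would have failed the build with a readable reason before makeappx and signtool were invoked.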
