SignTool Error with .app Files Using New Code Signing Certificate

[ivandjordjevic]

I encountered a problem with signing .app files using signtool.exe after switching to a new code signing certificate. Previously, I used a .pfx file locally, but since transitioning to the new setup, signtool successfully signs .dll and other file types, but fails with .app files.

I am using the Install-NAVSipCryptoProviderFromNavContainer to get the NavSip.dll file but still get the same issue. I've also updated the ContainerHelper library and tried with different versions of SDK.

Scripts used

# Define variables
$containerName = "dev2"
$signtoolPath = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86\signtool.exe"
$timestampUrl = "http://ts.ssl.com"
$certThumbprint = "[CERTIFICATE THUMBRINT]"
$appFilePath = "C:\temp\sign\test.app"

# Step 1: Install the required NAVSipCryptoProvider from the specified container
Install-NAVSipCryptoProviderFromNavContainer -containername $containerName

# Step 2: Use Invoke-Expression to run signtool.exe with the defined variables
Invoke-Expression "& '$signtoolPath' sign /fd sha256 /tr $timestampUrl /td sha256 /sha1 $certThumbprint '$appFilePath'"

Full output of scripts

Copy SIP crypto provider from container dev2
Copy from container dev2 (C:\Windows\System32\NavSip.dll) to C:\Windows\System32\NavSip.dll
Copy from container dev2 (C:\Windows\SysWow64\NavSip.dll) to C:\Windows\SysWow64\NavSip.dll
Cannot find path 'C:\Windows\SysWow64\NavSip.dll' because it does not exist.

Container Free Physical Memory: 15.4Gb
Disk C: Free 121Gb from 127Gb

Services in container dev2:
C:\Windows\SysWow64\NavSip.dll doesn't exist.
C:\Windows\System32\NavSip.dll successfully registered.
Done Adding Additional Store

Number of errors: 1

signtool.exe : SignTool Error: This file format cannot be signed because it is not recognized.
At line:1 char:1
+ & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86\signto ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (SignTool Error:...not recognized.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
SignTool Error: An error occurred while attempting to sign: C:\temp\sign\test.app
...

The dev2 container is using insider version BC 24.6.24915.0.

[ivandjordjevic]

This issue is similar to #3089 but I don't see any follow-up or resolution there

[freddydk]

You should instead use dotnet sign to sign your app (like we do in AL-Go for GitHub).

Installing dotnet sign like here: https://github.com/microsoft/AL-Go/blob/e5f2df3b796102c8ef4b018e797550e974b5554a/Actions/Sign/Sign.psm1#L7

and signing like this: https://github.com/microsoft/AL-Go/blob/e5f2df3b796102c8ef4b018e797550e974b5554a/Actions/Sign/Sign.psm1#L60

The dotnet sign tool automatically gets the NAVSip from a nuget package

[ivandjordjevic]

@freddydk - I don't think we have that option of signing by using the certificates from Azure Key Vault with SSL.com after our renewal:
https://www.ssl.com/how-to/code-signing-with-azure-key-vault/

Their recommendation for .app files is to use signtool.exe once the Business Central is installed. However, even with both BC installed and copied NavSip.dll using Install-NAVSipCryptoProviderFromNavContainer, I'm still getting the '.app format is not recognized'.
https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/#ftoc-heading-28

[freddydk]

If you have the certificate in Azure KeyVault - you can use dotnet sign.
You can also use signtool - but none of these options are (or will be) supported from BcContainerHelper.