electron-builder: electron builder fails to parse identityName of appx

Hello everyone, here is a bit more of background of how the “Publisher” value in the manifest works:

1. If the AppX package is meant for enterprise or self-made distribution, you can put any value you want in the form of “CN=xyz”. However, the subject of the certificate used to sign the package must match this value.
2. If the AppX package is meant for Store distribution, it must match the publisher value that the Dev Center has assigned to you when you opened the developer account. This value can be found in the “App Identity” page of the Dev Center. In this case, there’s no need to sign the package with any certificate. The Store will take care of signing it with a Microsoft certificate during the submission process.

I hope it helps!

Hello @develar, I confirm that the package uploaded on the Store doesn’t have to be signed. Even if you sign it, the certificate is removed and the package resigned with a Microsoft one during the certification process. However, if I can share my humble opinion, I think you should offer a parameter to opt-in for signing or not, like the Desktop App Converter does. By default, our tool doesn’t sign the package, but if you add the -Sign parameter it will generate a test certificate and sign the package using it. The reason is that if the developer needs to manually install the app without using the Store (for testing it on its own machine or to share with external testers; for enterprise distribution; etc.), in this case the AppX needs to be signed.

Let me know if you have additional questions, I’ll be happy to help 😃

19.33.0 released as latest stable. Please try. After question above will be cleared up, other changes will be maybe done.

I consider our AppX target as amazing 😃 Thanks to Matteo Pagani.

Recreating cert with correct CN solved the issue.

Last step left - verification by MS appx package build with electron-builder. Hope, it will go smoothly. Will update you guys soon.

$ electron-builder create-self-signed-cert -p REMOVED-SENSITIVE-INFO

$ certutil -dump REMOVED-SENSITIVE-INFO.pfx
Enter PFX password:

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: REMOVED-SENSITIVE-INFO
Issuer: CN=REMOVED-SENSITIVE-INFO
 NotBefore: 9/25/2017 16:03
 NotAfter: 1/1/2040 2:59
Subject: CN=REMOVED-SENSITIVE-INFO
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): REMOVED-SENSITIVE-INFO
----------------  End Nesting Level 1  ----------------
  Provider = Microsoft Strong Cryptographic Provider
Signature test passed
CertUtil: -dump command completed successfully.

Successfully signed: C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\Organize My Files-2.1.1.appx

$ time DEBUG=electron-builder electron-builder -w appx
electron-builder 19.30.2
2017-09-25T13:04:58.911Z electron-builder Effective config:
appId: yourappid
directories:
  output: release-builds
appx:
  applicationId: OrganizeMyFiles
  identityName: 1234.REMOVED-SENSITIVE-INFO
  publisher: CN=REMOVED-SENSITIVE-INFO
  publisherDisplayName: REMOVED-SENSITIVE-INFO
mac:
  target:
    - dir
linux:
  target:
    - AppImage
win:
  target:
    - nsis
    - portable
    - appx
  certificateFile: q.pfx
  icon: build/icon.ico

No native production dependencies
Packaging for win32 x64 using electron 1.6.11 to release-builds\win-unpacked
2017-09-25T13:04:59.986Z electron-builder Spawning C:\Users\Username\AppData\Roaming\npm\node_modules\electron-builder\node_modules\7zip-bin-win\x64\7za.exe x -bd C:\Users\Username\AppData\Local\electron\Cache\electron-v1.6.11-win32-x64.zip -aoa -oC:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked

7-Zip (a) 17.01 beta (x64) : Copyright (c) 1999-2017 Igor Pavlov : 2017-08-28

Scanning the drive for archives:
1 file, 52284035 bytes (50 MiB)

Extracting archive: C:\Users\Username\AppData\Local\electron\Cache\electron-v1.6.11-win32-x64.zip
--
Path = C:\Users\Username\AppData\Local\electron\Cache\electron-v1.6.11-win32-x64.zip
Type = zip
Physical Size = 52284035

Everything is Ok

Files: 74
Size:       134024085
Compressed: 52284035
2017-09-25T13:05:01.012Z electron-builder 7za.exe (5448) exited with exit code 0
CSC_KEY_PASSWORD is not defined, empty password will be used
2017-09-25T13:05:04.843Z electron-builder No valid cached executable found, old digest: HM7VnBucl9LXMaJtEfhkYGQzA97lg85kxWBq4ACwysdTQyCxlfTBNWzEXHHAnZNQQHnilN5QZzvWeZ3oTL7zgw==, new digest: ufLlNmlf/4f3o1K8wlgIph1VaNTFlMnZZsIDviokwOF4XpmH5NzqAi5m2hijLi6EKnh4gOe6T1FMvQe8o1mWuw==
executable cache: 0s 10ms
2017-09-25T13:05:04.851Z electron-builder Executing C:\Users\Username\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.9.0\rcedit.exe C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked\Organize My Files.exe --set-version-string FileDescription Organize My Files --set-version-string ProductName Organize My Files --set-version-string LegalCopyright Copyright © 2017 REMOVED-SENSITIVE-INFO --set-file-version 2.1.1 --set-product-version 2.1.1.0 --set-version-string InternalName Organize My Files --set-version-string OriginalFilename  --set-version-string CompanyName REMOVED-SENSITIVE-INFO --set-icon C:\Users\Username\code\hmm\photon\dist\template-app\build\icon.ico
Signing Organize My Files.exe (certificate file: "q.pfx")
2017-09-25T13:05:05.208Z electron-builder Executing C:\Users\Username\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.9.0\windows-10\x64\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f q.pfx /d Organize My Files /du http://REMOVED-SENSITIVE-INFO C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked\Organize My Files.exe
2017-09-25T13:05:05.209Z electron-builder env: {}
2017-09-25T13:05:05.934Z electron-builder Done Adding Additional Store
Successfully signed: C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked\Organize My Files.exe

2017-09-25T13:05:05.935Z electron-builder Executing C:\Users\Username\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.9.0\windows-10\x64\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f q.pfx /fd sha256 /td sha256 /d Organize My Files /du http://REMOVED-SENSITIVE-INFO /as C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked\Organize My Files.exe
2017-09-25T13:05:05.935Z electron-builder env: {}
2017-09-25T13:05:06.620Z electron-builder Done Adding Additional Store
Successfully signed: C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked\Organize My Files.exe

wine&sign: 1s 777ms
2017-09-25T13:05:06.892Z electron-builder Copying C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\win-unpacked to C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\pre-appx-\app
2017-09-25T13:05:07.800Z electron-builder Spawning C:\Users\Username\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.9.0\windows-10\x64\makeappx.exe pack /o /d C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\pre-appx- /p 9ecc2069c82f6cd86932cdd89c383c8bfbcfbb14aa2d1344a3cc8084bd8ba5e9 (sha256 hash) My Files-2.1.1.appx
2017-09-25T13:05:16.197Z electron-builder makeappx.exe (1176) exited with exit code 0
Signing Organize My Files-2.1.1.appx (certificate file: "q.pfx")
2017-09-25T13:05:16.203Z electron-builder Executing C:\Users\Username\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.9.0\windows-10\x64\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f q.pfx /fd sha256 /td sha256 /d Organize My Files /du http://REMOVED-SENSITIVE-INFO C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\Organize My Files-2.1.1.appx
2017-09-25T13:05:16.204Z electron-builder env: {}
2017-09-25T13:05:23.279Z electron-builder Done Adding Additional Store
Successfully signed: C:\Users\Username\code\hmm\photon\dist\template-app\release-builds\Organize My Files-2.1.1.appx


real    0m25.254s
user    0m0.030s
sys     0m0.061s

@black-snow I just contacted Matteo Pagani from MS and he kindly responded me with the following information regarding this issue:

I don’t think it’s a bug in MakeAppx, rather in the way how Electron Builder builds the package. Here is a little bit of background. There are two kind of identities described in the manifest file:

One is the Name attribute of the Identity tag, which must match the one assigned by the Dev Center.

One is the Id attribute of the Application tag, which instead can be a free value, it doesn’t have any impact on defining the package identity. This value can’t start with numbers, otherwise it would violate the manifest schema definition.

The issue you see is very common with the Desktop App Converter (the conversion tool provided by Microsoft) because, by default, it assigns to the Application/Id element the same value specified for the Identity/Name one, causing a validation error since, most of the times, the identity assigned by the Dev Center starts instead with numbers (like 12345MatteoPagani.DesktopBridge).

My guess is that Electron builder is doing the same thing. However, the Desktop App Converter solves the issue by providing an optional parameter, called -AppId, so that you can set the Application/Id element with a different value than the one assigned to the Identity/Name element (which, instead, is set using the -PackageName parameter). Unfortunately, I’m not seeing such an option provided by Electron Builder in the documentation: https://www.electron.build/configuration/appx There’s only a generic “identityName” parameter which, probably, is setting the same value in both manifest elements.

I’m afraid that, if this is the case, your only option is to create the package manually as described in the document I have shared, at least until Electron Builder will add an option to manage the two values in a separate way.

I hope it helps!

Wow commit is already here

As respect to clear and detailed answer from MS.

But because it is AppX and Windows is required to test, release will be only after approval from Windows CI server.

As I promised in #2027, just writing in that appx package which was completely build with electron-builder passed MS certification and was approved by Windows Store successfully.

There were few errors and trials first, which were not related to electron-builder, but rather to my lack of knowledge of WS submission rules. Such as missing Privacy Policy and updating the app not internally, but only via Store platform. I made a separate issue for this #2165. But all of the issues with the help of @qmatteoq were resolved successfully.

So in the end everything went smoothly.

Thanks again @black-snow @develar and @qmatteoq for your amazing support!

– P/S I removed sensitive info from all of my previous posts just in case.

Guys, please confirm that and option/by default will be introduced/fixed. I guess we can simply do not require code signing of AppX. If it is true — god, I love MS!

Kudos to Matteo, always great support.

So there’s two different fields that currently receive the same value but actually are different? Should be a quick fix then 😃

I started to think that no need to hate MS anymore but… God, save me. Well, at least MS support is very helpful. In any case I still think that AppX target (that cannot be used as default any time soon (5 years?), thanks to strange MS decision to not support it on Windows 7 and 8) will not became the same source of issues and nightmare of support as our current Windows target is.

Ok… fix will be soon, it is very cool that MS helps us and all critical bugs are fixed in a short term.