Signing an appxbundle using CryptUIWizDigitalSign API

Question

I'm facing a rather interesting issue in regards to Authenticode signing an UWP appxbundle file.

Some background: The client provided us with a SafeNet USB token containing the signing certificate. The private key is not exportable, of course. I want to be able to use this certificate for our automated release builds to sign the package. Unfortunately, the token requires a PIN to be entered once per session, so for example if the build agent reboots, the build will fail. We enabled single login on the token so it's enough to unlock it once a session.

Current state: We can use signtool on the appxbundle without any problems, given the token has been unlocked. This works well enough but breaks as soon as the machine is rebooted or the workstation is locked.

After some searching I managed to find this piece of code. This takes the signing parameters (including the token PIN) and invokes Windows API to sign the target file. I managed to compile this and it worked flawlessly for signing the installation wrapper (EXE file) - the token did not ask for PIN and was unlocked automatically by the API call.

However, when I invoked the same code on the appxbundle file, the call to CryptUIWizDigitalSign failed with error code 0x80080209 APPX_E_INVALID_SIP_CLIENT_DATA. This is a mystery to me because invoking signtool on the same bundle, with the same parameters/certificate works without problem so the certificate should be fully compatible with the package.

Does anyone have experience with something like this? Is there a way to figure out what is the root cause of the error (what is incompatible between my cert and the bundle)?

EDIT 1

In response to a comment:

The code I'm using to call the APIs (taken directly from the aforementioned SO question)

#include <windows.h>
#include <cryptuiapi.h>
#include <iostream>
#include <string>
#pragma comment (lib, "cryptui.lib")

const std::wstring ETOKEN_BASE_CRYPT_PROV_NAME = L"eToken Base Cryptographic Provider";

std::string utf16_to_utf8(const std::wstring& str)
{
    if (str.empty())
    {
        return "";
    }

    auto utf8len = ::WideCharToMultiByte(CP_UTF8, 0, str.data(), str.size(), NULL, 0, NULL, NULL);
    if (utf8len == 0)
    {
        return "";
    }

    std::string utf8Str;
    utf8Str.resize(utf8len);
    ::WideCharToMultiByte(CP_UTF8, 0, str.data(), str.size(), &utf8Str[0], utf8Str.size(), NULL, NULL);

    return utf8Str;
}

struct CryptProvHandle
{
    HCRYPTPROV Handle = NULL;
    CryptProvHandle(HCRYPTPROV handle = NULL) : Handle(handle) {}
    ~CryptProvHandle() { if (Handle) ::CryptReleaseContext(Handle, 0); }
};

HCRYPTPROV token_logon(const std::wstring& containerName, const std::string& tokenPin)
{
    CryptProvHandle cryptProv;
    if (!::CryptAcquireContext(&cryptProv.Handle, containerName.c_str(), ETOKEN_BASE_CRYPT_PROV_NAME.c_str(), PROV_RSA_FULL, CRYPT_SILENT))
    {
        std::wcerr << L"CryptAcquireContext failed, error " << std::hex << std::showbase << ::GetLastError() << L"\n";
        return NULL;
    }

    if (!::CryptSetProvParam(cryptProv.Handle, PP_SIGNATURE_PIN, reinterpret_cast<const BYTE*>(tokenPin.c_str()), 0))
    {
        std::wcerr << L"CryptSetProvParam failed, error " << std::hex << std::showbase << ::GetLastError() << L"\n";
        return NULL;
    }

    auto result = cryptProv.Handle;
    cryptProv.Handle = NULL;
    return result;
}

int wmain(int argc, wchar_t** argv)
{
    if (argc < 6)
    {
        std::wcerr << L"usage: etokensign.exe <certificate file path> <private key container name> <token PIN> <timestamp URL> <path to file to sign>\n";
        return 1;
    }

    const std::wstring certFile = argv[1];
    const std::wstring containerName = argv[2];
    const std::wstring tokenPin = argv[3];
    const std::wstring timestampUrl = argv[4];
    const std::wstring fileToSign = argv[5];

    CryptProvHandle cryptProv = token_logon(containerName, utf16_to_utf8(tokenPin));
    if (!cryptProv.Handle)
    {
        return 1;
    }

    CRYPTUI_WIZ_DIGITAL_SIGN_EXTENDED_INFO extInfo = {};
    extInfo.dwSize = sizeof(extInfo);
    extInfo.pszHashAlg = szOID_NIST_sha256; // Use SHA256 instead of default SHA1

    CRYPT_KEY_PROV_INFO keyProvInfo = {};
    keyProvInfo.pwszContainerName = const_cast<wchar_t*>(containerName.c_str());
    keyProvInfo.pwszProvName = const_cast<wchar_t*>(ETOKEN_BASE_CRYPT_PROV_NAME.c_str());
    keyProvInfo.dwProvType = PROV_RSA_FULL;

    CRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO pvkInfo = {};
    pvkInfo.dwSize = sizeof(pvkInfo);
    pvkInfo.pwszSigningCertFileName = const_cast<wchar_t*>(certFile.c_str());
    pvkInfo.dwPvkChoice = CRYPTUI_WIZ_DIGITAL_SIGN_PVK_PROV;
    pvkInfo.pPvkProvInfo = &keyProvInfo;

    CRYPTUI_WIZ_DIGITAL_SIGN_INFO signInfo = {};
    signInfo.dwSize = sizeof(signInfo);
    signInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE;
    signInfo.pwszFileName = fileToSign.c_str();
    signInfo.dwSigningCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_PVK;
    signInfo.pSigningCertPvkInfo = &pvkInfo;
    signInfo.pwszTimestampURL = timestampUrl.c_str();
    signInfo.pSignExtInfo = &extInfo;

    if (!::CryptUIWizDigitalSign(CRYPTUI_WIZ_NO_UI, NULL, NULL, &signInfo, NULL))
    {
        std::wcerr << L"CryptUIWizDigitalSign failed, error " << std::hex << std::showbase << ::GetLastError() << L"\n";
        return 1;
    }

    std::wcout << L"Successfully signed " << fileToSign << L"\n";
    return 0;
}

The certificate is a CER file (public portion only) exported from the token and the container name is taken from the token's info. As I mentioned, this works correctly for EXE files.

The signtool command

signtool sign /sha1 "cert thumbprint" /fd SHA256 /n "subject name" /t "http://timestamp.verisign.com/scripts/timestamp.dll" /debug "$path"

This also works, when I call it either manually or from the CI build when the token is unlocked. But the code above fails with the mentioned error.

EDIT 2

Thanks to all of you, I now have a working implementation! I ended up using the SignerSignEx2 API, as suggested by RbMm. This seems to work fine for both appx bundles and PE files (different parameters for each). Verified on Windows 10 with a TFS 2017 build agent - unlocks the token, finds a specified certificate in the cert store, and signs+timestamps the specified file.

I published the result on GitHub, if anyone is interested: https://github.com/mareklinka/SafeNetTokenSigner

Can you add both the code that fails, as well as the *signtool.exe* command line you are using? — IInspectable, Feb 15 '18 at 10:12
Can you check your event logs and see if you can find any suggestion regarding your error:"The SIP_SUBJECTINFO structure used to sign the package didn't contain the required data.". For troubleshooting we can see [here](https://msdn.microsoft.com/en-us/library/windows/desktop/jj835835(v=vs.85).aspx) — Barry Wang, Feb 16 '18 at 05:44
I checked the logs at `Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational` but there is only this information-level record added when I hit the API: `The bundle reader was created successfully without manifest validation.` — mlinka, Feb 16 '18 at 07:16
I should probably add that the appxbundle I'm trying to sign is being signed with a self-signed cert when being built by the CI server - this self-signed cert is installed on the build machine, but not as a trusted root. So there already is a signature present when I invoke the API calls - I want to replace it with a globally trusted cert. — mlinka, Feb 16 '18 at 07:33
are you try this code - [How to programmatically sign an app package](https://msdn.microsoft.com/en-us/library/windows/desktop/jj835834(v=vs.85).aspx) ? — RbMm, Feb 21 '18 at 01:26
I haven't seen that article. I will definitely check it out and see if I can figure it out - I'm not too well-versed in C++/Win32 APIs but I'll give it a shot. Thanks! — mlinka, Feb 21 '18 at 07:30
all task in `PVOID pSipData` parameter of `SignerSignEx2` or [`SignerSignEx`](https://msdn.microsoft.com/en-us/library/windows/desktop/aa387734(v=vs.85).aspx) - this is can be 0 when we sign pe file (exe,dll,sys). but in case `appxbundle` it mandatory and must point to `APPX_SIP_CLIENT_DATA` otherwise we got `APPX_E_INVALID_SIP_CLIENT_DATA`. — RbMm, Feb 21 '18 at 07:56

score 7 · Accepted Answer · answered Feb 21 '18 at 11:53

first of all i look where CryptUIWizDigitalSign failed:

the CryptUIWizDigitalSign called SignerSignEx function, with pSipData == 0. for sign PE file (exe, dll, sys) - this is ok and will be work. but for appxbundle (zip archive file type) this parameter mandatory and must point to APPX_SIP_CLIENT_DATA: for appxbundle call stack is

CryptUIWizDigitalSign 
SignerSignEx
HRESULT Appx::Packaging::AppxSipClientData::Initialize(SIP_SUBJECTINFO* subjectInfo)

at very begin of Appx::Packaging::AppxSipClientData::Initialize we can view next code:

if (!subjectInfo->pClientData) return APPX_E_INVALID_SIP_CLIENT_DATA;

this is exactly where your code fail.

instead of CryptUIWizDigitalSign need direct call SignerSignEx2 and pSipData is mandatory parameter in this case.

in msdn exist full worked example - How to programmatically sign an app package (C++)

the key point here:

APPX_SIP_CLIENT_DATA sipClientData = {};
sipClientData.pSignerParams = &signerParams;
signerParams.pSipData = &sipClientData;

the modern SignTool call SignerSignEx2 direct:

here again clear visible:

if (!subjectInfo->pClientData) return APPX_E_INVALID_SIP_CLIENT_DATA;

after this called

    HRESULT Appx::Packaging::Packaging::SignFile(
                 PCWSTR FileName, APPX_SIP_CLIENT_DATA* sipClientData)

here at begin next code:

if (!sipClientData->pSignerParams) return APPX_E_INVALID_SIP_CLIENT_DATA;

this clear stated in msdn:

You must provide a pointer to an APPX_SIP_CLIENT_DATA structure as the pSipData parameter when you sign an app package. You must populate the pSignerParams member of APPX_SIP_CLIENT_DATA with the same parameters that you use to sign the app package. To do this, define your desired parameters on the SIGNER_SIGN_EX2_PARAMS structure, assign the address of this structure to pSignerParams, and then directly reference the structure's members as well when you call SignerSignEx2.

question - why need again provide the same parameters, which used in call SignerSignEx2 ? because appxbundle is really archive, which containing multiple files. and every file need be sign. for this Appx::Packaging::Packaging::SignFile recursive call SignerSignEx2 again :

for this recursive calls pSignerParams and used - for call SignerSignEx2 with exactly the same parameters as top call

Thanks for this detailed analysis. I will be attempting to implement this over the coming weekend and get back to you. — mlinka, Feb 22 '18 at 04:39
Update: I managed to implement a signing app that can sign both a standard PE executable and appx bundles AND will log onto the security token automatically. We can finally automate our release builds properly. Thanks again for the detailed analysis. — mlinka, Feb 23 '18 at 14:43
@mlinka - in case `PE` we can use `SignerSignEx` with `pSipData == 0`. but for appx need use only `SignerSignEx2` with `pSipData` point to `APPX_SIP_CLIENT_DATA`. also for PE(driver) we sometime need use `SPC_INC_PE_PAGE_HASHES_FLAG` flag ([/ph option with SignTool](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx). for appx always used `SPC_EXC_PE_PAGE_HASHES_FLAG`. — RbMm, Feb 23 '18 at 15:04
It seems `SignerSignEx2` is just fine with PE files as well, I just skip the SIP data (like `SignerSignEx`). Hopefully, we will not need to sign driver code anytime soon, but it might help someone else. Cheers! — mlinka, Feb 23 '18 at 18:46
@mlinka was the next call chain `SignerSign` -> `SignerSignEx` -> `SignerSignEx2` -> `SignerSignEx3` - so every api call extended version with additional arguments set to 0 . of course `SignerSignEx2` will be work to PE too. I initial wrote code used ``SignerSignEx` to auto sign own drivers exactly :) — RbMm, Feb 23 '18 at 20:00

Signing an appxbundle using CryptUIWizDigitalSign API

1 Answers1