I’m getting this error when trying to use SignTool to sign my msix file.
I’ve verified I have Trusted Signing Certificate Profile Signer role assigned in Azure.
I also verified the publisher name of the AppxManifest.xml in the msix matches my certificate profile.
CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA
Following this procedure
https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations
& "C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\test\metadata.json" "C:\temp\test\my-app_1.0.128.0_x64.msix"
Trusted Signing
Version: 1.0.53
"Metadata": {
"Endpoint": "https://wus2.codesigning.azure.net",
"CodeSigningAccountName": "",
"CertificateProfileName": "",
"CorrelationId": "",
"ExcludeCredentials": []
}
Submitting digest for signing…
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
Headers:
Date: Fri, 10 May 2024 21:09:50 GMT
Connection: keep-alive
Strict-Transport-Security: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Length: 0
at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
2 Answers
The issue was my authentication "InteractiveBrowserCredential" was not working for some reason. I had to disable all authentication options except Azure CLI and retry. https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.
For 403s there can be a few things that can cause this, please check/verify the below:
• Check Trusted Signing role.
• Check the Trusted Signing account name and Trusted Signing certificate profile name in your metadata.json.
• Check the dlib and the dlib path.
• Install C++ Redistributables: Download link: https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
• Check the .NET version, dlib version and Windows SDK version.
• Check if Trusted Signing role is assigned to the identity trying to sign the file.
• Check if the corresponding Identity Validation is in "Completed" state.
• Verify that you have access to the Trusted Signing endpoint from the VM or machine you are signing from. Try executing the action on a different VM or machine; it can be a network issue.
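The two answers above boil down to a short pre-flight list: a metadata.json with non-empty account and profile names, a credential chain that actually works on the signing machine (the first answer kept only Azure CLI), the dlib and SignTool present on disk, and an MSIX Publisher that matches the certificate profile subject. The PowerShell below runs those checks before calling SignTool with the same switches as the question, then verifies the result. It is an added example, not code from the original post or from Microsoft; the paths, the account and profile names are placeholders, and the credential type names in `ExcludeCredentials` are assumed from the Azure.Identity DefaultAzureCredential chain (only `InteractiveBrowserCredential` and `AzureCliCredential` are named on this page), so check them against the current Trusted Signing documentation. `signtool verify /pa` on the package is also an assumption about SignTool's MSIX support.

```powershell
# Added example (not from the original post): pre-flight checks for a Trusted Signing
# signtool run, followed by the sign and verify commands. All paths are placeholders.
$SignTool = 'C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe'
$Dlib     = 'C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll'
$Metadata = 'C:\temp\test\metadata.json'
$Package  = 'C:\temp\test\my-app_1.0.128.0_x64.msix'
# Subject the certificate profile was created with; the MSIX Publisher must be the same string.
$ExpectedPublisher = 'CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA'

function New-SigningMetadata {
    param([string]$Path, [string]$Account, [string]$Profile)
    # Exclude every credential type except AzureCliCredential, as the first answer did.
    # The type names are assumed from the DefaultAzureCredential chain (assumption).
    $metadata = [ordered]@{
        Endpoint               = 'https://wus2.codesigning.azure.net'
        CodeSigningAccountName = $Account
        CertificateProfileName = $Profile
        ExcludeCredentials     = @(
            'EnvironmentCredential', 'WorkloadIdentityCredential', 'ManagedIdentityCredential',
            'SharedTokenCacheCredential', 'VisualStudioCredential', 'VisualStudioCodeCredential',
            'AzurePowershellCredential', 'AzureDeveloperCliCredential', 'InteractiveBrowserCredential'
        )
    }
    $metadata | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Test-SigningPrereqs {
    param([string]$SignTool, [string]$Dlib, [string]$Metadata, [string]$Package, [string]$ExpectedPublisher)
    $problems = @()

    foreach ($p in $SignTool, $Dlib, $Metadata, $Package) {
        if (-not (Test-Path -LiteralPath $p)) { $problems += "missing file: $p" }
    }
    if ($problems) { return $problems }

    # 1. metadata.json: empty account/profile names (as in the question's log) end in a 403.
    $m = Get-Content -LiteralPath $Metadata -Raw | ConvertFrom-Json
    foreach ($field in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
        if ([string]::IsNullOrWhiteSpace($m.$field)) { $problems += "metadata.json: '$field' is empty" }
    }
    if ($m.Endpoint -and $m.Endpoint -notmatch '^https://') { $problems += 'metadata.json: Endpoint must be https' }

    # 2. Publisher check: an MSIX is a zip container; read Identity/@Publisher from AppxManifest.xml.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Package)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { $problems += 'package has no AppxManifest.xml'; return $problems }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher
    if ($publisher -cne $ExpectedPublisher) {   # strict, case-sensitive comparison on purpose
        $problems += "Publisher mismatch: manifest='$publisher' expected='$ExpectedPublisher'"
    }

    # 3. Credential: if AzureCliCredential is allowed, az must be installed and logged in.
    if (@($m.ExcludeCredentials) -notcontains 'AzureCliCredential') {
        $az = Get-Command az -ErrorAction SilentlyContinue
        $acct = if ($az) { az account show 2>$null | ConvertFrom-Json } else { $null }
        if (-not $acct) { $problems += "Azure CLI not installed or not logged in (run 'az login')" }
    }
    return $problems
}

# Placeholder account/profile names; replace with the values from the Azure portal.
New-SigningMetadata -Path $Metadata -Account 'my-signing-account' -Profile 'my-cert-profile'

$problems = Test-SigningPrereqs -SignTool $SignTool -Dlib $Dlib -Metadata $Metadata `
    -Package $Package -ExpectedPublisher $ExpectedPublisher
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }

# Same switches as the question: SHA-256 file digest, RFC 3161 timestamp, Trusted Signing dlib.
& $SignTool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $Dlib /dmdf $Metadata $Package
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Confirm the signature chains to a trusted root and carries the timestamp.
& $SignTool verify /pa /v $Package
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The order matters: the file and metadata checks are local and free, the Publisher check catches the mismatch that would otherwise surface only as a SignerSign() failure, and the `az account show` probe fails fast when the only permitted credential has no token to offer. If the pre-flight passes and the service still returns 403, what is left is the role assignment on the identity that `az login` used, the Identity Validation state, and network reachability of the endpoint, which are the remaining items in the second answer.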