--replace option not working for msix installer

[jasonvooo]

Thanks for releasing 6.0 with msix installer!

I am running into an issue with using the --replace option when using jsign to sign a msix package. I am under the impression that when using this flag it should replace the existing signature and replace it with the new signature however when running it results in an artefact that has no signature present.

[ebourg]

I'm not aware of an issue with the replacement of MSIX signatures. This case is covered by a unit test in APPXSignerTest.

If you change the extension of the signed file to .zip and open the archive, do you see an AppxSignature.p7x entry?

[jasonvooo]

When exporting as a zip I see the AppxSignature.p7x file but when opening the file through explorer properties you cannot see the digital signature.

Before and after running jsign with --replace

[ebourg]

Could you send the two files, before and after replacing the signature, to ebourg@apache.org please? I'd like to inspect them.

[ebourg]

I've been able to reproduce this behavior, the missing 'Digital Signatures' tab happens when the primary signature of the package is made with a certificate whose CN doesn't match the publisher name in the app manifest. signtool usually returns an error code 0x8007000B when verifying such files.

I'll modify Jsign to check the CN before signing MSIX packages.