
Appx CMS Signer

ENTERPRISE

The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.AppxCMSSigner.

Overview

The Appx CMS signer is a special-purpose version of the extended CMS signer, allowing the production of CMS signatures for Microsoft Appx packages and bundles. This is intended for use with client-side hashing, where a client does the hashing of the original file and requests this hash to be signed by SignServer, producing a signature which is then inserted into the resulting output file by the client.

This signer has all the properties of the Extended CMS Signer and includes the Appx-specific properties of the Appx Signer. Note, however, that the Appx CMS signer does not support specifying the content OID (using the CONTENTOID property) or overriding the content OID (by enabling the ALLOW_CONTENTOID_OVERRIDE property), since the content OID is set according to the Authenticode specification. Like the Appx Signer, the Appx CMS signer supports signing of Appx bundles.

The signdocument command can be used with client-side hashing and construction to sign an Appx package by hashing on the client side, signing the hash server-side using this signer, and finally assembling the final signed binary or installer on the client side. For more information, see Client-Side Hashing. When using the signclient signdocument command to sign an Appx file or bundle, pass the entire file (not a precomputed hash) to signclient.

The Appx CMS signer only supports RFC 3161 timestamps.

Available Properties

| Property | Default | Description |
|---|---|---|
| ALLOW_PROGRAM_NAME_OVERRIDE | False | (Optional) Specifies if the requestor can override the program name by supplying it as a request metadata property. |
| ALLOW_PROGRAM_URL_OVERRIDE | False | (Optional) Specifies if the requestor can override the program URL by supplying it as a request metadata property. |
| PROGRAM_NAME | None | (Optional) Program name to embed in the signature. |
| PROGRAM_URL | None | (Optional) Program URL to embed in the signature. |

Request Properties

This worker can accept the following request metadata properties, given that they are configured to be allowed:

| Field | Default | Description |
|---|---|---|
| FILE_TYPE | PE | The file type for which the signature will be used. Currently supported values are PE (for portable executables, such as Windows .exe and .dll files), or MSI (for Windows installers). This affects the layout of the content in the CMS structure. If not specified, PE is assumed. |
| PROGRAM_NAME | None | Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Unless ALLOW_PROGRAM_NAME_OVERRIDE is configured in the worker, requests including this property will not be allowed. |
| PROGRAM_URL | None | Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Unless ALLOW_PROGRAM_URL_OVERRIDE is configured in the worker, requests including this property will not be allowed. |
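The rules in the two tables above can be checked against a worker configuration before deployment. The following is an added example, not SignServer code: it audits a worker properties dump for the unsupported content OID settings and for enabled override flags, and models which request metadata a worker would accept. The WORKERGENIDn.KEY=value file layout and all sample values are assumptions constructed for illustration.

```python
import re

APPX_CMS_CLASS = "org.signserver.module.msauthcode.signer.AppxCMSSigner"
# Request metadata field -> worker property that must be true to allow it (from the tables above).
OVERRIDE_FLAGS = {"PROGRAM_NAME": "ALLOW_PROGRAM_NAME_OVERRIDE",
                  "PROGRAM_URL": "ALLOW_PROGRAM_URL_OVERRIDE"}

# Constructed sample; the WORKERGENIDn.KEY=value layout is an assumption about the file format.
SAMPLE = """\
WORKERGENID1.NAME=AppxLocked
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.module.msauthcode.signer.AppxCMSSigner
WORKERGENID1.PROGRAM_NAME=Example App
WORKERGENID1.PROGRAM_URL=https://example.com/app
WORKERGENID2.NAME=AppxLoose
WORKERGENID2.IMPLEMENTATION_CLASS=org.signserver.module.msauthcode.signer.AppxCMSSigner
WORKERGENID2.ALLOW_PROGRAM_NAME_OVERRIDE=TRUE
WORKERGENID2.CONTENTOID=1.2.840.113549.1.7.1
"""

def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"

def parse_workers(text):
    """Group WORKER<id>.<KEY>=<value> lines by worker id, skipping comments and blanks."""
    workers = {}
    for line in text.splitlines():
        m = re.match(r"\s*(WORKER\w+)\.([A-Z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return workers

def audit(props):
    """Return findings for one worker; workers of other classes are out of scope."""
    if props.get("IMPLEMENTATION_CLASS") != APPX_CMS_CLASS:
        return []
    findings = []
    if "CONTENTOID" in props:
        findings.append("CONTENTOID is set but not supported by this signer")
    if is_true(props, "ALLOW_CONTENTOID_OVERRIDE"):
        findings.append("ALLOW_CONTENTOID_OVERRIDE is enabled but not supported by this signer")
    for field, flag in OVERRIDE_FLAGS.items():
        if is_true(props, flag):
            findings.append(f"{flag} is enabled: requestors may replace or remove {field}")
    return findings

def request_allowed(props, metadata):
    """True unless the request carries an override field whose flag is not enabled."""
    return all(is_true(props, OVERRIDE_FLAGS[f]) for f in metadata if f in OVERRIDE_FLAGS)

if __name__ == "__main__":
    for worker_id, props in parse_workers(SAMPLE).items():
        print(worker_id, audit(props) or "ok")
```
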
