Appx Signer
ENTERPRISE
The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.AppxSigner.
Overview
The Appx signer signs Microsoft APPX packages and bundles.
The signature can optionally include a timestamp response from a TSA, using either the RFC#3161 or the legacy Authenticode format.
The Publisher DN set in AppxManifest.xml (or AppxBundleManifest.xml) must match the Subject DN of the signing certificate. The Publisher DN order should also match the order set in the certificate (LDAP DN Order or X509 DN Order).
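A pre-signing check for the Publisher DN rule above, as an added example that is not part of the SignServer documentation or code. It assumes you supply the certificate's Subject DN as a string and compares it textually against the manifest's Publisher attribute; the function names, sample manifest and DNs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def split_dn(dn):
    """Split a DN string into (TYPE, value) RDNs, honouring backslash escapes and quotes."""
    rdns, cur, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep an escaped pair such as "\," intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:    # an unescaped, unquoted comma ends the RDN
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    # Normalise whitespace around each RDN and the case of the attribute type.
    return [(a.strip().upper(), v.strip())
            for a, _, v in (r.partition("=") for r in rdns)]

def manifest_publisher(manifest_xml):
    """Return Identity/@Publisher from AppxManifest.xml or AppxBundleManifest.xml."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":   # ignore the XML namespace
            return el.attrib["Publisher"]
    raise ValueError("no Identity element in manifest")

def compare_publisher(manifest_xml, cert_subject_dn):
    """Classify how the manifest Publisher relates to the certificate Subject DN."""
    pub, subj = split_dn(manifest_publisher(manifest_xml)), split_dn(cert_subject_dn)
    if pub == subj:
        return "match"
    if pub == subj[::-1]:
        return "reversed-order"     # same RDNs, LDAP vs X509 ordering
    if sorted(pub) == sorted(subj):
        return "order-mismatch"
    return "mismatch"

# Constructed sample manifest (not taken from the page).
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.App" Publisher="CN=Example Signer, O=Example\\, Inc., C=SE" Version="1.0.0.0"/>
</Package>"""

if __name__ == "__main__":
    for subject in ("CN=Example Signer,O=Example\\, Inc.,C=SE", "C=SE,O=Example\\, Inc.,CN=Example Signer"):
        print(subject, "->", compare_publisher(SAMPLE_MANIFEST, subject))
```

Attribute type aliases (for example S versus ST) are not normalised here, so a result other than "match" is a prompt to inspect both DNs rather than a definitive verdict.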
Available Properties
Property | Default | Description |
|---|---|---|
ALLOW_PROGRAM_NAME_OVERRIDE | False | (Optional) Specifies if the requestor can override the program name by supplying it as a request metadata property. |
ALLOW_PROGRAM_URL_OVERRIDE | False | (Optional) Specifies if the requestor can override the program URL by supplying it as a request metadata property. |
DIGESTALGORITHM | SHA256 | (Optional) Algorithm for the digest of the binary. |
DO_LOGRESPONSE_DIGEST | True | (Optional) Specifies if a digest of the response should be computed and logged. |
DO_LOGREQUEST_DIGEST | False | (Optional) Specifies if a digest of the request should be computed and logged. |
LOGRESPONSE_DIGESTALGORITHM | SHA256 | Specifies the algorithm used to create the message digest (hash) of the response document to put in the log. |
LOGREQUEST_DIGESTALGORITHM | SHA256 | Specifies the algorithm used to create the message digest (hash) of the request document to put in the log. |
PROGRAM_NAME | None | (Optional) Program name to embed in the signature. |
PROGRAM_URL | None | (Optional) Program URL to embed in the signature. |
SIGNATUREALGORITHM | Depends on the signing key | (Optional) Signature algorithm. The default depends on the signing key: |
TIMESTAMP_FORMAT | RFC3161 | Specifies the timestamp format to use. Allowed values: If the value AUTHENTICODE is set, a legacy Authenticode timestamp signer is assumed, rather than a standard RFC3161-compliant one. In order to use this property, you must specify a TSA source, using |
TSA_PASSWORD | None | Login password used if the TSA uses HTTP Basic Auth. Required if In order to use this property, you must specify a TSA source, using |
TSA_URL | None | (Optional) URL of external (Authenticode or RFC#3161) timestamp authority. This property cannot be combined with |
TSA_USERNAME | None | (Optional) Login username used if the TSA uses HTTP Basic Auth. In order to use this property, you must specify a TSA source, using |
TSA_WORKER | None | (Optional) Worker ID or name of internal (Authenticode or RFC#3161) timestamp signer in the same SignServer. This property cannot be combined with |
Request Properties
This worker can accept the following request metadata properties, given that they are configured to be allowed:
Property | Description |
|---|---|
PROGRAM_NAME | Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without |
PROGRAM_URL | Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without |
Worker Log Fields
Field | Description |
|---|---|
REQUEST_DIGEST | A message digest (hash) for the request document in hex encoding. |
REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
RESPONSE_DIGEST | A message digest (hash) for the response document in hex encoding. |
RESPONSE_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the response digest in the log. |