Skip to main content
Skip table of contents

Appx Signer

ENTERPRISE

The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.AppxSigner.

Overview

The Appx signer signs Microsoft APPX packages and bundles.

The signature can optionally include a timestamp response from a TSA using the RFC#3161, or legacy Authenticode format.

The Publisher DN set in AppxManifest.xml (or AppxBundleManifest.xml) must match the Subject DN of the signing certificate. The Publisher DN order should also match the order set in the certificate (LDAP DN Order or X509 DN Order).

Available Properties

PropertyDescription
PROGRAM_NAMEProgram name to embed in the signature. Optional, default: none.
ALLOW_PROGRAM_NAME_OVERRIDE If the requestor should be able to override the program name by supplying it as a request metadata property. Optional, default: false.
PROGRAM_URL Program URL to embed in the signature. Optional, default: none.
ALLOW_PROGRAM_URL_OVERRIDEIf the requestor should be able to override the program URL by supplying it as a request metadata property. Optional, default: false.
SIGNATUREALGORITHM Signature algorithm. Optional, default: depending on the signing key, SHA256withRSA, SHA256withDSA or SHA256withECDSA.
DIGESTALGORITHM Algorithm for the digest of the binary. Optional, default: SHA256.
TSA_WORKER Worker ID or name of internal (Authenticode or RFC#3161) timestamp signer in the same SignServer. Optional, default: none. This property cannot be combined with TSA_URL.
TSA_URL URL of external (Authenticode or RFC#3161) timestamp authority. Optional, default: none. This property cannot be combined with TSA_WORKER.
TSA_USERNAME Login username used if the TSA uses HTTP Basic Auth. Optional, default: none.
TSA_PASSWORD Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified, default: none.
DO_LOGREQUEST_DIGEST If a digest of the request should be computed and logged. Optional, default: true.
LOGREQUEST_DIGESTALGORITHM Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.
DO_LOGRESPONSE_DIGEST If a digest of the response should be computed and logged. Optional, default: true.
LOGRESPONSE_DIGESTALGORITHM Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256.
TIMESTAMP_FORMAT 

Specifies the timestamp format to use. Default: RFC3161. Allowed values: RFC3161, AUTHENTICODE. If the value AUTHENTICODE is set, a legacy Authenticode timestamp signer is assumed, rather than a standard RFC3161-compliant one.

Request Properties

This worker can accept the following request metadata properties, given that they are configured to be allowed:

PropertyDescription
PROGRAM_NAME Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed.
PROGRAM_URL Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed.

Worker Log Fields

FieldDescription
REQUEST_DIGEST A message digest (hash) for the request document in hex encoding.
REQUEST_DIGEST_ALGORITHMThe name of the message digest (hash) algorithm used for the request digest in the log.
RESPONSE_DIGESTA message digest (hash) for the response document in hex encoding.
RESPONSE_DIGEST_ALGORITHMThe name of the message digest (hash) algorithm used for the response digest in the log.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.