Ed Andersen

Software Developer and Architect in Japan

Missing StoreKey PFX certificates when building a Visual Studio 2019 UWP project

Ed Andersen Avatar

by

in ,

I came across an interesting issue updating my UWP app to Visual Studio 2019 and a new Azure DevOps pipeline. “Associate with Store” no longer adds password-less PFX files named *TemporaryKey.pfx and *StoreKey.pfx to your project to sign your store submissions – instead in VS2019 it now adds the certificates to your local user store only.

Which means when it comes to build, you get errors like

C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Microsoft\VisualStudio\v15.0\AppxPackage\Microsoft.AppXPackage.Targets(4353,5): Error APPX0102: A certificate with thumbprint '' that is specified in the project cannot be found in the certificate store. Please specify a valid thumbprint in the project file.
C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Microsoft\VisualStudio\v15.0\AppxPackage\Microsoft.AppXPackage.Targets(4353,5): Error APPX0107: The certificate specified is not valid for signing. For more information about valid certificates, see http://go.microsoft.com/fwlink/?LinkID=241478.

For comparison:

Above: Visual Studio 2017

Above: Visual Studio 2019 – notice the options to select from file and create test certificate are no longer.

To fix this for Azure Devops, you’ll need to install the PFX private key on every build. Follow these steps:

  • On the Choose Certificate window (shown above) choose View Full Certificate
  • On the second tab, choose “Copy to file…” to start the export to PFX process
  • Export the private key to a password protected PFX file
  • Add the PFX file to your project directory, like where it used to be in VS 2017
  • Update your .csproj file, adding a <PackageCertificateKeyFile> element containing the filename alongside <PackageCertificateThumbprint>
  • Add your PFX to source control making sure it is not ignored
  • In Azure Devops Pipelines, you’ll need a quick Powershell build step to add the certificate to the local user store:
  • Make sure that the WorkingDirectory option is set to the folder with the PFX file (alongside the .csproj) file.

That Powershell script in full:

$pfxpath = 'MySigningKey.pfx'
$password = 'supersecretpassword'

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()

Now when your app is built, the private signing key will be loaded from the local machine store.

A note on security

The above is a quick and dirty way of getting this working – adding a PFX file to your source code repository is not best practice and you shouldn’t do this if you can help it. This is probably why Microsoft changed this behaviour in VS2019. An improvement on this could be to use the Secure Files feature of Azure DevOps to securely hold the PFX file until the build templates have a decent way of handing this scenario.

 

 

 

 

Ed Andersen Avatar

About me

Hi! 👋 I’m a Software Developer, Architect and Consultant living in Japan, building web and cloud apps. Here I write about software development and other things I find interesting. Read more about my background.

Ed’s “Newsletter”

Get the latest blog posts via email ✌️


Comments

4 responses to “Missing StoreKey PFX certificates when building a Visual Studio 2019 UWP project”

  1. João Santana Avatar
    João Santana

    Thank you for your workaround. Change this behaviour without notice was a mistake, IMAO, since build services like AppVeyor and Azure Pipelines needs the *.pfx file tô do its jobs flawlessly.

    As a side note, projects created with Windows Template Studio still create *.pfx files.

  2. Thanks a ton for writing this article, blogs like yours are a life saver!

  3. Thanks for taking the time to call this out and document it. My situation was slightly different but this is exactly what I needed. And this blog entry seems to be the single place on the internet that it’s documented!

  4. Thank you Ed Andersen. Can you help me with Storekey PFX for production. If I create a certificate from “Choose Certificate…” Microsoft is not accepting to upload bundle file to upload to the Microsoft Store.

    Getting error after bundle validation like “Publisher XXXXX not valid (expected CN=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)”.

Leave a Reply

Your email address will not be published. Required fields are marked *