Extended Validation (EV) and the Windows Store

Update – 11/21/2016

There’s currently an issue with the Windows Dev Center registration page which causes the a properly signed XML file to fail on upload. I am working with the Microsoft team responsible for Windows Dev Center to get the issue resolved and will provide an update as soon as it’s fixed.

For now the MSFT team has asked that you work directly with MSFT Dev Center Support.  You can contact them at, Microsoft Support, and selecting either the “Chat now” or “Submit an incident” button.

The good, the bad, and the ugly.

Even if you’re an experienced Windows 8 developer with a plethora of apps in the store, chances are you haven’t heard of the extended validation option for your account.  And rightly so.  The use case is very specific.  It’s only available if you’re registered as a Company as opposed to an individual developer and only applicable to apps that need access to the documentsLibrary capability.  In fact, at the time of this post, I think I was one of the first to complete the process end-to-end.  It wasn’t a pleasant experience.  Definitely not something I would want when evangelizing Windows Store awesomeness.  I’m hoping this post can help others get through the good, the bad, and the ugly (not necessarily in that order) of the extended validation process.

Extended Validation:  What and why?

According to the Windows Store,

…apps that declare the documentsLibrary capability can only be submitted from developer accounts which can demonstrate they have acquired an Extended Validation (EV) code signing certificate from a certificate authority (CA).

I suppose an EV process makes sense when you read what the documentsLibrary capability does.  Effectively, it provides the app programmatic access to the user’s Documents, filtered by file types declared in the manifest.  The keyword being, “programmatic,” which is different than the standard UI file picker in that no user interface is involved.  This capability is somewhat outside the scope of the WinRT app sandbox which only lets the user decide which files it wants the app to interact with.  With the documentsLibrary capability, the app can interact with any file in the Documents folder as long as the file type is declared in the app’s manifest.

Extended Validation:  How?

Most apps don’t need programmatic access to the user’s Documents folder, but let’s suppose for sake of this blog your app does.  There are several steps to follow:

First, download the signable .xml file.  The link to download the file can be found by logging into your Windows Store account and clicking the “Account” link.  You’ll find the EV section just after the Publisher ID.

image

Second, purchase a code-signing certificate from Symantec or Digicert.  Both certificate authorities provide EV code-signing certificates which will work.  My personal experience is with Digicert but I expect Symantec would work the same.  Effectively, you purchase the certificate, fill out a form, and submit the form to your respective certificate authority.  The CA will then send a thumb drive to your company’s address with some instructions on how to use the drive to install the certificate.  Digicert has an image that describes this process:

So far the process seems pretty easy, right?  Download the .xml file, purchase the certificate, insert the thumb drive, and run the .exe on the thumb drive to sign the file.  If only it was that easy.  If you look on Symantec’s EV page under “Key Features”, take notice of the supported file types,

Digitally sign 32-bit and 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi, .xpi, and .xap files) and kernel-mode software

Okay but where’s .xml?

The Bad

I don’t want to go into a ton of details but traditional code-signing engines don’t sign .xml file types.  They are typically used to sign installers or libraries like the file types above.  In fact, if you tried to sign the .xml file with a typical code-signing tool, you’d get an error…  Not cool.

I spent several hours going back and forth with the Windows Store team and Digicert explaining the problem.  Digicert’s support was completely baffled as to why I would want to sign an .xml file so they weren’t much help.  Microsoft support was better but it required my traversing the org tree to find the team responsible for the EV section of the Store.  Not as easy as you’d think with 90,000+ employees.

The Ugly

Working with Microsoft’s EV team was awesome.  I was able to chat directly with a developer – finally someone with answers – and he was able to write a console program which signs .xml files.  I ran the program, configured the parameters and what do you know?  It worked!  Hurray!  I can now publish my app to the store.

NOTE:  the code signing certificate produced by the CA must be generated using SHA2, not SHA1 and the certificate must exist in the user’s certificate store before running the .exe.

The Good…?

Even though developing a custom C# project to sign .xml files isn’t an ideal solution it’s better than nothing so I’m calling this one “good.”  I’m also calling it good because I’ve received permission from Microsoft and the team who developed the project to host it on CodePlex.  You’re welcome.  Feel free to download the entire project or just the .exe to sign .xml files for as part of your extended validation status.  The tool is available at, https://codesignforxml.codeplex.com/.

Hope it helps,

Justin

Advertisements

44 thoughts on “Extended Validation (EV) and the Windows Store

  1. What commandline did you use?
    Trying to achieve the same thing but all I have is a token with an EV cert stored on it, I have no way of getting the pfx file off of it that I know of.

  2. Can you give an example of the actual parameters for both PFX and token methods?

    I found this off of the tool, but an example would be best so I can configure what is actually meant:

    Pfx Usage: SignXml.exe PFX {signMethod} {cert.pfx} {publicCert.cer} {signable xml} {signMethod}: SHA1 | SHA256 | SHA384 | SHA512

    Token Usage: SignXml.exe TOKEN {signMethod} {publicCert.cer} {signable xml} {signMethod}: SHA1 | SHA256 | SHA384 | SHA512

  3. Where can I get the token? Is it the eToken that I received from Symantec? If so how do I use it? Should I generate key with Symantec’s Certificate Key Provisioning and use that key as a token? I am stuck with the token usage and could you provide the correct usage? Many thanks.

    1. I don’t have personal experience with Symantec so I can’t comment on what they give you. The signing tool accepts either a .pfx file or a .cer file. Did you receive either one of those from Symantec?

      1. They sent us a SafeNet usb device which is a token, EV Code Signing Certificate can be signed onto that token with the installation instructions: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=SO20518. After the installation of the certificate, I could export it to a .cer file. But when I used it with Token Usage, the SignXml tool crashed with System.NotSupportedException error. My Token Usage is SignXml.exe TOKEN {SHA256} {D:\publicCert.cer} {D:\SignableXmlFor1829580993054788.xml}. So I thought the tool might need a token with .cer file for signing xml file, but I am not sure if I am correct?

  4. I’ve seen errors when the certificate was generated incorrectly. Can you verify the certificate was created using SHA2?

    If you run “makecert.exe” to create a certificate, the “-a” option must be specified in order to choose SHA2 algorithm.

    Also note – An acceptable signed xml for EV validation MUST meet following two criteria:
    1) The certificate must be created using SHA2 signature algorithm
    2) The xml must be signed with SHA2 algorithm.

  5. Hello, I’m not a techie – I’m just a lowly project manager trying to set up a Windows Phone developer account for the developers. I’m facing issues signing the file using EV. I tried the .exe file but all it does is download, give me a flash of a black screen, and then disappear. I still get gibberish when trying to access the file for signature.

    Any help would be great 🙂

    1. This tool isn’t used for creating Windows Phone developer accounts. It really only applies to a very specific problem with the Windows 8 store. Can you give me more details of what you’re trying to do?

      1. Hi Justin. There are a few types of Digital Signature for XML. One wraps the entire body in the Signature nodes, the other adds a signature onto the end. I was wondering which technique your tool used. Thanks! Ken

      2. Ah. OK. Thanks. It actually crashes when I try to run it but before I spent time trying to fix that I figured I’d find out if it did what I wanted anyway.

      3. I’ve seen errors when the certificate was generated incorrectly. Can you verify the certificate was created using SHA2?

        If you run “makecert.exe” to create a certificate, the “-a” option must be specified in order to choose SHA2 algorithm.

        Also note – An acceptable signed xml for EV validation MUST meet following two criteria:
        1) The certificate must be created using SHA2 signature algorithm
        2) The xml must be signed with SHA2 algorithm.

  6. Apparently the syntax should be:
    SignXML.exe TOKEN SHA256 certfile.cer XmlToSign.xml SHA256
    But even then, the Windows Hardware Dashboard fails to accept the signed file, saying that it is wrong, corrupt, etc. What gives with that? With whom do I talk to resolve the problem?

    1. I’ve seen errors when the certificate was generated incorrectly. Can you verify the certificate was created using SHA2?

      If you run “makecert.exe” to create a certificate, the “-a” option must be specified in order to choose SHA2 algorithm.

      Also note – An acceptable signed xml for EV validation MUST meet following two criteria:
      1) The certificate must be created using SHA2 signature algorithm
      2) The xml must be signed with SHA2 algorithm.

      1. Apparently, you don’t understand the problem at all. Sorry for bothering you and getting the only reply that you have, rather than an informative one. I told you in my message how to avoid the exception being thrown. Then it becomes a matter of what Microsoft will accept, which is apparently beyond your knowledge. ‘makecert’ my foot! I’ve got a dongle, not a pvk, etc file. And I use a tool like DigiCertUtil to export a .cer file from the hardware token that I have. It turns out that your tool isn’t what I needed at all, as I’m trying to sign drivers, not Windows Store submissions. And DigiCertUtil could sign the winqual.exe file just fine.

      2. Now I understand. You are asking me a question completely unrelated to the tool that I’ve developed and you’re put out because it doesn’t work in your case and somehow that’s my fault. Too bad… I would have been happy to connect you to the right person inside Microsoft.

  7. Hi Justin. Thank you for the tool! However, it seems that Microsoft new Hardware Dev Center dashboard doesn’t accept the signed xml with this tool. I use a token certificate from digicert. And I followed the instructions from the following link. Unfortunately the signed xml cannot be accepted. I’d appreciate it if you have any ideas. I’m sure that I use SHA2 algorithm and SHA2 certificate.
    https://www.digicert.com/code-signing/code-signing-ev-verification-xml-file.htm

    1. Hey Roy,

      The link you provided is for signing an XML file for Windows Store apps. You’re referencing the Microsoft new Hardware Dev Center, which I’m not familiar with. Would you mind sending me a link to the MSFT Dev Center so I can do some research?

    2. Hello Roy and Justin.

      Justin, thank you for providing the tool. However, I’m having the exact same issue as Roy. Roy, have you already solved this issue?

      Thanks for any help.

  8. The new Dashboard is a nightmare. The XML is signed successfully, however when you upload it you get the following error message:
    “There is a problem with the file you uploaded
    The signed file you uploaded is not the same file that you downloaded. Please ensure the file you sign and upload is the signable file you downloaded.”
    I also tried to use “XML Signer” from http://www.signfiles.com – same error.
    Any hints would be greatly appreciated.

      1. We ran into the same problem when uploading our signed file with the same error message “The signed file you uploaded is not the same file that you downloaded. Please ensure the file you sign and upload is the signable file you downloaded.” We poked around but couldn’t find any useful info. Dead stop!

  9. Hi Justin, Any update on the current issue? Is there a connect or other case number we can use when opening our own ticket? Stuck – can’t sign any drivers (the HLK portal now sends driver submissions to the new dashboard)…

  10. I too have come across the described issue. Thank you for taking it on. Do you have any estimate, how long it will take to resolve the issue? Frankly, I think the whole Dev Center is a nightmare — I’ve been jumping through hoops for weeks just getting to a point where I can have a driver signed.

  11. For the hardware/driver folks here – I was told last week that the dashboard team would be deploying a fix for this by the end of last week. And it does appear they have made changes (the signable file is now an .exe instead of .xml, and they advise you to use the standard SDK signtool.exe again now).

    Sadly, the “The file you uploaded is not the one you downloaded” error is still there. So, still stuck. I asked for my support case to be escalated. Will update here as I learn more.

  12. Hi, Mike, thanks for the info. I’ve received an e-mail from the Microsoft support, telling me that the problem was solved, but I still get the same message, now with the .exe file and using signtool.

    1. Luiz,

      Same here. Don’t know what’s going on. They really don’t care. This has been going on for weeks, with my support rep unable to escalate and only suggesting I “try different browsers” (which I have. All of them. Edge, IE, FF, Chrome, etc).

  13. Hi Mike, thanks for the info. It seems that this problem has been resolved now. I signed the .exe file with SHA256 certificate and passed the verification. Though I failed with an unexpected error after I created Azure AD account, it’s another problem.

    1. Roy,

      Yes, the initial signing (“different file uploaded”) problem seems to be fixed. However, when submitting driver packages, the new dashboard can’t detect the signature embedded in the package (even though the thumbprint matches and the certificate is clearly included inside the package binary). I’m wondering how anyone is getting anything signed, since this has been broken for over a month.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s