Issue signing a BC app package file for AppSource

 

Recently, I attempted to test-sign an app package file using a PFX file. For this test, I used a self-signed certificate solely to evaluate the process. In this post, I want to focus specifically on the issue I encountered during the test.

Please see the link below for more details:

https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-sign-extension

Option 1: Using BCContainerHelper

For this test, I created a BC Docker container named Bcv253 and an app called JobQueue.app to be signed.

First, I installed and imported the BCContainerHelper in PowerShell ISE.

#install and import BC Container helper
Install-Module -Name BCContainerHelper -Force -Scope CurrentUser
Import-Module BCContainerHelper

As the second step, I generated my own certificate for local testing using the script below:

# 1. Generate a self-signed certificate
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=JobQTest" -CertStoreLocation "Cert:\LocalMachine\My"
# 2. Export the certificate as a PFX file
$Password = ConvertTo-SecureString -String "P@ssw0rd" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\Temp\certificate.pfx" -Password $Password
# 3. Export the certificate as a CER file
Export-Certificate -Cert $cert -FilePath "C:\Temp\certificate.cer"

The final step was to sign the app using the certificate generated earlier.

#using BC Container helper
$MyAppFile = "C:\temp\BC\JobQueue.app" # the app needs to be in this location
$MyPfx = "C:\Temp\certificate.pfx"
$MyPassword = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$MyContainerName = "bcv253"
Sign-BcContainerApp -appFile $MyAppFile -pfxFile $MyPfx -pfxPassword $MyPassword -containerName $MyContainerName

Initially, I encountered an error because I didn’t place the JobQueue.app file in the correct folder or path. Instead, I had mistakenly placed it in *C:\temp\BC\JobQueue.app*.


To resolve this issue, I moved the JobQueue.app file to the container's Extensions folder, as shown in the screenshot below, and it worked successfully.

$MyAppFile = "C:\ProgramData\BcContainerHelper\Extensions\bcv253\my\Appsource\JobQueue.app" # the app needs to be in this location

Note: if you get an error using Sign-BcContainerApp, it might be worth running this script:

Install-NAVSipCryptoProviderFromNavContainer -containerName bcv253


Test: 

I tried to publish this app to the BC Docker container before signing it and got the error below:

After code-signing the app, I attempted to publish it again. However, this time I encountered an "untrusted provider" error, which was expected since I used a self-signed certificate.



Option 2: Signing the app directly (not using Docker)

I used the script below and ran the SignTool in the Developer Command Prompt (Visual Studio), which is included as part of the Windows SDK. It's important to ensure that the Windows SDK is installed; otherwise, you'll encounter an error stating that "signtool is not recognized."

When I ran this script, I got the error "File format cannot be signed because it is not recognized".

signtool sign /f "C:\Temp\certificate.pfx" /p "P@ssw0rd" /t "http://timestamp.digicert.com" /fd sha256  "C:\temp\BC\JobQueue.app"

I discovered that others have faced a similar issue where the SignTool application throws this error. Some online articles suggest resolving this by installing at least one Dynamics BC version on the machine used for code signing. Following this advice, I installed BC v24 and reran the SignTool script, but I still encountered the same error. 

I also found that others facing a similar issue recommended installing a NAV version instead of a Dynamics BC version. Following this advice, I installed a NAV version, and it successfully resolved the issue, allowing me to sign my app without any problems.
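To check the result of either option, the following added example (not part of the original post, and not Microsoft's or BcContainerHelper's code) looks for a registered signing provider (SIP) that can handle .app files, which is what the "not recognized" error and the Install-NAVSipCryptoProviderFromNavContainer note point at, and then reads the signature back from the signed file. It assumes the paths used above and that the provider DLL is named navsip.dll.

```powershell
# Added example: verify the signing prerequisite and the resulting signature.
# Paths are the ones used in this post; the DLL name navsip.dll is an assumption.
$appFile = "C:\ProgramData\BcContainerHelper\Extensions\bcv253\my\Appsource\JobQueue.app"
$cerFile = "C:\Temp\certificate.cer"

# 1. Look for a registered Subject Interface Package (SIP) backed by navsip.dll.
#    Windows lists SIP providers under this key, each with a "Dll" value.
$sipRoot = "HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg"
$navSip = Get-ChildItem -Path $sipRoot -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.Dll -match 'navsip\.dll$' }
if ($navSip) {
    Write-Host "SIP registered: $($navSip.Dll -join ', ')"
} else {
    Write-Warning "No navsip.dll SIP found; Windows cannot parse .app signatures on this machine."
}

# 2. Read the signature back and compare the signer with the exported .cer.
$sig      = Get-AuthenticodeSignature -FilePath $appFile
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerFile)

if ($sig.SignerCertificate) {
    $sameSigner = $sig.SignerCertificate.Thumbprint -eq $expected.Thumbprint
    Write-Host "Signer:      $($sig.SignerCertificate.Subject)"
    Write-Host "Matches cer: $sameSigner"
    Write-Host "Timestamped: $([bool]$sig.TimeStamperCertificate)"
}

# 3. Interpret the status; anything not listed falls through with its message.
switch ($sig.Status) {
    'Valid'        { "Valid: signature verifies and the chain ends in a trusted root." }
    'NotSigned'    { "NotSigned: no signature was found in the file." }
    'HashMismatch' { "HashMismatch: the file changed after it was signed." }
    default        { "$($sig.Status): $($sig.StatusMessage)" }
}
```

With the self-signed certificate from this post, expect a status other than Valid, because the certificate does not chain to a trusted root on the machine; that is the same trust decision behind the "untrusted provider" error at publish time.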




Have you encountered a similar issue? If so, feel free to share your experience and suggestions in the comments below!




