Sign and timestamp MSIX together

python · zooba · Nov 3, 2020 · Nov 3, 2020 · Nov 3, 2020 · Nov 3, 2020
commit 83b4820e2d2f6b356379f5dd5522ee04612655f6
diff --git a/.azure-pipelines/windows-release/stage-pack-msix.yml b/.azure-pipelines/windows-release/stage-pack-msix.yml
@@ -120,25 +120,21 @@ jobs:
       artifactName: unsigned_msix
       downloadPath: $(Build.BinariesDirectory)
 
-  - powershell: |
-      signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" (gi *.msix)
-    displayName: 'Sign MSIX'
-    workingDirectory: $(Build.BinariesDirectory)\unsigned_msix
-
+  # MSIX must be signed and timestamped simultaneously
   - powershell: |
       $failed = $true
       foreach ($retry in 1..3) {
-          signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 (gi *.msix)
+          signtool sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "$(SigningDescription)" (gi *.msix)
           if ($?) {
               $failed = $false
               break
           }
           sleep 1
       }
       if ($failed) {
-          throw "Failed to timestamp MSIX"
+          throw "Failed to sign MSIX"
       }
-    displayName: 'Timestamp MSIX'
+    displayName: 'Sign MSIX'
     workingDirectory: $(Build.BinariesDirectory)\unsigned_msix
 
   - task: PublishBuildArtifacts@1