I was trying to sign an .appx package that I created with the Desktop App Converter. However, signtool returned the following error:

Sign returned error: 0x800700C1
For more information, please see http://aka.ms/badexeformat


Sadly, signtool doesn’t return more detailed information, even when passing the debug switch.

So what’s going on?

Signing an .appx package requires that all executables (.exe and .dll) inside the package are either unsigned or have a valid signature.

In my case it turned out that one of the binaries that comes with Notepad++ has a corrupted signature.

I found this by checking all the files and then noticed that the only file that appeared to be unsigned was uninstall.exe.

After I deleted that file (after all, we don’t need an uninstaller with UWP), signtool happily signed the .appx package.

However, what if you have a file that is actually needed?

I opened the uninstall.exe file in CFF Explorer and noticed that the Security Directory had an invalid address.

Signtool.exe has an option to remove signing information from a file, so I tested that, but unfortunately signtool doesn’t know how to handle a corrupted signature:

SignTool Error: CryptSIPRemoveSignedDataMsg returned error: 0x00000057

However, with CFF Explorer it’s an easy task to simply remove the Security Directory.

Now we can sign the .appx package without removing files.

However, it is still a tedious task to find out which file(s) are invalid, so I wrote a PowerShell script that not only detects invalid or corrupted signatures but can also fix them.

I will document and publish this script in a follow-up blog post.
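
The Security Directory check described above can be done by reading the PE headers directly. The following is an added example in Python, not the PowerShell script mentioned in this post; the function names and the sample header are constructed for illustration. It assumes that zeroing the directory entry is an acceptable header-level way to drop a broken reference; it leaves any trailing certificate bytes and the PE checksum untouched and does not verify signatures.

```python
import struct

def security_entry_offset(data):
    """File offset of the Security Directory entry, or None if the table is too short."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                         # signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    return dirs + 32 if count > 4 else None  # entry 4: IMAGE_DIRECTORY_ENTRY_SECURITY

def check_security_directory(data):
    """Return 'unsigned', 'present' or 'invalid'. Does not verify the signature."""
    entry = security_entry_offset(data)
    if entry is None:
        return "unsigned"
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 and size == 0:
        return "unsigned"
    # This directory stores a raw file offset, not an RVA like the others.
    if offset == 0 or size < 8 or offset + size > len(data):
        return "invalid"
    length = struct.unpack_from("<I", data, offset)[0]    # WIN_CERTIFICATE.dwLength
    return "present" if 8 <= length <= size else "invalid"

def clear_security_directory(data):
    """Return a copy with the Security Directory entry zeroed."""
    entry = security_entry_offset(data)
    out = bytearray(data)
    if entry is not None:
        struct.pack_into("<II", out, entry, 0, 0)
    return bytes(out)

def sample_pe(offset, size, cert=b""):
    """Constructed 512-byte PE32 header stub with the given Security Directory."""
    hdr = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<I", hdr, 0xF4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x118, offset, size)     # Security Directory entry
    return bytes(hdr) + cert
```

To scan an unpacked package, read each .exe and .dll as bytes and pass it to `check_security_directory`; any file reported as `invalid` is a candidate for the signing failure.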