microsoft/winget-cli

WingetSourceCreator cannot sign package when spaces are in cert path

Opened this issue · 2 comments

Relevant area(s)

WinGet CLI

Relevant command(s)

No response

Brief description of your issue

WingetSourceCreator cannot handle spaces in certificate path. Root cause is within the method SignFile in WingetSourceCreator\Helpers.cs

You need to change this:

string command = $"sign /a /fd sha256 /f {signature.CertFile} ";

to this:

string command = $"sign /a /fd sha256 /f \"{signature.CertFile}\" ";

You can implement #4948 while you are at it.

Steps to reproduce

Build solution. You might want to apply fix from #4181 so you can actually work with the IndexCreationTool.

Run the IndexCreationTool with Signature.CertFile path having an empty space somewhere in between.

When using a path, e.g. "D:/Jenkins/WrkDir/workspace/Winget Builder/Build Winget Package/signing_cert.pfx", you will be greeted with "SignTool Error: File not found: D:/Jenkins/WrkDir/workspace/Winget"

Expected behavior

Being able to deal with empty spaces in a path

Actual behavior

When using a path, e.g. "D:/Jenkins/WrkDir/workspace/Winget Builder/Build Winget Package/signing_cert.pfx", you will be greeted with "SignTool Error: File not found: D:/Jenkins/WrkDir/workspace/Winget"

Environment

N/A

@JohnnyElvis I don't fully understand your scenario, but if you wanted to make a PR and reference this issue, I can have the engineering team review it.

Hi @denelon, the issue here is the missing quotes when calling signtool.exe. It is not related to any specific scenario.

Current implementation:
signtool.exe /a /fd sha256 /f C:\path with spaces\cert.pfm results in signtool not being able to find "C:\path" instead of the full path "C:\path with spaces\cert.pfm"

Working implementation:
signtool.exe /a /fd sha256 /f "C:\path with spaces\cert.pfm" results in signtool actually finding the full path.

If possible, I'd like to submit the fixes since it is unpleasant maintaining a fork. Please share with me instructions on how to do this properly.

To explain referenced issues:
Index Creation Tool (and likely LocalhostWebServer) do not work without applying #4181. Current implementation fails to populate working directory with manifest files.

#4948 is a nice to have when building sources.msix which need to remain valid even after signing cert itself expired
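
Added example (not code from winget-cli or from the commenters in this thread): the quoting fix discussed above, generalized so that a path ending in a backslash or containing a quote character also reaches signtool as one argument. `SignToolArgs`, `Quote`, `Build` and the `fileToSign` parameter are hypothetical names, and `ArgumentList` assumes the tool targets .NET Core 2.1 or later.

```csharp
// Added example; not code from microsoft/winget-cli.
using System;
using System.Diagnostics;
using System.Text;

static class SignToolArgs
{
    // Quote one argument so the Windows command-line splitting rules
    // (CommandLineToArgvW / MSVC runtime) hand it back as a single argv entry.
    public static string Quote(string arg)
    {
        if (arg.Length > 0 && arg.IndexOfAny(new[] { ' ', '\t', '"' }) < 0)
            return arg; // nothing to protect

        var sb = new StringBuilder("\"");
        int backslashes = 0;
        foreach (char c in arg)
        {
            if (c == '\\') { backslashes++; continue; }
            // Backslashes are literal unless they precede a quote; there they
            // must be doubled and the quote itself escaped.
            sb.Append('\\', c == '"' ? backslashes * 2 + 1 : backslashes);
            sb.Append(c);
            backslashes = 0;
        }
        // Trailing backslashes sit before the closing quote, so double them.
        return sb.Append('\\', backslashes * 2).Append('"').ToString();
    }

    // Preferred where available: ArgumentList (.NET Core 2.1+) takes raw values
    // and does the quoting itself. fileToSign is a hypothetical parameter.
    public static ProcessStartInfo Build(string signTool, string certFile, string fileToSign)
    {
        var psi = new ProcessStartInfo(signTool) { UseShellExecute = false };
        foreach (var a in new[] { "sign", "/a", "/fd", "sha256", "/f", certFile, fileToSign })
            psi.ArgumentList.Add(a);
        return psi;
    }

    static void Main()
    {
        // Path from the issue report.
        string cert = "D:/Jenkins/WrkDir/workspace/Winget Builder/Build Winget Package/signing_cert.pfx";
        Console.WriteLine($"sign /a /fd sha256 /f {cert} ");        // unquoted: split at each space
        Console.WriteLine($"sign /a /fd sha256 /f {Quote(cert)} "); // one argument
        Console.WriteLine(Quote(@"C:\certs dir\"));                 // constructed path, trailing backslash
    }
}
```

Wrapping the value in `\"...\"` by hand is enough for a `.pfx` file path like the one reported; the helper matters when the same pattern is reused for directory paths or values that come from configuration.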