microsoft · Trenly · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
@@ -138,6 +138,7 @@ devhome
 DFX
 DHAVE
 dic
+digicert
 diskfull
 DISPLAYCATALOG
 DMC

@@ -38,4 +38,5 @@ The PowerShell module now automatically uses `GH_TOKEN` or `GITHUB_TOKEN` enviro
 
 ## Bug Fixes
 
-<!-- Nothing yet! -->
+* `SignFile` in `WinGetSourceCreator` now supports an optional RFC 3161 timestamp server via the new `TimestampServer` property on the `Signature` model. When set, `signtool.exe` is called with `/tr <url> /td sha256`, embedding a countersignature timestamp so that signed packages remain valid after the signing certificate expires.
+* File and directory paths passed to `signtool.exe` and `makeappx.exe` are now quoted, fixing failures when paths contain spaces.
@@ -36,12 +36,16 @@ public static void SignFile(string fileToSign, Signature signature)
 
             string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
             string signtoolExecutable = Path.Combine(pathToSDK, "signtool.exe");
-            string command = $"sign /a /fd sha256 /f {signature.CertFile} ";
+            string command = $"sign /a /fd sha256 /f \"{signature.CertFile}\" ";
             if (!string.IsNullOrEmpty(signature.Password))
             {
                 command += $"/p {signature.Password} ";
             }
-            command += fileToSign;
+            if (!string.IsNullOrEmpty(signature.TimestampServer))
+            {
+                command += $"/tr {signature.TimestampServer} /td sha256 ";
+            }
+            command += $"\"{fileToSign}\"";
             RunCommand(signtoolExecutable, command);
         }
 
@@ -81,7 +85,7 @@ public static void Unpack(string package, string outDir)
 
             string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
             string makeappxExecutable = Path.Combine(pathToSDK, "makeappx.exe");
-            string args = $"unpack /nv /p {package} /d {outDir}";
+            string args = $"unpack /nv /p \"{package}\" /d \"{outDir}\"";
             Process p = new Process
             {
                 StartInfo = new ProcessStartInfo(makeappxExecutable, args)
@@ -99,7 +103,7 @@ public static void PackWithMappingFile(string outputPackage, string mappingFile)
 
             string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
             string makeappxExecutable = Path.Combine(pathToSDK, "makeappx.exe");
-            string args = $"pack /o /nv /f {mappingFile} /p {outputPackage}";
+            string args = $"pack /o /nv /f \"{mappingFile}\" /p \"{outputPackage}\"";
             RunCommand(makeappxExecutable, args);
         }
 
@@ -117,7 +121,7 @@ public static void Pack(string outputPackage, string directoryToPack)
 
             string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
             string makeappxExecutable = Path.Combine(pathToSDK, "makeappx.exe");
-            string args = $"pack /o /d {directoryToPack} /p {outputPackage}";
+            string args = $"pack /o /d \"{directoryToPack}\" /p \"{outputPackage}\"";
             RunCommand(makeappxExecutable, args);
         }
 

@@ -13,6 +13,11 @@ public class Signature
         // The publisher for the AppxPackage Identity Name property.
         public string? Publisher { get; set; }
 
+        // RFC 3161 timestamp server URL (e.g. http://timestamp.digicert.com).
+        // When set, a countersignature timestamp is added so the signature remains
+        // valid after the signing certificate expires.
+        public string? TimestampServer { get; set; }
+
         internal void Validate()
         {
             if (string.IsNullOrEmpty(this.CertFile))
-Original file line number
+Diff line change
@@ Expand Up / @@ -138,6 +138,7 @@ devhome @@
     DFX
     DHAVE
     dic
+    digicert
     diskfull
     DISPLAYCATALOG
     DMC
@@ Expand Down @@