none
Problem of digital sign with RSA-SHA256 RRS feed

  • Question

  • I have a VSIX which is signed by cert with SHA2. This is required when uploading the vsix to the vs gallery. But when i install the VSIX, it reports an error

    The stack is

    System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
       at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
       at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
       at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
       at MS.Internal.IO.Packaging.XmlDigitalSignatureProcessor.Verify(X509Certificate2 signer)
       at System.IO.Packaging.PackageDigitalSignature.Verify(X509Certificate signingCertificate)
       at System.IO.Packaging.PackageDigitalSignature.Verify()
       at Microsoft.VisualStudio.ExtensionManager.InstallableExtensionImpl.GetSignatureState(ZipPackage vsixPackage)
       at Microsoft.VisualStudio.ExtensionManager.InstallableExtensionImpl.get_SignatureState()
       at VSIXInstaller.App.LogExtensionDetails(IExtension extension)
       at VSIXInstaller.App.InitializeInstall(Boolean isRepairSupported)
       at VSIXInstaller.App.InitializeInstall()
       at System.Threading.Tasks.Task.InnerInvoke()
       at System.Threading.Tasks.Task.Execute()

    I took a look at the digital signature. seems that the signaturemethod is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Do you know how to solve this issue.?

    Wednesday, July 15, 2015 2:45 AM

All replies

  • We are experiencing problems with certificates for VSIX after installing VS2015 pre-RTM.

    Uploading signed VSIX to VS Gallery shows a warning message ~ obsolete algorithm.

    The same certificate and signed VSIX installs fine for machines with VS2013 and VS2015 RC. Double-click on VSIX or download/install from VS Gallery.

    On the machine with VS2015 pre-RTM installing the same signed VSIX through VS2013 Update 4, Tools menu, Extensions and Updates, download from VS Gallery works fine.

    Double-clicking the VSIX gives a message 'This extension contains an invalid certificate'.

    On the machine with VS2015 pre-RTM installing the same signed VSIX through VS2015 pre-RTM, Tools menu, Extensions and Updates, download from VS Gallery gives the message 'The digital signature algorithm used in this extension is obsolete'.

    We are 5 days away from VS2015 RTM and this is big problem. Users do not want to see 'Invalid certificate' for VS extensions, it sounds like they have been tampered with, opens up the possibility of malware and viruses.

    Dave


    Dave Baker | AIDE for LightSwitch | Xpert360 blog | twitter : @xpert360 | Xpert360 website | Opinions are my own. For better forums, remember to mark posts as helpful/answer.

    Wednesday, July 15, 2015 9:33 AM
  • Have you solved the issue or any work around for your product?
    Thursday, August 20, 2015 6:21 AM
  • Not solved yet. I have a related connect report open and have submitted evidence been waiting a few weeks for a response from Microsoft.

    Invalid certificate / obsolete algorithm

    Dave


    Dave Baker | AIDE for LightSwitch | Xpert360 blog | twitter : @xpert360 | Xpert360 website | Opinions are my own. For better forums, remember to mark posts as helpful/answer.

    Thursday, August 20, 2015 7:20 AM