vsixsigntool does not find my key

    Question

  • Hi

    I'm trying to use the vsixsigntool as described on https://msdn.microsoft.com/en-us/library/dd997171.aspx and obtained from https://www.nuget.org/packages/Microsoft.VSSDK.Vsixsigntool to sign a vsix file with our newly obtained GlobalSign Code Signing certificate.

    The command line I used, formatted for readability and confidentiality only:

    vsixsigntool.exe sign
        /sha1 883ee6280e8a38e552e0ce4e23e94daf41bd488b
        /f "Certificate.p7b"
        /csp "eToken Base Cryptographic Provider"
        /k "te-d484afea-8367-4cb7-b984-4d351257333d"
        /tr http://rfc3161timestamp.globalsign.com/advanced
        /td SHA256
        /v
        "Extension.vsix"

    The "Certificate.p7b" file was created by exporting the certificate (without the private key, as that is not exportable).

    The tool output was:

    The following certificate was selected:
            Issued to  : MY COMPANY
            Issued by  : GlobalSign CodeSigning CA - SHA256 - G3
            From       : Wed Mar 15 12:21:59 2017
            Expiry     : Sun Mar 15 12:21:59 2020
            Sign Method: RSA/SHA256
            SHA1 hash  : 88 3e e6 28 0e 8a 38 e5  52 e0 ce 4e 23 e9 4d af 41 bd 48 8b

    VsixSignTool Error: Could not sign package "Extension.vsix": Error Code - 8009000d.
    Error Message: "Key does not exist.".
    Number of files successfully Signed: 0
    Number of errors: 1

    Based on this Interactive C# script session, it looks like the certificate is correctly installed:

    > using System.Security.Cryptography;
    > using System.Security.Cryptography.X509Certificates;
    > var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    > store.Open(OpenFlags.ReadOnly);
    > var cert = store.Certificates[1];
    > cert.Issuer
    "CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE"
    > cert.Thumbprint
    "883EE6280E8A38E552E0CE4E23E94DAF41BD488B"
    > cert.HasPrivateKey
    true
    > var key = cert.PrivateKey as RSACryptoServiceProvider ;
    > key.CspKeyContainerInfo.Exportable
    false
    > key.CspKeyContainerInfo.KeyContainerName
    "te-d484afea-8367-4cb7-b984-4d351257333d"
    > key.CspKeyContainerInfo.ProviderName
    "eToken Base Cryptographic Provider"

    Any idea why the tool cannot find the key?

    Thanks,

    Kris Vandermotten

    Saturday, March 18, 2017 10:36 AM
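    A diagnostic for the 0x8009000D error in the question, added here as an example that is not part of the original post or of vsixsigntool: it selects the certificate by thumbprint instead of by store index, then re-opens the same CSP key container the way a signing tool would, once per key spec (AT_SIGNATURE and AT_KEYEXCHANGE), and signs a constructed digest. 0x8009000D is CryptoAPI's NTE_NO_KEY ("Key does not exist"), returned when the container is there but holds no key of the requested spec, so the output separates a usable key that a tool asks for under the wrong spec from a key that is genuinely absent. The thumbprint is the one from the question; the `KeyCheck` class name and the all-zero digest are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
class KeyCheck
{
    // Thumbprint from the question; replace with the certificate under test.
    const string Thumbprint = "883EE6280E8A38E552E0CE4E23E94DAF41BD488B";
    static void Main()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // Select by thumbprint, not by index: the order of store.Certificates is not stable.
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("Certificate not found in CurrentUser\\My"); return; }
        // A CSP-backed key (such as the eToken provider) comes back as RSACryptoServiceProvider.
        var csp = found[0].PrivateKey as RSACryptoServiceProvider;
        if (csp == null) { Console.WriteLine("Private key is not CSP-backed"); return; }
        CspKeyContainerInfo info = csp.CspKeyContainerInfo;
        Console.WriteLine("Container {0} in {1}, KeyNumber={2}, MachineKeyStore={3}",
            info.KeyContainerName, info.ProviderName, info.KeyNumber, info.MachineKeyStore);
        // Re-open the same container under each key spec. NTE_NO_KEY (0x8009000D) is what
        // CryptoAPI returns when the container exists but holds no key of the requested spec.
        foreach (KeyNumber spec in new[] { KeyNumber.Signature, KeyNumber.Exchange })
        {
            var p = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName)
            {
                KeyNumber = (int)spec,
                Flags = CspProviderFlags.UseExistingKey
                      | (info.MachineKeyStore ? CspProviderFlags.UseMachineKeyStore : CspProviderFlags.NoFlags)
            };
            try
            {
                using (var rsa = new RSACryptoServiceProvider(p))
                {
                    // Sign a constructed 32-byte digest to prove the key is usable, not merely listed.
                    byte[] sig = rsa.SignHash(new byte[32], CryptoConfig.MapNameToOID("SHA256"));
                    Console.WriteLine("{0}: usable ({1}-bit signature)", spec, sig.Length * 8);
                }
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("{0}: 0x{1:X8} {2}", spec, ex.HResult, ex.Message);
            }
        }
    }
}
```

    Expect the token to prompt for its PIN on the spec that succeeds; a spec that reports 0x8009000D simply has no key in that slot, which is the condition to compare against what the tool requests.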

Answers

All replies

  • Further testing has shown that it is indeed the vsixsigntool that has a problem, not the certificate (or its private key).

    I tried signing myself with a simple C# program running on .NET 4.6.2, based on some old code I found at http://www.jeff.wilcox.name/2010/03/vsixcodesigning/, see below. However, the vsix installer reports that the signature is not valid.

    vsixsigntool.exe /verify reports:

    Verifying: "MyExtension.vsix"

    VsixSignTool Warning: The package is using an outdated signature method (SHA1).

    Signing Certificate:
            Issued to  : MY COMPANY
            Issued by  : GlobalSign CodeSigning CA - SHA256 - G3
            From       : Wed Mar 15 12:21:59 2017
            Expiry     : Sun Mar 15 12:21:59 2020
            Sign Method: RSA/SHA256
            SHA1 hash  : 88 3e e6 28 0e 8a 38 e5  52 e0 ce 4e 23 e9 4d af 41 bd 48 8b

    VsixSignTool Success: Package "MyExtension.vsix" is valid.

    Number of files successfully Verified: 1
    Number of errors: 0

    I guess the use of SHA1 is the problem, but that is just a guess.

    Here's the source code I used:

    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.IO.Packaging;   // needs a reference to WindowsBase.dll
    using System.Security.Cryptography.X509Certificates;
    namespace Sign
    {
        class Program
        {
            static void Main(string[] args)
            {
                string vsix = @"MyExtension.vsix";
                var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                store.Open(OpenFlags.ReadOnly);
                // Second certificate in the store, the same one the interactive session above inspected
                var cert = store.Certificates[1];
                store.Close();
                using (Package package = Package.Open(vsix, FileMode.Open))
                {
                    var signatureManager = new PackageDigitalSignatureManager(package);
                    // Embed the certificate in the signature part so verifiers do not need it installed
                    signatureManager.CertificateOption = CertificateEmbeddingOption.InSignaturePart;
                    signatureManager.RemoveAllSignatures();
                    // Left at the default hash (SHA1); see the note below the code
                    //signatureManager.HashAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
                    // Sign every part, plus the signature origin and the package-level relationships
                    List<Uri> toSign = new List<Uri>();
                    foreach (PackagePart packagePart in package.GetParts())
                    {
                        toSign.Add(packagePart.Uri);
                    }
                    toSign.Add(PackUriHelper.GetRelationshipPartUri(signatureManager.SignatureOrigin));
                    toSign.Add(signatureManager.SignatureOrigin);
                    toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
                    try
                    {
                        signatureManager.Sign(toSign, cert);
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine("Signing could not be completed: " + ex.Message);
                    }
                }
            }
        }
    }

    Notice the line

    //signatureManager.HashAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    When I uncomment it, I get an exception: Unsupported hash algorithm specified.

    So it seems I have no other option but to hope for a vsixsigntool.exe bug fix soon.


    Monday, March 20, 2017 12:03 PM
  • @Kris Vandermotten,

    Since you have worked out that this is a vsixsigntool.exe bug, you can mark your answer first, which will benefit other community members who have the same problem. Thanks.


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, March 21, 2017 7:58 AM
  • @Leo-Liu I'm sorry, but knowing that there is a bug in vsixsigntool is not exactly the solution to the problem, and knowing it benefits nobody. I'm looking for a bug fix.
    Tuesday, March 21, 2017 7:11 PM
  • I have found a solution: https://github.com/vcsjones/OpenVsixSignTool
    Monday, May 29, 2017 7:30 AM