Signing VSIX installer

  • Question

  • Dear experts,

    I have a VSIX extension that installs and works fine in VS2017-19. However, in the installer wizard window the Digital Signature line is "none". I decided to try to sign it with a self-signed certificate. I generated a self-signed certificate with the PowerShell New-SelfSignedCertificate cmdlet. After that, I used VsixSignTool like this:

    vsixsigntool sign /v /f Unicomsi.pfx /p <password> /fd sha256 MyVSIX.vsix

    The VsixSignTool output upon completion was:

    The following certificate was selected:
            Issued to  : www.unicomsi.com
            Issued by  : www.unicomsi.com
            From       : Wed Sep 18 10:55:49 2019
            Expiry     : Fri Sep 18 11:15:49 2020
            Sign Method: RSA/SHA256
            SHA1 hash  : ac ae 6b af 26 e0 89 ef  ac d4 ef cb c7 e0 6f 26 06 1d 69 b8


    VsixSignTool Success: Package "PurifyPlusVSIX.vsix" was signed successfully.

    Number of files successfully Signed: 1
    Number of errors: 0

    So far so good. Now, when I start MyVSIX.vsix, the installation wizard comes up and in the Digital Signature line I see the following: "Invalid Certificate". This is more troublesome than "none".

    I have the following questions:

    1. Is it possible to sign a VSIX installer with a self-signed certificate?

    2. If certificate is not valid, why vsixsigntool reports success? This is very confusing.

    3. Is there a way to diagnose VSIX digital signature and find more details on what makes a certificate invalid?

    Thank you,

    Victor

    Thursday, September 19, 2019 12:44 AM

Answers

  • OK. I have figured it out. The reason for the "Invalid Certificate" message was the broken certification authority chain. Since this certificate was self-signed, the issuer was not in the "Trusted Root Certification Authorities" store. As a result, certificate validation was failing with error CERT_E_UNTRUSTED_ROOT. After this certificate was imported into the trusted root store, the installer shows the valid signature. I think both vsixsigntool and openvsixsigntool should test the certificate for validity before signing the VSIX package.

    • Marked as answer by vlh7 Tuesday, September 24, 2019 7:43 PM
    Tuesday, September 24, 2019 7:43 PM
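The check the accepted answer wishes the signing tools performed, written out as an added example; this is not code from the original thread, from vsixsigntool or from OpenVsixSignTool. It recreates the kind of certificate shown in the New-SelfSignedCertificate post below, validates its chain the way the VSIX installer and Authenticode do (the UntrustedRoot status is CryptoAPI's CERT_E_UNTRUSTED_ROOT), signs a file to show that signing succeeds regardless, then applies the fix from the answer and re-checks. The subject name www.example.com, the working directory and the PFX password are placeholders.

```powershell
# Added example, not code from the original thread or from the VSIX tooling.
# Assumptions: Windows PowerShell 5.1 on a throwaway test machine, interactive
# session (importing into CurrentUser\Root pops a confirmation dialog). The
# subject name, paths and PFX password are placeholders.

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'vsix-selfsigned-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Same kind of certificate as in the question: self-signed, Code Signing EKU.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -DnsName 'www.example.com' `
            -CertStoreLocation 'Cert:\CurrentUser\My'

# The PFX a tool such as vsixsigntool would consume via /f and /p.
$pfxPassword = ConvertTo-SecureString -String 'ChangeMe!' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $work 'codesign.pfx') `
                      -Password $pfxPassword | Out-Null

# 2. Chain validation: the check the signing tools skipped and the installer did.
#    For an untrusted self-signed cert, ChainStatus reports UntrustedRoot, which
#    is the same condition CryptoAPI surfaces as CERT_E_UNTRUSTED_ROOT.
function Test-CodeSigningChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Require the Code Signing EKU (1.3.6.1.5.5.7.3.3) along the chain.
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning)
    # A self-signed cert publishes no CRL/OCSP; do not let a revocation
    # failure hide the real problem, which is the untrusted root.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Valid      = $built
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Detail     = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' '
    }
}

# 3. Sign something with it. Like vsixsigntool, Set-AuthenticodeSignature
#    reports success whether or not anyone trusts the certificate; only the
#    verifier (Get-AuthenticodeSignature, or the VSIX installer) complains.
$script = Join-Path $work 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null

'--- before trusting the root ---'
Test-CodeSigningChain -Certificate $cert | Format-List
Get-AuthenticodeSignature -FilePath $script | Select-Object Status, StatusMessage

# 4. The fix from the accepted answer: place the self-signed certificate in the
#    Trusted Root Certification Authorities store. CurrentUser scope needs no
#    admin rights; LocalMachine\Root would need elevation and trusts it for
#    every user on the machine. Only the public certificate is exported.
$cerPath = Join-Path $work 'codesign-public.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

'--- after trusting the root ---'
Test-CodeSigningChain -Certificate $cert | Format-List
Get-AuthenticodeSignature -FilePath $script | Select-Object Status, StatusMessage

# 5. Clean up so the test machine does not keep trusting a throwaway key.
Remove-Item -Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $work -Recurse -Force
```

Run Test-CodeSigningChain against the PFX or thumbprint you are about to hand to vsixsigntool and refuse to sign when Valid is false; that is the pre-flight check the answer asks for. Trusting your own self-signed root only fixes the machine you import it on, so this is a development-box workaround: end users installing the VSIX will still see "Invalid Certificate" unless the extension is signed with a certificate that chains to a CA their machines already trust.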

All replies

  • Hi vlh7,

    Welcome to MSDN forum.

    >>1. Is it possible to sign a VSIX installer with a self-signed certificate?

    Yes, we could sign with a self-signed certificate. Please refer to this doc.

    >>2.If certificate is not valid, why vsixsigntool reports success? This is very confusing.

    Not sure if it is related to the options, it may also be a problem for vsixsigntool.

    >>3.Is there a way to diagnose VSIX digital signature and find more details on what makes a certificate invalid?

    You could try to use this tool to sign your VSIX packages. And I found an open-source tool that could help you digitally sign with VsixSignTool.

    Hope it could help you.

    Best Regards,

    Dylan



    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com

    Thursday, September 19, 2019 7:00 AM
  • Hi Victor,

    Can you also describe the command line you used to invoke the cmdlet that created the test certificate?

    Thanks,


    Ed Dore

    Thursday, September 19, 2019 10:13 PM
    Moderator
  • Hi Dylan,

    Thank you for your response. I tried the tool at the link you provided. When I run it with my self-signed certificate, it gives the following message: "The digital signature is invalid, there may have been a problem with the signing process". I am not sure where to go from here. I suspect this tool was created for VS2010 and probably does not support SHA2 certificates required for VS2015 and better. But I am not sure. The error message doesn't provide much details.

    Victor.

    Thursday, September 19, 2019 11:40 PM
  • Hi Ed,

    The command line is pretty straightforward:

    New-SelfSignedCertificate -Type CodeSigningCert -DnsName www.unicomsi.com -CertStoreLocation Cert:\CurrentUser\My

    After it runs, it creates the following certificate:

    PS C:\Windows\system32> ls Cert:\CurrentUser\My\ACAE6BAF26E089EFACD4EFCBC7E06F26061D69B8 |fl *
    
    
    PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\ACAE6BAF26E089EFACD4EFCBC7E06F26061D69B8
    PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
    PSChildName              : ACAE6BAF26E089EFACD4EFCBC7E06F26061D69B8
    PSDrive                  : Cert
    PSProvider               : Microsoft.PowerShell.Security\Certificate
    PSIsContainer            : False
    EnhancedKeyUsageList     : {Code Signing (1.3.6.1.5.5.7.3.3)}
    DnsNameList              : {www.unicomsi.com}
    SendAsTrustedIssuer      : False
    EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    PolicyId                 :
    Archived                 : False
    Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                               System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName             :
    IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter                 : 9/18/2020 11:15:49 AM
    NotBefore                : 9/18/2019 10:55:49 AM
    HasPrivateKey            : True
    PrivateKey               :
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
    RawData                  : {48, 130, 3, 35...}
    SerialNumber             : 1FA7A73576C266BE4AE74442FBCAA61A
    SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm       : System.Security.Cryptography.Oid
    Thumbprint               : ACAE6BAF26E089EFACD4EFCBC7E06F26061D69B8
    Version                  : 3
    Handle                   : 315655197008
    Issuer                   : CN=www.unicomsi.com
    Subject                  : CN=www.unicomsi.com
    
    

    This looks legit to me, but I am not sure what requirements are imposed on VSIX package signature.

    Appreciate your help.

    Victor.

    Thursday, September 19, 2019 11:49 PM
  • Hi vlh7,

    Thank you for feedback.

    Please have a try to use OpenOpcSignTool with VsixSignTool. Look forward to your feedback.

    Best Regards,

    Dylan




    Friday, September 20, 2019 7:26 AM
  • Hi Dylan,

    I have downloaded, built and installed the OpenVsixSignTool from GitHub.

    Used it with the following command:

    openvsixsigntool sign --sha1 ACAE6BAF26E089EFACD4EFCBC7E06F26061D69B8 --timestamp http://timestamp.digicert.com -ta sha256 -fd sha256 MyVSIX.vsix
    The signing operation is complete.

    When I start MyVSIX.VSIX, I still see "Invalid Certificate" in the signature line.

    At the moment I do not think that the problem is with the signing tool. The problem is most likely with the certificate itself. For some reason the VSIX installer thinks the certificate is not valid. As I have pointed out before, I generated this certificate using the PowerShell New-SelfSignedCertificate cmdlet. You can find details in my previous message.

    Thank you for your help,

    Victor.


    Friday, September 20, 2019 8:08 PM
  • Hi Dylan,

    Any insight on what could be wrong with the certificate? What part of the certificate makes it "Invalid"?

    I tried to sign a DLL with the same certificate and it seems to be OK. Visual Studio Installer, however, does not like it. Are there any special requirements on the VS Installer side for self-signed certificates?

    Regards,

    Victor.

    Monday, September 23, 2019 5:51 PM