VSIX signing

    Question

  • Hi,

    I'm signing my VSIX package using the VSIXSignTool as described here. The command says the package was successfully signed, but when I try to install the VSIX package it says the extension contains an invalid digital signature.

    I'm building my extension with Visual Studio 2012 on Windows 10, if that matters. I haven't seen this kind of problem before when building my extension on Windows 8.1 with Visual Studio 2012.

    I also get the same problem if I try to sign the extension using the PackageDigitalSignatureManager in my custom sign task.

    Any ideas what can be going wrong here?


    • Edited by pepone.onrez Friday, August 7, 2015 5:32 PM broken link
    Friday, August 7, 2015 1:43 PM

Answers

  • Coincidentally, I'm working with a customer with the same problem.

    If the VSIX targets VS 2013 and VS 2015, you'll still need to specify SHA1 with the VsixSignTool.exe, using the "/fd SHA1" argument when invoking VsixSignTool.exe.

    The issue was also compounded by a known bug in the Extension Manager, which should be getting fixed with the next update for VS 2015. Right now, the dev team recommends using the following as a workaround:

    <InstallationTarget Id="Microsoft.VisualStudio.Pro" Version="[12.0,)" />

    Instead of

    <InstallationTarget Id="Microsoft.VisualStudio.Pro" Version="[12.0,14.0)" />

    Sincerely,


    Ed Dore

    Tuesday, September 1, 2015 10:38 PM
    Moderator
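
The check the accepted answer implies, as an added example (not code from this thread or from Microsoft): it opens a VSIX as a ZIP, reads the InstallationTarget version ranges from the manifest and the algorithm URIs the package signature declares, and flags the two conditions the answer mentions. It assumes the signature lives in an OPC signature part whose name ends in `.psdsxs`; `build_sample` creates a constructed, unsigned stand-in package so the logic can be exercised offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted packages prefer defusedxml

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

def inspect_vsix(data):
    """Collect InstallationTarget ranges and the algorithms the signature declares."""
    info = {"targets": [], "algorithms": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith(".vsixmanifest"):
                for el in ET.fromstring(z.read(name)).iter():
                    if el.tag.rsplit("}", 1)[-1] == "InstallationTarget":
                        info["targets"].append((el.get("Id"), el.get("Version")))
            elif name.lower().endswith(".psdsxs"):  # assumed OPC signature part
                for el in ET.fromstring(z.read(name)).iter():
                    if el.tag in (DSIG + "SignatureMethod", DSIG + "DigestMethod"):
                        info["algorithms"].add(el.get("Algorithm").rsplit("#", 1)[-1])
    return info

def findings(info):
    """Apply the two pieces of advice from the accepted answer."""
    non_sha1 = sorted(a for a in info["algorithms"] if "sha1" not in a)
    out = []
    for tid, rng in info["targets"]:
        low, _, high = rng.strip("[]()").partition(",")
        major = int(low.split(".")[0]) if low.strip() else 0
        if high.strip():  # e.g. [12.0,14.0) instead of the open range [12.0,)
            out.append(f"{tid}: range {rng} has an upper bound")
        if major < 14 and non_sha1:  # targets a pre-2015 release, not SHA1-signed
            out.append(f"{tid}: targets pre-14.0 but signature declares {non_sha1}")
    return out

def build_sample(version_range, sig_uri, digest_uri):
    """Constructed stand-in for a signed VSIX (no real signature value inside)."""
    manifest = ('<PackageManifest xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
                f'<Installation><InstallationTarget Id="Microsoft.VisualStudio.Pro" Version="{version_range}" />'
                '</Installation></PackageManifest>')
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
           f'<SignatureMethod Algorithm="{sig_uri}" /><Reference>'
           f'<DigestMethod Algorithm="{digest_uri}" /></Reference></SignedInfo></Signature>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension.vsixmanifest", manifest)
        z.writestr("package/services/digital-signature/xml-signature/x.psdsxs", sig)
    return buf.getvalue()
```

For a real package, pass the file's bytes: `findings(inspect_vsix(open(path, "rb").read()))`. This only reads what the signature declares; it does not verify the signature or the certificate chain.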

All replies

  • If I sign my VSIX package on a Windows 7 machine without Visual Studio 2015, then VSIX install correctly shows the signature when installing in Visual Studio 2012 and Visual Studio 2013; for Visual Studio 2015 it shows a warning about an obsolete signature algorithm being used.

    If I sign the extension on Windows 10 with the new vsixsigntool on a machine with Visual Studio 2015, I'm not able to install the VSIX package on older Windows 7 machines; it complains about the signature algorithm. Uploading to the gallery also fails in this case.

    Friday, August 7, 2015 5:32 PM
  • Hello,

    As the document says,

    Beginning in 2015, VSIX packages signed using anything other than SHA256 encryption will be identified as having an invalid signature. VSIX installation is not blocked but the user will be warned.

    Did you sign it by using SHA256 encryption?


    Monday, August 10, 2015 8:11 AM
    Moderator
  • Hi,

    I'm using SHA256 encryption

     Signing bin\Release\IceBuilder.vsix
    vsixsigntool.exe sign /f mycert.pfx /p password /sha1 "...." /v bin\Release\IceBuilder.vsix
    
    The following certificate was selected:
           Issued to  : ....
           Issued by  : ....
           From       : Wed Aug  5 02:00:00 2015
           Expiry     : Wed Aug  8 14:00:00 2018
           Sign Method: RSA/SHA256
           SHA1 hash  : ....
    
     VsixSignTool Success: Package "bin\Release\IceBuilder.vsix" was signed successfully.
    
     Number of files successfully Signed: 1
     Number of errors: 0

    Installing on a Windows 10 machine I see, in this machine I have Visual Studio 2012/2013/2015 installed and the corresponding SDKs.

    Monday, August 10, 2015 12:51 PM
  • In a different machine running Windows 7 with Visual Studio 2012/2013 installed I get the following error on install:

    8/10/2015 2:57:20 PM - System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
       at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
       at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
       at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
       at MS.Internal.IO.Packaging.XmlDigitalSignatureProcessor.Verify(X509Certificate2 signer)
       at System.IO.Packaging.PackageDigitalSignature.Verify(X509Certificate signingCertificate)
       at System.IO.Packaging.PackageDigitalSignature.Verify()
       at Microsoft.VisualStudio.ExtensionManager.InstallableExtensionImpl.GetSignatureState(ZipPackage vsixPackage)
       at Microsoft.VisualStudio.ExtensionManager.InstallableExtensionImpl.get_SignatureState()
       at VSIXInstaller.App.LogExtensionDetails(IExtension extension)
       at VSIXInstaller.App.InitializeInstall()
       at System.Threading.Tasks.Task.InnerInvoke()
       at System.Threading.Tasks.Task.Execute()


    Monday, August 10, 2015 1:02 PM
  • Hi,

    We ran into the same problem. This is what we discovered so far:

    We tried to target our VSIX package for both VS 2013 and VS 2015 and we received the same 'invalid signature' error. This message is misleading because we use SHA256 and our digital signature is not invalid. To prove this, we changed the VSIX package to only target VS 2015 and the 'invalid signature' message goes away and we suddenly get the correct 'valid' digital signature. Unfortunately we can't find any explanation for this; however, if you go through the VSIX extensions on the Visual Studio gallery you will find plenty of extensions that target multiple versions of Visual Studio, and if you try to install them you will get the 'invalid signature' error. We are still looking for a solution other than creating multiple versions of the VSIX: vsix for 2013, vsix for 2015 - there has to be a better way ;-)

    Monday, August 31, 2015 5:53 PM
  • Thanks Ed,

     The workaround seems to work fine - at least for VS 2013 + VS 2015.  Thanks much.

    Tuesday, September 1, 2015 10:46 PM
  • Hi Ed Dore,

    For our extension we target VS2015, 2013, 2012 and 2010. And we use vsix schema 1.0 to support all 4 VS. So we can't use the workaround modifying InstallationTarget. Do you have a solution for schema 1.0?

    Regards,

    Alan

    

    Thursday, December 17, 2015 2:19 AM
  • In case anyone else finds this page...

    I've found a similar problem with an extension that supports VS2015 and Atmel Studio 7 (which is based on the VS2015 shell). If my InstallationTarget only specifies "Microsoft.VisualStudio.Pro" & "Microsoft.VisualStudio.Premium" it gets a valid digital signature, but if it also tries to target "AtmelStudio", it suddenly becomes an invalid digital signature.

    Tuesday, January 26, 2016 11:48 PM