Monday, November 18, 2024

Here's how I wasted $249 on code signing, so you don't have to!

I don't have positive experiences with code signing.

As of today I have another tale of confusion, frustration, anger, disappointment, and expense.


I'll try and keep this to just the facts, so I don't let my emotions carry me away:

  • I sign my VSIX (Visual Studio extension) and NuGet packages with a code signing certificate.
  • I use a hosted Code Signing solution from DigiCert.
  • Their certificates are initially limited to signing 1000 files per year. (Additional issuances are available for $249 for another 1000.)
  • I got through my initial thousand MUCH faster than I was expecting.  
  • I found out I'd used my allocation when signing suddenly started failing.
  • It turns out that, when signing a .vsix file, the default behaviour is to also (first) sign all the files inside the package and then sign the package as a whole.
  • Even if the internal files are already signed.
  • Regardless of where the files in the package are from.
  • So, when I thought I was signing one file, under the hood it was signing many more.
  • In some cases it was signing 30-40 files each time.
  • In the past I bought the certificate, installed it on my build machine and it didn't matter how many files I signed a file (or multiple packages in a file.)
  • Now that everything is a subscription (and especially for expensive ones), it becomes even more important to understand how the things you're using work and you may end up being billed for using them.
  • No, the documentation on this is far from extensive, clear, or useful.
  • I worked out the solution based on the description here "Some artifacts are containers that contain other signable file types."
  • Then I found the setting `--filelist` in the documentation at https://learn.microsoft.com/en-us/visualstudio/extensibility/dotnet-sign-cli-reference-vsix?view=vs-2022#options 
  • I've now updated all my signing scripts to only sign what's absolutely necessary. As an example see this commit.



Not mentioned: dealing with DigiCert support and how they made it hard for me to pay them money to buy more "issuances". :'(

Wednesday, November 13, 2024

I've used future versions of Visual Studio for years

At least, that's how I've convinced myself to think about it. 

What I'm referring to is the large number of extensions I've built for Visual Studio and how, slowly, many of them become built-in features of the product itself.
It's not that my past effort has become unnecessary. It's that everyone else is catching up.


Visual Studio version 17.12 is now out. At the top of the list of new productivity features is the ability to copy just the description from the Error List, by default, rather than the full row.

I have an extension in the marketplace that does this. It's called ErrorHelper & it's been in existence for more than five years!

partial screenshot showing the context menu options that the extension provides

My extension also does more!

It allows searching for the error message/description (in the search engine of your choice) directly from Visual Studio.
Yes, VS now makes it easier to copy only the text of the description, but without my extension, you still have to go to the browser and search engine and paste it there. Or you could do it in one click.

As some error descriptions include file paths that can impact results or be something you don't want to share, there's also the option to do the search with the path removed. No need to manually remove the path from the text you've copied.

Additionally, as some error descriptions include a URL to get more information, you can directly open the URL in your default browser. No need to manually extract the URL from the other text and then paste that into your browser.


Having the Search and Open URL features has made me feel more productive every time I've used them. Yes, working with error descriptions isn't a massively complicated process but it previously felt slow and frustrating. It was a "paper-cut" that interrupted my flow and felt like more effort than it needed to be. That's why I first made the extension.

It's great that this feature has been added to the product, but it's sad that Microsoft has only gone so far.
They've said that they made this change in response to listening to feedback from developers who have told them that it was harder than necessary to search for error messages with the old functionality.
What has been implemented seems like only part of a solution to that problem. Copying the text to search for is only the first step in searching for an answer. Were they really listening that closely to the real problem if they only implemented half a solution?


They've also said that when choosing which features to add, they avoid adding things that are already possible via existing extensions. However, in their examples of this, they only mention existing extensions that were created by Microsoft staff. I guess my extensions don't count. :(


I also have many other extensions available in the Visual Studio marketplace that you could begin using to improve your productivity now rather than wait for something similar (but possibly not as good) to be added to VS itself.


Naming is important, but consistency possibly moreso

Over on the MAUI repo, I've just started a discussion relating to the naming of code, particularly in relation to what is provided by default and the impact it can have.

Yes, I know that naming is difficult and subjective.

I started the discussion less to debate the names used but more to focus on the consequences of inventing new terms or using terms other than those that the population of likely users is most likely to already be familiar with.

There may be times when new or different terminology is required or preferred, but when that's the case:

  • It is essential to explain why the change has been made, or the alternative is being used.
  • Need to use the new convention consistently. This includes updating existing documentation, samples, and instructions.
  • There needs to be a clear reason/justification for the extra work (& short-term confusion) a change in terminology will create.
  • Filtering for personal preferences and justifications based on "how we've always done it" and the potential to "try something new" must also be factored in.

This is probably also a good reminder to me that "those who show up make the difference."

I also need to remember to motivate myself over the things I care about so that the enthusiastic but under-informed squeaky wheels don't cause avoidable issues for others.

Monday, November 11, 2024

cool Vs better

Some people want to make cool things.
But, what if it's only cool for the sake of being cool?
It may be cool, because it's its new but not measurably better (and improvement) in any way.
But what if the cool new thing is different and new and so not easily comparable with what already exists.
What if cool new thing promotes responses like "it looks good, but I'm. It sure what we'd like ever [pay to] use it for".
What if you make a cool new thing but can't justify why someone should use it, beyond it being "cool".

But,
Sometimes the benefits of a cool new thing aren't obvious. Sometimes the benefits aren't seen for a long time, or until someone with very different ideas and experiences finds a new use, or combines it with something else.

So,
How do you balance spending time on cool new things that may not have any short term benefit, and incremental, measurable improvements to what already exists?

Friday, November 08, 2024

Are your programming language criticisms misdirected?

Let's say you use a programming language that you don't like or have other issues with. Is that the language's fault or yours?
Why not use a different language? or technology?

If tooling makes the language easier to work with, is not using that tooling the language's fault?

If using a language that wasn't meant to be written by hand and writing it by hand (typed directly, without other tools) the fault of the language?

If the language is significantly easier to use via a tool and the company responsible for the language don't make good tools, is that the fault of the language or the company?

If a new tool makes directly working with the programming language unnecessary, does that indicate a failure of the language or that it shouldn't have been used that way? Or that the wrong tool/language was being used?

If a language was originally designed as way of storing output from a tool and you're now writing that "output" directly, does it make sense to write it the same way as the tool did? Or would it be better to write it in a way that's easier for you to read and write?

If you are unhappy with a language or how it's used, shouldn't you look at alternatives to that language or other ways of using/writing it?



Are you blaming someone or something else for your choices or lack of action?


Does the above offend you? Or is it a cause for action?