Wednesday, October 16, 2024

Code signing a VSIX Package with a certificate from DigiC**t

Let's skip over why you might want to do it, but if you need to sign a VSIX package with a certificate from the DigiCert KeyLocker (their hosted hardware security module service), referenced via a certificate stored in the Windows Certificate Manager, I have some important details for you.

A VSIX Installer showing a signed package

Here's the thing.

DigiCert claim that you can use their certificates to sign a .vsix file using SignTool.exe. You can't.

SignTool does not support signing VSIX files.

Previously, the recommended way to sign a VSIX package was with VsixSignTool, but this has now been deprecated.

The current (October 2024) recommended solution is to use the Sign CLI tool instead.

That's all well and good, but there aren't any clear instructions (anywhere!) that explain how to do this with a code signing certificate hosted in a DigiCert KeyLocker.

If you're trying to do this, I'd recommend not contacting DigiCert support as they're likely to tell you something like:

It seems our documentation is correct, it is supported, but does not specify the "how". As that would be listed as a third party custom configuration, which is something that is not supported at this time.

That's not at all helpful.

They may also point you to this (devblogs) blog post, but that still doesn't contain a complete working example for this scenario.


Here's what I recommend (based on what I've managed to get working and now use--don't ask how long it took to get working, as it's very depressing):

  • Set up your machine following DigiCert's instructions until you get to a point where you can successfully sign a .dll file with smctl.exe.
  • Install the Sign CLI tool.
  • Install KeyStore Explorer.
  • Use KeyStore Explorer to get the SHA256 version of the fingerprint for the certificate you wish to use (and remove the colons between the values).
  • Sign the VSIX with a command like this:

    sign code certificate-store {Path-to-VSIX-file} -cfp {SHA256-fingerprint} -csp "DigiCert Software Trust Manager KSP" -k {certificate-friendly-name} -u "http://timestamp.digicert.com"

e.g. (some values shortened)

sign code certificate-store "D:\output\MyExtension.vsix" -cfp 4AD4D3E4...7C2A -csp "DigiCert Software Trust Manager KSP" -k key_7...670 -u "http://timestamp.digicert.com"
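As an added example (my own script, not from the original post or from DigiCert or the Sign CLI project), the steps above wrapped in a PowerShell script that runs on the same machine. It assumes Sign CLI is installed as a global tool so that `sign` is on PATH, that smctl.exe signing already works, and that the path, friendly name and placeholders below are replaced with your own values. It goes slightly beyond the post: instead of reading the SHA256 fingerprint off KeyStore Explorer it hashes the certificate's DER bytes directly (the same value, without colons), it checks that the private key really is held by the DigiCert KSP before signing, and afterwards it inspects the VSIX (an OPC/zip package) for the digital-signature parts so a silently unsigned build is caught. The `sign` flags are copied verbatim from the post's command.

```powershell
# Added example, not the post's own code. Placeholders: replace all three values below.
$VsixPath     = 'D:\output\MyExtension.vsix'          # placeholder path
$FriendlyName = 'key_PLACEHOLDER'                      # the -k value (certificate friendly name)
$Ksp          = 'DigiCert Software Trust Manager KSP'  # provider name from the post
$TimestampUrl = 'http://timestamp.digicert.com'

# 1. Locate the certificate in the current user's personal store by friendly name.
#    Fail loudly if it is missing or ambiguous rather than signing with the wrong one.
$certs = @(Get-ChildItem -Path Cert:\CurrentUser\My |
           Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with friendly name '$FriendlyName', found $($certs.Count)."
}
$cert = $certs[0]

# 2. SHA256 fingerprint. $cert.Thumbprint is the SHA1 thumbprint, so hash the raw DER
#    bytes ourselves. This replaces the manual KeyStore Explorer step in the post and
#    yields the same hex string, already without colons.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $fingerprint = ($sha256.ComputeHash($cert.RawData) |
                    ForEach-Object { $_.ToString('X2') }) -join ''
} finally {
    $sha256.Dispose()
}
Write-Host "SHA256 fingerprint: $fingerprint"

# 3. Sanity check: the -csp value must match the KSP that actually holds the private key.
#    For a CNG-backed key GetRSAPrivateKey returns an RSACng whose Key.Provider names the KSP.
$provider = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and ($rsa -is [System.Security.Cryptography.RSACng])) {
        $provider = $rsa.Key.Provider.Provider
    }
} catch {
    Write-Warning "Could not query the key provider: $_"
}
if (-not $provider) {
    Write-Warning "Key provider could not be determined; continuing with -csp '$Ksp'."
} elseif ($provider -ne $Ksp) {
    throw "Private key is held by provider '$provider', not '$Ksp'. Check the KeyLocker setup."
}

# 4. Sign with the same flags the post uses (argument splatting avoids quoting surprises).
$signArgs = @('code', 'certificate-store', $VsixPath,
              '-cfp', $fingerprint,
              '-csp', $Ksp,
              '-k',   $FriendlyName,
              '-u',   $TimestampUrl)
& sign @signArgs
if ($LASTEXITCODE -ne 0) {
    throw "sign exited with code $LASTEXITCODE; the package was not signed."
}

# 5. Verify something was actually written. A signed VSIX (an OPC package) carries its
#    signature under package/services/digital-signature/ inside the zip.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($VsixPath)
try {
    $sigParts = @($zip.Entries |
                  Where-Object { $_.FullName -like 'package/services/digital-signature/*' })
} finally {
    $zip.Dispose()
}
if ($sigParts.Count -eq 0) {
    throw "No digital-signature parts found in $VsixPath; signing did not take effect."
}
$sigParts | ForEach-Object { Write-Host "signature part: $($_.FullName)" }
```

Run it from a PowerShell prompt on the machine where smctl.exe already signs a .dll. Step 3 is advisory only when the provider cannot be read (older runtimes return a CAPI object instead of RSACng), but when it can be read a mismatch stops the script, which is far quicker than decoding Sign CLI's error after a failed signing attempt.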


I hope this helps someone.

Yes, using something like Azure Key Vault is probably preferable. If you have detailed, up-to-date instructions on how to set that up, please share them.




Thursday, October 10, 2024

It's been a while

I'd guess that the majority of personal blogs in existence have a final post that apologizes for not posting in a while and then promises that this will change and they'll start posting again soon...


Yes, I've been quiet for a while. 

At the start of the year, I made plans to leave the project I was working on to spend some time reassessing what was important and what I wanted to do in the future. That time was interrupted by me rupturing the Achilles tendon in my right leg and being forced into 3 months of virtual immobility. This not only ruined my summer plans (and those for the rest of the year) but also kept me away from my desk and my computer(s). There were positives and negatives to this.


But now I'm back. As I start to get back into things I'm planning on working through the many, many draft blog posts I have and finishing and publishing them where appropriate.

If the next few posts seem very random and unrelated, that'll be why.

Developers like us pledge to support open-source

I was previously contributing to a project when something broke on the CI builds due to an issue with how a referenced library was configured.

I didn't realize the library was being used. It was configured in a way that meant it didn't show up inside Visual Studio when working with the solution.

I also knew this library had a special (moral) license. This "required" those using it to support the project financially, but the business wasn't doing so.

I wasn't using the functionality of the library, but when I discovered this, I did two things:

1. I made a personal financial contribution to the project.

2. I highlighted this to the business and indicated that they should be financially supporting the project if they wished to keep using the library. (The person who originally added the library pleaded ignorance--"But, it's open source, so we don't need to pay.")


People like us (developers like us):

  • Support the people writing open-source software. Financially if possible (and requested).
  • Respect the spirit of open-source licenses. Not just the minimum, enforceable legal requirements.


This incident raises other, bigger questions, but I'll discuss them at another time—maybe.


However, I mention this because I recently heard about the Open Source Pledge, an initiative to help encourage companies to "Do the right thing, support Open Source".

No, it's not going to solve the problem of funding and support for open source maintainers, but it will help.