Let's avoid why you might want to do it, but if you need to sign a VSIX package with a certificate from the DigiCert KeyLocker (using their hosted Hardware module service) referenced with a certificate stored in the Windows Certificate Manager, I have important details for you.
Here's the thing.
DigiCert claim that you can use their certificates to sign a .vsix file using SignTool.exe. You can't.
SignTool does not support signing VSIX files.
Previously, the recommended way to sign a VSIX package was with VsixSignTool, but this has now been deprecated.
The current (October 2024) recommended solution is to use the Sign CLI tool instead.
That's all well and good, but there aren't any clear instructions (anywhere!) that explain how to do this with a code signing certificate hosted in a DigiCert KeyLocker.
If you're trying to do this, I'd recommend not contacting DigiCert support as they're likely to tell you something like:
It seems our documentation is correct, it is supported, but does not specify the "how". As that would be listed as a third party custom configuration, which is something that is not supported at this time.
That's not at all helpful.
They may also point you to this (devblogs) blog post, but that still doesn't contain a complete working example for this scenario.
Here's what I recommend (based on what I've managed to get working and now use--don't ask how long it took to get working as it's very depressing.):
- Set up your machine following DigiCert's instructions until you get to a point where you can successfully sign a .dll file with smctl.exe.
- Install the SIGN tool.
- Install KeyStore Explorer.
- Use KeyStore Explorer to get the SHA256 version of the fingerprint for the certificate you wish to use. (and remove the colons between values)
- Sign the VSIX with a command like this:
I hope this helps someone.
Yes, using something like AzureKeyVault is probably preferable. If you have detailed, up-to-date instructions on how to set this up, please share them.