Support signed extensions #191
Comments
|
FWIW, it appears that I can use the VSIXSignTool and the .vsix is verified when I run vsixsigntool.exe \verify. The signed .vsix can be installed and runs in VS Code. However, when I install the the .vsix from VS Code there is neither indication or verification that the .vsix is signed. |
joaomoreno
changed the title
|
No current support. It's a happy case that VS Code actually manages to installed a signed vsix. 👍 |
|
I'll monitor this issue. Let us know when you are working on it from the backlog and we will be happy to try it out. For now, what we will do is provide a SHA256 of the .vsix on our product's page. That way, anyone can follow the steps at https://code.visualstudio.com/docs/editor/extension-gallery#_common-questions to manually download the .vsix and verify the checksums before installing them. We have tried this with a small example and confirmed that the .vsix is not modified during upload, storage or download from the VS Code Marketplace. |
* Simplify command invocations are npm scripts * Add shortcuts for running these commands from VS Code * Use shx to run scripts in platform-agnostic manner * Add scripts to help with packaging and publishing of .vsix * Add instructions on how to publish * Clarify how to run on Windows @W-4162004@
|
Sorely necessary. Visual Studio has had this for years now, including express. Lack of signature verification appears to be a significant oversight. Especially when Microsoft's own plugins (for example LiveShare) can't even be signed for their own editor. But then I guess they're fairly used to letting the world's computer population get pwned by malware and issuing a worthless "sorry, we f'd up again" ¯_(ツ)_/¯ |
joaomoreno
added
feature-request
|
We were looking for VSCode to support signing validation as Visual Studio does as they both produce .vsix files. |
|
+1 |
|
Is this being planned anytime soon? This should be table steaks for a company like Microsoft that's a leader in security. |
|
Excuse me, do we support this feature now? |
What is the story around signing VS Code extensions? I see that the
vscetool can package and publish .vsix files but there doesn't appear to be an option to sign them. I believe that .vsix files can be signed (https://docs.microsoft.com/en-us/visualstudio/extensibility/signing-vsix-packages).What options do we have if we want to have stricter validation of the .vsix packages that we distribute and that our users install?
The text was updated successfully, but these errors were encountered: