coder / code-marketplace

Open source extension marketplace for VS Code.
GNU Affero General Public License v3.0
222 stars 22 forks source link

All extensions show as unsigned by the Extension Marketplace preventing auto installation in VSCode 1.9.4+ #65

Open angrycub opened 6 days ago

angrycub commented 6 days ago

Problem Statement

It seems that VS Code 1.94+ is not compatible with extensions hosted in the code-marketplace. They all have this signature warning (Screenshot 1) which prevents them from being installed in the standard way i.e. blue Install button, or automatically if you’ve enabled auto updates. You can still install via the cog wheel if you proceed passed the warning (Screenshots 2 & 3).

🖥️ Screenshots **Screenshot 1** screenshot 1 **Screenshot 2** screenshot 2 **Screenshot 3** screenshot 3

Potentially related issues

janLo commented 2 days ago

We've experienced the very same issue. The signature seems not to be contained in the actual VSXI package. Instead, the extensionquery-API provides it as a separate asset for a given version.

Our solution is to download it separately (we have a mirroring mechanism which uses the extensionquery-API to fetch the version information of the extensions and passes new version assets to code-marketplace add) and put it manually next to the extension in our Artifactory repository. The reverse proxy in front of the marketplace then mangles the manifest response via embedded Lua to inject the signature asset in the response.

This way, VS Code can download the signature and stops complaining.

code-asher commented 1 day ago

Bringing over my notes from https://github.com/coder/code-marketplace/issues/67:

I think we will need to implement https://github.com/filiptronicek/node-ovsx-sign in Go. We generate what we need when an extension is added, or on demand for existing extensions for backwards compatibility.

This should also allow adding your own signatures since it will only generate if one does not already exist.