microsoft / vscode-vsce

VS Code Extension Manager
https://code.visualstudio.com/

Support signed extensions #191

Open vazexqi opened 7 years ago

vazexqi commented 7 years ago

What is the story around signing VS Code extensions? I see that the vsce tool can package and publish .vsix files but there doesn't appear to be an option to sign them. I believe that .vsix files can be signed (https://docs.microsoft.com/en-us/visualstudio/extensibility/signing-vsix-packages).

What options do we have if we want to have stricter validation of the .vsix packages that we distribute and that our users install?

vazexqi commented 7 years ago

FWIW, it appears that I can use the VSIXSignTool and the .vsix is verified when I run vsixsigntool.exe \verify. The signed .vsix can be installed and runs in VS Code. However, when I install the .vsix from VS Code there is neither indication nor verification that the .vsix is signed.

joaomoreno commented 7 years ago

No current support. It's a happy case that VS Code actually manages to install a signed vsix. 👍

vazexqi commented 7 years ago

I'll monitor this issue. Let us know when you are working on it from the backlog and we will be happy to try it out.

For now, what we will do is provide a SHA256 of the .vsix on our product's page. That way, anyone can follow the steps at https://code.visualstudio.com/docs/editor/extension-gallery#_common-questions to manually download the .vsix and verify the checksums before installing them.

We have tried this with a small example and confirmed that the .vsix is not modified during upload, storage or download from the VS Code Marketplace.
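As an added example (not code from this thread or from vsce), this is the checksum check the comment above describes for an offline-distributed .vsix: it assumes the vendor posts a hex SHA-256 on its product page and the user has the downloaded file, and the sample package is constructed in a temporary directory.

```python
import hashlib
import hmac
import tempfile
import zipfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large .vsix is never loaded whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_vsix_checksum(path: Path, published_sha256: str) -> bool:
    """Compare the downloaded file's digest with the hash the vendor published (constant-time)."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, published_sha256.strip().lower())

def build_sample_vsix(dest: Path, tampered: bool = False) -> Path:
    """Constructed stand-in for an extension package: a .vsix is a zip archive with a
    manifest and the extension files. Fixed timestamps keep the archive reproducible."""
    entries = {
        "extension.vsixmanifest": "<PackageManifest/>",  # placeholder manifest
        "extension/package.json": '{"name":"sample","publisher":"example"}',
        "extension/extension.js": "module.exports.activate = () => {};",
    }
    if tampered:  # simulates a package altered somewhere between vendor and user
        entries["extension/extension.js"] += "\n// injected after publication"
    with zipfile.ZipFile(dest, "w") as z:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return dest

def demo() -> dict:
    """Vendor publishes the hash of the real package; the user checks a download against it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_sample_vsix(Path(tmp) / "sample.vsix")
        published = sha256_file(good)  # the value a vendor would post on its product page
        bad = build_sample_vsix(Path(tmp) / "sample-modified.vsix", tampered=True)
        return {
            "good": verify_vsix_checksum(good, published),
            "tampered": verify_vsix_checksum(bad, published),
            "case_insensitive": verify_vsix_checksum(good, published.upper()),
        }

if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the download equals the file whose hash the vendor posted; since anyone can publish a hash, it does not establish who built the package, which is what a signature would add.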

WinuxNomacs commented 6 years ago

Sorely necessary. Visual Studio has had this for years now, including express. Lack of signature verification appears to be a significant oversight. Especially when Microsoft's own plugins (for example LiveShare) can't even be signed for their own editor. But then I guess they're fairly used to letting the world's computer population get pwned by malware and issuing a worthless "sorry, we f'd up again" ¯\_(ツ)_/¯

luispDesktop commented 5 years ago

We were looking for VSCode to support signing validation as Visual Studio does as they both produce .vsix files.

tony-- commented 4 years ago

+1

tr4nc3 commented 4 years ago

Is this being planned anytime soon? This should be table stakes for a company like Microsoft that's a leader in security.

yankunhuang-pku commented 4 years ago

Excuse me, do we support this feature now?

lppedd commented 2 months ago

vsce seems to offer a --sign-tool option now. Haven't seen any documentation or blog post about it tho.

sandy081 commented 2 months ago

We are working on allowing signing extensions and it is still in progress. We will provide all details and documentation once we finalise on it. Thanks.

anandbibek commented 6 days ago

Is there any progress or official word on this feature? I see FAQ at https://code.visualstudio.com/docs/editor/extension-gallery#_common-questions mentions that marketplace extensions are signed and verified. How does it apply to standalone offline distributed extensions?