Support signed extensions

[vazexqi]

What is the story around signing VS Code extensions? I see that the vsce tool can package and publish .vsix files but there doesn't appear to be an option to sign them. I believe that .vsix files can be signed (https://docs.microsoft.com/en-us/visualstudio/extensibility/signing-vsix-packages).

What options do we have if we want to have stricter validation of the .vsix packages that we distribute and that our users install?

[vazexqi]

FWIW, it appears that I can use the VSIXSignTool and the .vsix is verified when I run vsixsigntool.exe \verify. The signed .vsix can be installed and runs in VS Code. However, when I install the the .vsix from VS Code there is neither indication or verification that the .vsix is signed.

[joaomoreno]

No current support. It's a happy case that VS Code actually manages to installed a signed vsix. 👍

[vazexqi]

I'll monitor this issue. Let us know when you are working on it from the backlog and we will be happy to try it out.

For now, what we will do is provide a SHA256 of the .vsix on our product's page. That way, anyone can follow the steps at https://code.visualstudio.com/docs/editor/extension-gallery#_common-questions to manually download the .vsix and verify the checksums before installing them.

We have tried this with a small example and confirmed that the .vsix is not modified during upload, storage or download from the VS Code Marketplace.

[WinuxNomacs]

Sorely necessary. Visual Studio has had this for years now, including express. Lack of signature verification appears to be a significant oversight. Especially when Microsoft's own plugins (for example LiveShare) can't even be signed for their own editor. But then I guess they're fairly used to letting the world's computer population get pwned by malware and issuing a worthless "sorry, we f'd up again" ¯_(ツ)_/¯

[luispDesktop]

We were looking for VSCode to support signing validation as Visual Studio does as they both produce .vsix files.

[tony--]

+1

[tr4nc3]

Is this being planned anytime soon? This should be table steaks for a company like Microsoft that's a leader in security.