How to Digitally Sign VSIX Files Using eSigner CKA

Securing your VSIX package with a digital signature enhances its security and deters unauthorized modifications. When installing, the VSIX installer shows the digital signature and provides a link to the certificate. Any unauthorized changes to the VSIX content, without a corresponding update to the digital signature, will prompt the installer to alert the user about a compromised package signature.

eSigner CKA (Cloud Key Adapter) is a Windows application that utilizes the CNG (KSP Key Service Provider) interface to enable tools like certutil.exe and signtool.exe to access the eSigner Cloud Signature Consortium (CSC) API for enterprise code signing tasks. Functioning as a virtual USB token, it loads code signing certificates directly into the Windows certificate store.

Requirements

  1. Purchase an SSL.com Code Signing Certificate or Extended Validation (EV) Code Signing Certificate
  2. Enroll your code signing certificate in eSigner
  3. Download and install eSigner CKA

Steps to Sign

  1. Download the .NET Core SDK: https://dotnet.microsoft.com/en-us/download/dotnet/7.0
  2. Install OpenVsixSignTool
    dotnet tool install -g OpenVsixSignTool
  3. Use this sign command:
    OpenVsixSignTool sign --sha1 CERTIFICATE THUMBPRINT --timestamp http://ts.ssl.com -ta sha256 -fd sha256 "SIGNABLE FILE PATH"
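
The sign command needs the certificate thumbprint, which can be read from the Windows certificate store that eSigner CKA populates. The PowerShell script below is an added example, not SSL.com's or OpenVsixSignTool's own code: it looks up the thumbprint, runs the sign command from step 3, and confirms that signature parts were written into the package. It assumes the certificate is in the current user's personal store (Cert:\CurrentUser\My); the parameter names are hypothetical.

```powershell
param(
    [Parameter(Mandatory)] [string] $VsixPath,        # the "SIGNABLE FILE PATH" from step 3
    [string] $StorePath = 'Cert:\CurrentUser\My'      # assumption: store where eSigner CKA loaded the certificate
)
$ErrorActionPreference = 'Stop'

# Code signing certificates that are inside their validity period right now.
$now = Get-Date
$candidates = @(Get-ChildItem -Path $StorePath -CodeSigningCert |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })

if ($candidates.Count -eq 0) {
    throw "No valid code signing certificate found in $StorePath. Is eSigner CKA logged in?"
}
if ($candidates.Count -gt 1) {
    # Refuse to guess: signing with the wrong identity is worse than not signing.
    $candidates | Format-Table Subject, Thumbprint, NotAfter | Out-String | Write-Host
    throw "More than one code signing certificate found; pass the intended thumbprint to the sign command by hand."
}
$thumbprint = $candidates[0].Thumbprint
Write-Host "Signing with $($candidates[0].Subject) [$thumbprint]"

# Same command as step 3, with the looked-up thumbprint filled in.
$fullPath = (Resolve-Path -Path $VsixPath).Path
& OpenVsixSignTool sign --sha1 $thumbprint --timestamp http://ts.ssl.com -ta sha256 -fd sha256 $fullPath
if ($LASTEXITCODE -ne 0) {
    throw "OpenVsixSignTool exited with code $LASTEXITCODE"
}

# A VSIX is an OPC (ZIP) package; its signature is stored as parts under
# package/services/digital-signature/. This only confirms the parts exist.
# The VSIX installer still performs the actual signature validation.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
try {
    $sigParts = @($zip.Entries |
        Where-Object { $_.FullName -like 'package/services/digital-signature/*' })
}
finally {
    $zip.Dispose()
}
if ($sigParts.Count -eq 0) {
    throw "No digital signature parts found in $fullPath"
}
Write-Host "Signature parts present:"
$sigParts | ForEach-Object { Write-Host "  $($_.FullName)" }
```
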

If you have questions related to PKI and digital certificates, please contact us by email at Support@SSL.com, call 1-SSL-Certificate (1-775-237-8434), or simply click the chat button at the bottom right of this page. As always, thank you for choosing SSL.com!