You can now leverage Sign CLI for a more secure, modern way to sign your Visual Studio extensions. Signing your VSIX packages improves security, prevents tampering, and builds trust with your users. This integration makes it easier and more convenient to sign your packages than ever before!
Sign CLI replaces the older VSIXSignTool with a modern, general purpose sign tool that’s actively maintained and kept up to date with the latest security standards. It supports cloud and local signing from a variety of sources and can also fit seamlessly into your CI pipeline for easy integration. Continue reading to learn how to enhance your extension publishing workflow by using Sign CLI!
Obtain a code signing certificate
To sign your VSIX, you’ll need a valid EV or standard certificate from a public certificate authority that utilizes SHA 256, SHA 384, or SHA 512 digest algorithms. Windows supports certificates from many popular certificate authorities, such as Certum, Comodo, DigiCert, GlobalSign, SSL.com, and more.
For a full list of trusted partners, please see https://aka.ms/TrustCertPartners.
Get ready to sign your extensions
To start using Sign CLI to sign your extension packages, you’ll first need to install it. It’s available as a dotnet tool on the nuget.org Gallery. To install, open Visual Studio’s integrated terminal using View > Terminal (or use the Ctrl+` shortcut), then use the commands below. Note that if you’re working outside of Visual Studio, you can access the Developer PowerShell by selecting Start in Windows then typing in “developer PowerShell”.
Install Sign CLI
The Sign tool is still a prerelease version, so you’ll need to include the `–prerelease` flag when you install to get the latest:
dotnet tool install sign --prerelease --global
To install a specific version, visit the versions tab on the Sign CLI page on nuget.org to find the version you’re interested in and use the following syntax:
dotnet tool install sign --global --version <version>
Offline installation
In the event you’re working in an isolated environment, you can download the Sign CLI NuGet package you want and install it using:
dotnet tool install --global --version <version> --add-source <path to folder> sign
Sign your VSIX using Sign CLI
Sign CLI supports cloud signing with Azure Key Vault or local signing using certificates and private keys stored in:
- PFX/P7B/CER files
- The Windows Certificate Manager
- A USB device with access to a Cryptographic Service Provider (CSP)
Once installed, you can use Sign CLI from a Visual Studio’s integrated terminal (View > Terminal).
For example, to sign a VSIX using a PFX file with a certificate and a private key, use a command like the following:
sign code certificate-store -cfp <SHA-256 fingerprint> -cf "D:\Certs\my.pfx" -d "VSIX Signature" -u "http://timestamp.acs.microsoft.com/" "C:\Users\Contoso\Downloads\FingerSnapper2022.vsix"
Or to sign a VSIX using the Microsoft Certificate Manager:
sign code certificate-store -cfp <SHA-256 fingerprint> -d "VSIX Signature" -u "http://timestamp.acs.microsoft.com/" "C:\Users\Contoso\Downloads\FingerSnapper2022.vsix"
For more detailed instructions, please visit our Signing VSIX Packages article where you can also find a breakdown of all of the command-line options for Sign.
Let us know what you think
As you use Sign CLI to sign your extensions, please use the Issues tracker on the Sign CLI GitHub repo to report any issues or bugs you experience. If you want to provide general feedback on extension signing or to suggest additional features, please create a feedback ticket at the Visual Studio Developer Community.
We’re excited to hear from you!