July 29th, 2024

Sign VSIX packages with Sign CLI

You can now leverage Sign CLI for a more secure, modern way to sign your Visual Studio extensions. Signing your VSIX packages improves security, prevents tampering, and builds trust with your users. This integration makes it easier and more convenient to sign your packages than ever before!

Screenshot of the VSIX Installer with the digital signature highlighted.

Sign CLI replaces the older VSIXSignTool with a modern, general purpose sign tool that’s actively maintained and kept up to date with the latest security standards. It supports cloud and local signing from a variety of sources and can also fit seamlessly into your CI pipeline for easy integration. Continue reading to learn how to enhance your extension publishing workflow by using Sign CLI!

Obtain a code signing certificate

To sign your VSIX, you’ll need a valid EV or standard code signing certificate from a public certificate authority, issued with the SHA-256, SHA-384, or SHA-512 digest algorithm. Windows trusts certificates from many popular certificate authorities, such as Certum, Comodo, DigiCert, GlobalSign, SSL.com, and more.

For a full list of trusted partners, please see https://aka.ms/TrustCertPartners.

Get ready to sign your extensions

To start using Sign CLI to sign your extension packages, you’ll first need to install it. It’s available as a dotnet tool on the nuget.org Gallery. To install, open Visual Studio’s integrated terminal using View > Terminal (or use the Ctrl+` shortcut), then use the commands below. Note that if you’re working outside of Visual Studio, you can access the Developer PowerShell by selecting Start in Windows then typing in “developer PowerShell”.

Install Sign CLI

Sign CLI is still a prerelease version, so you’ll need to include the `--prerelease` flag when you install to get the latest:

dotnet tool install sign --prerelease --global

To install a specific version, visit the versions tab on the Sign CLI page on nuget.org to find the version you’re interested in and use the following syntax:

dotnet tool install sign --global --version <version>

Offline installation

In the event you’re working in an isolated environment, you can download the Sign CLI NuGet package you want and install it using:

dotnet tool install --global --version <version> --add-source <path to folder> sign

Sign your VSIX using Sign CLI

Sign CLI supports cloud signing with Azure Key Vault or local signing using certificates and private keys stored in:

Once installed, you can use Sign CLI from Visual Studio’s integrated terminal (View > Terminal).

For example, to sign a VSIX using a PFX file with a certificate and a private key, use a command like the following:

sign code certificate-store -cfp <SHA-256 fingerprint> -cf "D:\Certs\my.pfx" -d "VSIX Signature" -u "http://timestamp.acs.microsoft.com/" "C:\Users\Contoso\Downloads\FingerSnapper2022.vsix"

Or to sign a VSIX using the Microsoft Certificate Manager:

sign code certificate-store -cfp <SHA-256 fingerprint> -d "VSIX Signature" -u "http://timestamp.acs.microsoft.com/" "C:\Users\Contoso\Downloads\FingerSnapper2022.vsix"

For more detailed instructions, please visit our Signing VSIX Packages article where you can also find a breakdown of all of the command-line options for Sign.
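The install and signing steps above, put together as one script you can drop into a build pipeline. This is an added example written for this post; it is not code from the original article or from the Sign CLI project. It pins Sign CLI to one version instead of floating on `--prerelease`, signs with the same certificate-store options shown above, and then performs a check the post does not show: it opens the signed VSIX (an OPC zip package), looks for the signature part under `package/services/digital-signature/`, and confirms that the certificate embedded in that signature has the SHA-256 fingerprint you expected. The file paths, the `SIGN_CERT_FINGERPRINT` environment variable and the `<version>` placeholder are assumptions you would replace with your own values.

```powershell
# Added example (not from the original post or the Sign CLI project): install a
# pinned Sign CLI, sign one VSIX from a PFX, then verify the package carries an
# OPC signature made by the expected certificate.
# Hypothetical values: paths, SIGN_CERT_FINGERPRINT and the version placeholder.
param(
    [string]$VsixPath    = "C:\Users\Contoso\Downloads\FingerSnapper2022.vsix",
    [string]$PfxPath     = "D:\Certs\my.pfx",
    [string]$Fingerprint = $env:SIGN_CERT_FINGERPRINT,   # SHA-256 thumbprint, hex
    [string]$SignVersion = "<version>"                    # pick one from nuget.org
)

$ErrorActionPreference = "Stop"

if ([string]::IsNullOrWhiteSpace($Fingerprint)) {
    throw "Set SIGN_CERT_FINGERPRINT to the SHA-256 fingerprint of the signing certificate."
}
if (-not (Test-Path $VsixPath)) { throw "VSIX not found: $VsixPath" }

# 1. Install Sign CLI once, pinned to an explicit version (an explicit prerelease
#    version string does not need --prerelease).
if (-not (dotnet tool list --global | Select-String -Pattern '^sign\s' -Quiet)) {
    dotnet tool install sign --global --version $SignVersion
    if ($LASTEXITCODE -ne 0) { throw "dotnet tool install failed ($LASTEXITCODE)" }
}

# 2. Sign with the certificate-store provider, same options as the post.
sign code certificate-store -cfp $Fingerprint -cf $PfxPath -d "VSIX Signature" `
    -u "http://timestamp.acs.microsoft.com/" $VsixPath
if ($LASTEXITCODE -ne 0) { throw "sign failed ($LASTEXITCODE)" }

# 3. Post-check: a VSIX is an OPC (zip) package. OPC XML signatures live under
#    package/services/digital-signature/xml-signature/ and carry the signer's
#    certificate as base64 DER inside <X509Certificate> (XML-DSig namespace).
Add-Type -AssemblyName System.IO.Compression.FileSystem
$expected = ($Fingerprint -replace "[^0-9A-Fa-f]", "").ToUpperInvariant()
$dsigNs   = "http://www.w3.org/2000/09/xmldsig#"
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$zip      = [System.IO.Compression.ZipFile]::OpenRead($VsixPath)
try {
    $sigParts = $zip.Entries | Where-Object {
        $_.FullName -like "package/services/digital-signature/xml-signature/*"
    }
    if (-not $sigParts) { throw "No OPC signature part found in $VsixPath" }

    $found = $false
    foreach ($part in $sigParts) {
        $reader = New-Object System.IO.StreamReader($part.Open())
        try { [xml]$sigXml = $reader.ReadToEnd() } finally { $reader.Dispose() }

        foreach ($node in $sigXml.GetElementsByTagName("X509Certificate", $dsigNs)) {
            # Thumbprint = SHA-256 over the DER-encoded certificate.
            $der = [Convert]::FromBase64String($node.InnerText)
            $hex = ($sha256.ComputeHash($der) | ForEach-Object { $_.ToString("X2") }) -join ""
            if ($hex -eq $expected) { $found = $true }
        }
    }
    if (-not $found) { throw "Signature present, but not made by certificate $expected" }
    Write-Host "OK: $VsixPath is signed by certificate $expected"
}
finally {
    $zip.Dispose()
    $sha256.Dispose()
}
```

The post-check is deliberately narrow: it confirms that a signature part exists and that the certificate inside it is the one you intended, which catches a build agent that silently picked a different certificate from its store. It does not recompute the XML-DSig digests, so a non-zero exit from `sign` and the VSIX Installer’s own signature validation remain the authoritative checks.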

Let us know what you think

As you use Sign CLI to sign your extensions, please use the Issues tracker on the Sign CLI GitHub repo to report any issues or bugs you experience. If you want to provide general feedback on extension signing or to suggest additional features, please create a feedback ticket at the Visual Studio Developer Community.

We’re excited to hear from you!

Author

Maia Kelner
Senior Program Manager
Dominic Nahous
Senior Lead Program Manager

Dominic is a Senior Lead Program Manager for Visual Studio and Visual Studio for Mac. His team focuses on ensuring a delightful experience for developers on both Windows and Mac.