
Signature verification failed when installing or updating extension in code

[Open] sandr01d opened this issue 6 months ago • 4 comments

When trying to install any extension from the Open VSX registry using the open source build of VSCode from the Arch Linux repository, the process fails with the following error message:

Signature verification failed with 'UnhandledException' error.

This does not happen when installing extensions from Microsoft's registry. There is an issue regarding this in the Arch Linux issue tracker, but the maintainer is not sure whether this is an issue in code or OpenVSX, hoping somebody here can shed some light on this.

For reference, there was also an issue created on the VSCode upstream repository.

sandr01d avatar May 23 '25 18:05 sandr01d

This seems to be a behaviour change in newer VSCode versions that use PKCS7 signatures.

For example, considering the signature packages of the same extension from both OpenVSX and Microsoft:

  • https://lextudio.gallery.vsassets.io/_apis/public/gallery/publisher/lextudio/extension/restructuredtext/190.4.10/assetbyname/Microsoft.VisualStudio.Services.VsixSignature
  • https://openvsxorg.blob.core.windows.net/resources/lextudio/restructuredtext/190.4.10/lextudio.restructuredtext-190.4.10.sigzip

For completeness, here is an example output of the new vsce-sign tool when running on OpenVSX's signature file:

/usr/lib/code/node_modules/@vscode/vsce-sign/bin/vsce-sign verify --package ~'/.config/Code - OSS/CachedExtensionVSIXs/ziglang.vscode-zig-0.6.10-universal' --signaturearchive ~'/.config/Code - OSS/CachedExtensionVSIXs/ziglang.vscode-zig-0.6.10-universal.sigzip' --verbose
Package file size:  570225
Signature archive file size:  1227
Manifest file size:  1446
Signature file size:  0
Manifest file hash:  1RbuQlE3v5TUR+fcWSsMl7iaKvJrOH60CCrl5qwG+UM=
Signature file hash:  47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
Package file hash:  OYz/J1kBCOfLXL8KiwARuzPhH+vK9r3D1S7BfV4Rlt8=
System.Security.Cryptography.CryptographicException: Cryptography_Der_Invalid_Encoding
 ---> System.Formats.Asn1.AsnContentException: ContentException_InvalidTag
   at System.Formats.Asn1.Asn1Tag.Decode(ReadOnlySpan`1, Int32& )
   at System.Formats.Asn1.AsnDecoder.ReadTagAndLength(ReadOnlySpan`1, AsnEncodingRules, Nullable`1& , Int32& )
   at System.Formats.Asn1.AsnDecoder.ReadSequence(ReadOnlySpan`1, AsnEncodingRules, Int32& , Int32& , Int32& , Nullable`1 )
   at System.Formats.Asn1.AsnValueReader.ReadSequence(Nullable`1 )
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.DecodeCore(AsnValueReader&, Asn1Tag, ReadOnlyMemory`1, ContentInfoAsn& )
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader&, Asn1Tag, ReadOnlyMemory`1, ContentInfoAsn& )
   Exception_EndOfInnerExceptionStack
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader&, Asn1Tag, ReadOnlyMemory`1, ContentInfoAsn& )
   at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader&, ReadOnlyMemory`1, ContentInfoAsn& )
   at System.Security.Cryptography.Pkcs.SignedCms.<Decode>g__CopyContent|26_0(ReadOnlySpan`1)
   at System.Security.Cryptography.Pkcs.SignedCms.Decode(ReadOnlySpan`1)
   at System.Security.Cryptography.Pkcs.SignedCms.Decode(Byte[])
   at Microsoft.VisualStudio.Extensions.Signing.SignedData.DecodeAsync(Stream, Stream)
   at Microsoft.VisualStudio.Extensions.Signing.ExtensionPackage.VerifyAsync(VerifyOptions, CancellationToken)
   at Microsoft.VisualStudio.Extensions.Signing.CLI.Program.VerifyAsync(FileInfo packageFile, FileInfo manifestFile, FileInfo signatureFile, FileInfo signatureArchiveFile, Func`2 additionalPolicyFactory, Boolean isPpe, Boolean verifyEntries, Boolean requireMicrosoftPublisherSignature, Boolean requireNoExtraneousEntries, Boolean requireOnlyPublisherSignatureAndTimestamp, Boolean requirePublisherCertificateBeTimeValid, Boolean requireRevocationStatus, Boolean requireVsMpRepositoryPrimarySignatureOrCountersignature, Boolean verbose)
   at Microsoft.VisualStudio.Extensions.Signing.CLI.Program.MainAsync(String[])
   at Microsoft.VisualStudio.Extensions.Signing.CLI.Program.Main(String[])

liushuyu avatar Jun 01 '25 15:06 liushuyu
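The trace above ends in `SignedCms.Decode` with `Cryptography_Der_Invalid_Encoding`, and the verbose output shows why: the signature entry in the OpenVSX archive is 0 bytes, so there is no DER SEQUENCE for the PKCS#7 decoder to read. The script below is an added example, not code from this thread, from vsce-sign or from node-ovsx-sign; it reproduces that condition on a constructed `.sigzip` and reports what a CMS decoder would see before the opaque "UnhandledException" surfaces. It assumes the archive holds a manifest entry ending in `.manifest` and a signature entry ending in `.p7s` (both entry names and the sample manifest content are constructed), and it only decodes the outer `ContentInfo` header, not the signature itself.

```python
"""Triage helper for VS Code extension signature archives (.sigzip).

Added example, not part of the issue thread and not vsce-sign or
node-ovsx-sign code. It reproduces the failing condition seen in the thread
(a signature entry of size 0) and explains why a PKCS#7/CMS decoder rejects
the bytes. Assumed layout: one entry ending in ".manifest" and one ending in
".p7s"; the entry names used below are constructed.
"""
import io
import zipfile

CMS_SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # id-signedData (PKCS#7 / CMS)


def _read_der_length(data: bytes, pos: int):
    """Decode a DER length starting at data[pos]; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("invalid DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                     # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_signature(data: bytes) -> dict:
    """Report what a CMS decoder would find in the signature bytes.

    ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] ... }
    An empty file fails at the very first tag, which is exactly the
    "InvalidTag" inner exception shown in the vsce-sign trace.
    """
    if not data:
        return {"status": "empty", "content_type": None}
    if data[0] != 0x30:                    # DER SEQUENCE tag
        return {"status": "not-der-sequence", "content_type": None}
    try:
        length, pos = _read_der_length(data, 1)
    except (ValueError, IndexError):
        return {"status": "bad-der-length", "content_type": None}
    if pos + length != len(data):
        return {"status": "der-length-mismatch", "content_type": None}
    if pos >= len(data) or data[pos] != 0x06:  # OBJECT IDENTIFIER tag
        return {"status": "no-content-type-oid", "content_type": None}
    try:
        oid_len, oid_pos = _read_der_length(data, pos + 1)
        oid = _decode_oid(data[oid_pos:oid_pos + oid_len])
    except (ValueError, IndexError):
        return {"status": "bad-content-type-oid", "content_type": None}
    status = "cms-signed-data" if oid == CMS_SIGNED_DATA_OID else "cms-other-content"
    return {"status": status, "content_type": oid}


def inspect_sigzip(archive: bytes) -> dict:
    """Entry sizes plus the DER status of the signature entry of one .sigzip."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        manifest = [n for n in zf.namelist() if n.endswith(".manifest")]
        sig = [n for n in zf.namelist() if n.endswith(".p7s")]
        report = {
            "manifest_size": zf.getinfo(manifest[0]).file_size if manifest else None,
            "signature_size": zf.getinfo(sig[0]).file_size if sig else None,
        }
        sig_bytes = zf.read(sig[0]) if sig else b""
    report.update(classify_signature(sig_bytes))
    return report


def build_sample_sigzip(signature: bytes) -> bytes:
    """Constructed sample archive: a small manifest plus the given signature bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(".signature.manifest", '{"package": {"size": 570225}}')
        zf.writestr(".signature.p7s", signature)
    return buf.getvalue()


# Constructed inputs: an empty signature (the thread's "Signature file size: 0")
# and a bare ContentInfo header carrying id-signedData. The header is not a
# real signature; it only shows what the decoder expects at the start.
EMPTY_SIGNATURE = b""
SIGNED_DATA_HEADER = bytes.fromhex("300b06092a864886f70d010702")

if __name__ == "__main__":
    for label, sig in (("empty", EMPTY_SIGNATURE), ("signedData header", SIGNED_DATA_HEADER)):
        print(label, inspect_sigzip(build_sample_sigzip(sig)))
```

Running it prints `empty` for the first archive and `cms-signed-data` with content type `1.2.840.113549.1.7.2` for the second; on a real archive you would pass the file bytes to `inspect_sigzip` and expect the second result before handing it to a PKCS#7 verifier.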

Does the Arch Linux build use the node-ovsx-sign package for verifying Open VSX signatures?

amvanbaren avatar Jun 01 '25 18:06 amvanbaren

> Does the Arch Linux build use the node-ovsx-sign package for verifying Open VSX signatures?

I don't think so: https://gitlab.archlinux.org/archlinux/packaging/packages/code/-/blob/main/PKGBUILD?ref_type=heads#L74. Maybe they should make the switch.

liushuyu avatar Jun 02 '25 02:06 liushuyu

@liushuyu Yes or use VSCodium: https://github.com/VSCodium/vscodium?tab=readme-ov-file#install-on-arch-linux

amvanbaren avatar Jun 02 '25 08:06 amvanbaren

Arch Linux added a patch to use node-ovsx-sign after your feedback and things are working again. Thank you for your help @amvanbaren!

sandr01d avatar Jul 12 '25 00:07 sandr01d