Merge pull request #986 from microsoft/sandy081/sign

enable signing in vsce using script
microsoft · Jun 3, 2024 · f8acdd9 · f8acdd9
2 parents fd9a262 + ac401b7
commit f8acdd9
Show file tree

Hide file tree

Showing 5 changed files with 241 additions and 4 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -39,6 +39,7 @@
 	},
 	"dependencies": {
 		"@azure/identity": "^4.1.0",
+		"@vscode/vsce-sign": "^2.0.0",
 		"azure-devops-node-api": "^12.5.0",
 		"chalk": "^2.4.2",
 		"cheerio": "^1.0.0-rc.9",

diff --git a/src/main.ts b/src/main.ts
@@ -117,6 +117,7 @@ module.exports = function (argv: string[]): void {
 		.option('--allow-star-activation', 'Allow using * in activation events')
 		.option('--allow-missing-repository', 'Allow missing a repository URL in package.json')
 		.option('--skip-license', 'Allow packaging without license file')
+		.option('--sign-tool', 'Path to the VSIX signing tool. Will be invoked with two arguments: `SIGNTOOL <path/to/extension.signature.manifest> <path/to/extension.signature.p7s>`.')
 		.action(
 			(
 				version,
@@ -143,6 +144,7 @@ module.exports = function (argv: string[]): void {
 					allowStarActivation,
 					allowMissingRepository,
 					skipLicense,
+					signTool,
 				}
 			) =>
 				main(
@@ -170,6 +172,7 @@ module.exports = function (argv: string[]): void {
 						allowStarActivation,
 						allowMissingRepository,
 						skipLicense,
+						signTool,
 					})
 				)
 		);
@@ -195,6 +198,7 @@ module.exports = function (argv: string[]): void {
 		.option('--no-update-package-json', 'Do not update `package.json`. Valid only when [version] is provided.')
 		.option('-i, --packagePath <paths...>', 'Publish the provided VSIX packages.')
 		.option('--sigzipPath <paths...>', 'Signature archives to publish alongside the VSIX packages.')
+		.option('--sign-tool', 'Path to the VSIX signing tool. Will be invoked with two arguments: `SIGNTOOL <path/to/extension.signature.manifest> <path/to/extension.signature.p7s>`. This will be ignored if --sigzipPath is provided.')
 		.option(
 			'--githubBranch <branch>',
 			'The GitHub branch used to infer relative links in README.md. Can be overridden by --baseContentUrl and --baseImagesUrl.'
@@ -249,6 +253,7 @@ module.exports = function (argv: string[]): void {
 					allowMissingRepository,
 					skipDuplicate,
 					skipLicense,
+					signTool,
 				}
 			) =>
 				main(
@@ -280,6 +285,7 @@ module.exports = function (argv: string[]): void {
 						allowMissingRepository,
 						skipDuplicate,
 						skipLicense,
+						signTool
 					})
 				)
 		);

diff --git a/src/package.ts b/src/package.ts
@@ -24,6 +24,7 @@ import { detectYarn, getDependencies } from './npm';
 import * as GitHost from 'hosted-git-info';
 import parseSemver from 'parse-semver';
 import * as jsonc from 'jsonc-parser';
+import { generateManifest, zip } from '@vscode/vsce-sign';
 
 const MinimatchOptions: minimatch.IOptions = { dot: true };
 
@@ -151,6 +152,8 @@ export interface IPackageOptions {
 	readonly allowStarActivation?: boolean;
 	readonly allowMissingRepository?: boolean;
 	readonly skipLicense?: boolean;
+
+	readonly signTool?: string;
 }
 
 export interface IProcessor {
@@ -1840,6 +1843,23 @@ export async function pack(options: IPackageOptions = {}): Promise<IPackageResul
 	return { manifest, packagePath, files };
 }
 
+export async function signPackage(packageFile: string, signScript: string): Promise<string> {
+	const packageFolder = path.dirname(packageFile);
+	const packageName = path.basename(packageFile, '.vsix');
+	const manifestFile = path.join(packageFolder, `${packageName}.signature.manifest`);
+	const signatureFile = path.join(packageFolder, `${packageName}.signature.p7s`);
+	const signatureZip = path.join(packageFolder, `${packageName}.signature.zip`);
+
+	// Generate the signature manifest file
+	await generateManifest(packageFile, manifestFile);
+
+	// Sign the manifest file to generate the signature file
+	cp.spawnSync(signScript, [manifestFile,  signatureFile], { stdio: 'inherit' });
+
+	// Create a signature zip file containing the manifest and signature file
+	return zip(manifestFile, signatureFile, signatureZip);
+}
+
 export async function packageCommand(options: IPackageOptions = {}): Promise<any> {
 	const cwd = options.cwd || process.cwd();
 	const manifest = await readManifest(cwd);
@@ -1849,6 +1869,11 @@ export async function packageCommand(options: IPackageOptions = {}): Promise<any
 	await versionBump(options);
 
 	const { packagePath, files } = await pack(options);
+
+	if (options.signTool) {
+		await signPackage(packagePath, options.signTool);
+	}
+
 	const stats = await fs.promises.stat(packagePath);
 
 	let size = 0;

diff --git a/src/publish.ts b/src/publish.ts
@@ -2,7 +2,7 @@ import * as fs from 'fs';
 import { promisify } from 'util';
 import * as semver from 'semver';
 import { ExtensionQueryFlags, PublishedExtension } from 'azure-devops-node-api/interfaces/GalleryInterfaces';
-import { pack, readManifest, versionBump, prepublish } from './package';
+import { pack, readManifest, versionBump, prepublish, signPackage } from './package';
 import * as tmp from 'tmp';
 import { IVerifyPatOptions, getPublisher } from './store';
 import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest, getAzureCredentialAccessToken } from './util';
@@ -76,6 +76,7 @@ export interface IPublishOptions {
 	readonly skipLicense?: boolean;
 
 	readonly sigzipPath?: string[];
+	readonly signTool?: string;
 }
 
 export async function publish(options: IPublishOptions = {}): Promise<any> {
@@ -117,7 +118,13 @@ export async function publish(options: IPublishOptions = {}): Promise<any> {
 
 			validateMarketplaceRequirements(vsix.manifest, options);
 
-			await _publish(packagePath, options.sigzipPath?.[index], vsix.manifest, { ...options, target });
+			let sigzipPath = options.sigzipPath?.[index];
+			if (!sigzipPath && options.signTool) {
+				sigzipPath = await signPackage(packagePath, options.signTool);
+			}
+
+
+			await _publish(packagePath, sigzipPath, vsix.manifest, { ...options, target });
 		}
 	} else {
 		const cwd = options.cwd || process.cwd();
@@ -134,12 +141,14 @@ export async function publish(options: IPublishOptions = {}): Promise<any> {
 			for (const target of options.targets) {
 				const packagePath = await tmpName();
 				const packageResult = await pack({ ...options, target, packagePath });
-				await _publish(packagePath, undefined, packageResult.manifest, { ...options, target });
+				const sigzipPath = options.signTool ? await signPackage(packagePath, options.signTool) : undefined;
+				await _publish(packagePath, sigzipPath, packageResult.manifest, { ...options, target });
 			}
 		} else {
 			const packagePath = await tmpName();
 			const packageResult = await pack({ ...options, packagePath });
-			await _publish(packagePath, undefined, packageResult.manifest, options);
+			const sigzipPath = options.signTool ? await signPackage(packagePath, options.signTool) : undefined;
+			await _publish(packagePath, sigzipPath, packageResult.manifest, options);
 		}
 	}
 }