An open-source implementation of VsixSignTool. That only works for HLKX files

monrapps/OpenOpcSignTool


This is a fork of https://github.com/vcsjones/OpenOpcSignTool, ported to sign HLKX files using Azure Key Vault. The usage is the same as OOST's, and the resulting packages are accepted for submission at Microsoft Partner Center.

OpenOpcSignTool


OpenOpcSignTool ("OOST") is an open-source implementation of VsixSignTool to digitally sign VSIX packages on any platform, with additional "OPC" package signing options to come.

It offers a number of benefits, such as easily using certificates from hardware tokens, HSMs, Azure Key Vault, etc., by allowing any certificate from the Certificate Store to be used instead of a PFX file.

Using

Using OOST is fairly simple. An example:

OpenVsixSignTool sign --sha1 7213125958254779abbaa5033a12fecdf2c7cdc8 --timestamp http://timestamp.digicert.com -ta sha256 -fd sha256 myvsix.vsix

This signs the VSIX using a certificate in the certificate store using the SHA1 thumbprint, and uses a SHA256 file digest and SHA256 timestamp digest algorithm.

For more information about usage, run OpenVsixSignTool sign --help.

Core Library

This repository is broken out into two projects.

Core Signing Library

The core library performs the signing functionality and offers a .NET API for programmatically signing a VSIX file. A sample for signing and timestamping with an X509Certificate2 would look like this:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using OpenVsixSignTool.Core; // namespace of the core signing library (assumed)

// Note: this snippet uses await, so it has to run inside an async method.
X509Certificate2 certificate = default; // Use a real instance of an X509Certificate2 with a private key
// The two digest algorithms (both SHA-256 here), the signing key, and the certificate
// whose public half will be embedded in the signature.
var configuration = new SignConfigurationSet(
	HashAlgorithmName.SHA256,
	HashAlgorithmName.SHA256,
	certificate.GetRSAPrivateKey(),
	certificate);
using (var package = OpcPackage.Open(@"C:\path\to\file.vsix", OpcPackageFileMode.ReadWrite))
{
	var builder = package.CreateSignatureBuilder();
	// Queue the standard set of VSIX parts to be signed.
	builder.EnqueueNamedPreset<VSIXSignatureBuilderPreset>();
	var signature = builder.Sign(configuration);
	// Apply a timestamp so the signature stays valid after the certificate expires.
	var timestampBuilder = signature.CreateTimestampBuilder();
	var result = await timestampBuilder.SignAsync(new Uri("http://timestamp.digicert.com"), HashAlgorithmName.SHA256);
	if (result != TimestampResult.Success)
	{
		throw new InvalidOperationException("Failed to timestamp the signature.");
	}
}
certificate.Dispose();

You can also use Azure Key Vault to sign a VSIX when using the RSAKeyVault NuGet package. Since the SignConfigurationSet accepts a private key that is distinct from the certificate, the private key can be any correct implementation of RSA or ECDsa.
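The point above, that the signing key handed to SignConfigurationSet need not be the one attached to the certificate, is what makes HSM- and Key Vault-backed keys possible. The following added example (not code from the OpenOpcSignTool or OpenOpcSignTool repositories) shows a minimal RSA subclass that behaves the way such a hardware-backed key does: it delegates signing to an inner key, refuses to export private material, and only signs SHA-256 digests with PKCS#1 v1.5 or PSS padding. It then feeds that key, together with a certificate carrying only the public half, to the signing flow exactly as shown on this page. It assumes the core types live in the OpenVsixSignTool.Core namespace and that the SignConfigurationSet constructor takes the four arguments in the order shown above; the self-signed certificate is constructed test material.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using OpenVsixSignTool.Core; // assumed namespace of the core signing library

// Stand-in for an HSM/Key Vault key: signing is delegated, private material never leaves the object.
public sealed class NonExportableRsa : RSA
{
    private readonly RSA _inner;

    public NonExportableRsa(RSA inner)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        KeySizeValue = inner.KeySize; // KeySizeValue avoids the LegalKeySizes check the KeySize setter performs
    }

    private static HashAlgorithm CreateHash(HashAlgorithmName name) =>
        name == HashAlgorithmName.SHA256
            ? SHA256.Create()
            : throw new CryptographicException($"Refusing to use {name.Name}; only SHA-256 is permitted.");

    // RSA.SignData() routes through HashData(); restrict it to SHA-256 as well.
    protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm)
    {
        using var hash = CreateHash(hashAlgorithm);
        return hash.ComputeHash(data, offset, count);
    }

    protected override byte[] HashData(Stream data, HashAlgorithmName hashAlgorithm)
    {
        using var hash = CreateHash(hashAlgorithm);
        return hash.ComputeHash(data);
    }

    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        if (hashAlgorithm != HashAlgorithmName.SHA256)
            throw new CryptographicException($"Refusing to sign a {hashAlgorithm.Name} digest; only SHA-256 is permitted.");
        if (padding != RSASignaturePadding.Pkcs1 && padding != RSASignaturePadding.Pss)
            throw new CryptographicException("Unsupported RSA signature padding.");
        return _inner.SignHash(hash, hashAlgorithm, padding);
    }

    public override bool VerifyHash(byte[] hash, byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
        => _inner.VerifyHash(hash, signature, hashAlgorithm, padding);

    public override RSAParameters ExportParameters(bool includePrivateParameters)
    {
        if (includePrivateParameters)
            throw new CryptographicException("Private key material is not exportable.");
        return _inner.ExportParameters(false);
    }

    public override void ImportParameters(RSAParameters parameters)
        => throw new NotSupportedException("Key material is fixed for the lifetime of this object.");

    protected override void Dispose(bool disposing)
    {
        if (disposing) _inner.Dispose();
        base.Dispose(disposing);
    }
}

public static class Program
{
    public static async Task<int> Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: <path-to-package.vsix>");
            return 2;
        }

        // Constructed test material: a throwaway key and self-signed certificate. In production the
        // key lives in the HSM/Key Vault and only the certificate (public half) is loaded here.
        var rawKey = RSA.Create(3072);
        var request = new CertificateRequest("CN=OOST example signer", rawKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var withPrivateKey = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        using var certificate = new X509Certificate2(withPrivateKey.Export(X509ContentType.Cert)); // public half only

        using var signingKey = new NonExportableRsa(rawKey); // wrapper owns and disposes rawKey
        try { signingKey.ExportParameters(true); Console.Error.WriteLine("wrapper leaked private key"); return 1; }
        catch (CryptographicException) { /* expected: export refused */ }

        var configuration = new SignConfigurationSet(HashAlgorithmName.SHA256, HashAlgorithmName.SHA256, signingKey, certificate);
        using (var package = OpcPackage.Open(args[0], OpcPackageFileMode.ReadWrite))
        {
            var builder = package.CreateSignatureBuilder();
            builder.EnqueueNamedPreset<VSIXSignatureBuilderPreset>();
            var signature = builder.Sign(configuration);
            var result = await signature.CreateTimestampBuilder().SignAsync(new Uri("http://timestamp.digicert.com"), HashAlgorithmName.SHA256);
            if (result != TimestampResult.Success)
            {
                Console.Error.WriteLine("Failed to timestamp the signature.");
                return 1;
            }
        }
        Console.WriteLine("Signed and timestamped.");
        return 0;
    }
}
```

Run it as `dotnet run -- path\to\package.vsix` from a project that references the core library. Swapping the inner RSA for an RSAKeyVault instance keeps everything else unchanged, which is the property the paragraph above describes; the export check at the start is the kind of assertion worth keeping in a signing service so a configuration change can never silently fall back to an exportable software key.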

CLI Tool

The command line tool wraps the core library and exposes its functionality on the command line. It uses RSAKeyVault to sign with keys held in Azure Key Vault.

Known Issues

See the list of bugs in GitHub for known bugs.

Languages

  • C# 99.3%
  • PowerShell 0.7%