An open-source implementation of VsixSignTool.
Switch branches/tags
Clone or download
Latest commit 5857ee3 Dec 1, 2018


Build Status

OpenOpcSignTool ("OOST") is an open-source implemention of VsixSignTool to digitally sign VSIX packages on any platform, with additional "OPC" package signing options to come.

It offers a number of benefits, such as easily using certificates from hardware tokens, HSMs, Azure Key Vault, etc by allowing any certificate from the Certificate Store to be used instead of a PFX.


Using .NET Core 2.1 or later:

dotnet tool install -g OpenVsixSignTool

Alternatively, it can be built by itself


Using OOST is fairly simple. An example:

OpenVsixSignTool sign --sha1 7213125958254779abbaa5033a12fecdf2c7cdc8 --timestamp -ta sha256 -fd sha256 myvsix.vsix

This signs the VSIX using a certificate in the certificate store using the SHA1 thumbprint, and uses a SHA256 file digest and SHA256 timestamp digest algorithm.

For more information about usage, use OpenVsixSignTool sign --help for more information.

Core Library

This repository is broken out into two projects.

Core Signing Library

The core library performs the signing functionality and offers a .NET API for programmatically signing a VSIX file. A sample for signing and timestamping with an X509Certificate2 would look like this:

X509Certificate2 certificate = default; // Use a real instance of an X509Certificate2 with a private key
var configuration = new SignConfigurationSet(
using (var package = OpcPackage.Open(@"C:\path\to\file.vsix", OpcPackageFileMode.ReadWrite))
	var builder = package.CreateSignatureBuilder();
	var signature = builder.Sign(configuration);
	// Apply a timestamp
	var timestampBuilder = signature.CreateTimestampBuilder();
	var result = await timestampBuilder.SignAsync(new Uri(""), HashAlgorithmName.SHA256);
	if (result != TimestampResult.Success)
		throw new InvalidOperationException("Failed to timestamp the signature.");

You can also use Azure Key Vault to sign a VSIX when using the RSAKeyVault NuGet package. Since the SignConfigurationSet accepts a private key that is distinct from the certificate, the private key can be any implementation of RSA or ECDsa that are properly implemented.

CLI Tool

The command line tool uses the core library to offer CLI usage of the core library. It uses RSAKeyVault to achieve signing with AzureKeyVault.

Known Issues

See the list of bugs in GitHub for known bugs.