Verify signatures of real signed vsixs (#8556)

Author: JoeRobich

.vscode/dneng-schema.json renamed to .vscode/dnceng-schema.json

@@ -114,9 +114,11 @@ stages:
           - output: pipelineArtifact
             path: $(Build.SourcesDirectory)/Packages
             artifact: Packages
+            condition: always()
           - output: pipelineArtifact
             path: $(Build.SourcesDirectory)/out/logs
             artifact: SigningLogs
+            condition: always()
     steps:
     - checkout: self
       clean: true
@@ -134,9 +136,9 @@ stages:
         versionSpec: 3.11
 
     # Non-windows signing requires .NET 8 installed on the machine.
-    - task: UseDotNet@2  
-      displayName: Use .NET Core sdk 8.0.x  
-      inputs:  
+    - task: UseDotNet@2
+      displayName: Use .NET Core sdk 8.0.x
+      inputs:
         version: 8.0.x
 
     # If we're in an official build, install the signing plugin
@@ -181,6 +183,12 @@ stages:
         SourceFolder: '$(Build.SourcesDirectory)/vsix'
         TargetFolder: '$(Build.SourcesDirectory)/Packages/VSIX_$(channel)'
 
+    - ${{ if eq(parameters.isOfficial, true) }}:
+      - script: gulp verifyVsix
+        condition: and( succeeded(), eq('$(SignType)', 'Real'))
+        displayName: 🔑 Verify VSIX Signature Files
+        workingDirectory: '$(Build.SourcesDirectory)/Packages/VSIX_$(channel)'
+
     - ${{ if ne(parameters.isOfficial, true) }}:
       - task: PublishPipelineArtifact@1
         condition: succeeded()

azure-pipelines/build-vsix.yml

@@ -8,6 +8,7 @@ import * as fs from 'fs';
 import * as gulp from 'gulp';
 import { rootPath } from './projectPaths';
 import path from 'path';
+import { verifySignature } from './vsceTasks';
 // There are no typings for this library.
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 //const argv = require('yargs').argv;
@@ -20,6 +21,10 @@ gulp.task('signVsix', async () => {
     await signVsix();
 });
 
+gulp.task('verifyVsix', async () => {
+    await verifyVsix();
+});
+
 // Development task to install the signing plugin locally.
 // Required to run test sigining tasks locally.
 gulp.task('installSignPlugin', async () => {
@@ -43,7 +48,7 @@ async function signJs(): Promise<void> {
     const logPath = getLogPath();
     const signType = process.env.SignType;
     if (!signType) {
-        console.warn('SignType environment variable is not set, skipping JS signing');
+        console.warn('SignType environment variable is not set, skipping JS signing.');
         return;
     }
 
@@ -64,7 +69,7 @@ async function signVsix(): Promise<void> {
     const logPath = getLogPath();
     const signType = process.env.SignType;
     if (!signType) {
-        console.warn('SignType environment variable is not set, skipping VSIX signing');
+        console.warn('SignType environment variable is not set, skipping VSIX signing.');
         return;
     }
 
@@ -80,6 +85,25 @@ async function signVsix(): Promise<void> {
     ]);
 }
 
+async function verifyVsix(): Promise<void> {
+    const signType = process.env.SignType;
+    if (!signType) {
+        console.warn('SignType environment variable is not set, skipping VSIX verification.');
+        return;
+    }
+
+    if (signType.toLowerCase() !== 'real') {
+        console.log('Signing verification is only supported for real signing. Skipping VSIX verification.');
+        return;
+    }
+
+    const vsixs = fs.readdirSync('.').filter((file) => path.extname(file) === '.vsix');
+    for (const vsixFile in vsixs) {
+        console.log(`Verifying signature of ${vsixFile}`);
+        await verifySignature(vsixFile);
+    }
+}
+
 function getLogPath(): string {
     const logPath = path.join(rootPath, 'out', 'logs');
     if (!fs.existsSync(logPath)) {

tasks/signingTasks.ts

@@ -10,6 +10,7 @@ export default async function spawnNode(args?: string[], options?: SpawnSyncOpti
     if (!options) {
         options = {
             env: {},
+            stdio: 'inherit',
         };
     }
 
@@ -20,12 +21,12 @@ export default async function spawnNode(args?: string[], options?: SpawnSyncOpti
             ...process.env,
             ...options.env,
         },
-        stdio: 'inherit',
+        stdio: options.stdio ?? 'inherit',
     };
 
     console.log(`starting ${nodePath} ${args ? args.join(' ') : ''}`);
 
     const buffer = spawnSync(nodePath, args, optionsWithFullEnvironment);
 
-    return { code: buffer.status, signal: buffer.signal };
+    return { code: buffer.status, signal: buffer.signal, stdout: buffer.stdout };
 }

tasks/spawnNode.ts

@@ -82,3 +82,38 @@ export async function generateVsixManifest(vsixPath: string) {
         throw new Error(`'${vsceArgs.join(' ')}' failed with code ${spawnResult.code}.`);
     }
 }
+
+export async function verifySignature(vsixPath: string) {
+    const vsceArgs = [];
+    if (!(await util.fileExists(vscePath))) {
+        throw new Error(`vsce does not exist at expected location: '${vscePath}'`);
+    }
+
+    vsceArgs.push(vscePath);
+    vsceArgs.push('verify-signature');
+    vsceArgs.push('--packagePath');
+    vsceArgs.push(vsixPath);
+
+    const parsed = path.parse(vsixPath);
+    const outputFolder = parsed.dir;
+    const vsixNameWithoutExtension = parsed.name;
+
+    vsceArgs.push('--manifestPath');
+    vsceArgs.push(path.join(outputFolder, `${vsixNameWithoutExtension}.manifest`));
+
+    vsceArgs.push('--signaturePath');
+    vsceArgs.push(path.join(outputFolder, `${vsixNameWithoutExtension}.signature.p7s`));
+
+    const spawnResult = await spawnNode(vsceArgs, { stdio: 'pipe' });
+    if (spawnResult.code != 0) {
+        throw new Error(`'${vsceArgs.join(' ')}' failed with code ${spawnResult.code}.`);
+    } else if (spawnResult.stdout != 'Signature verification result: Success') {
+        // This is a brittle check but the command does not return a non-zero exit code for failed validation.
+        // Opened https://github.com/microsoft/vscode-vsce/issues/1192 to track this.
+
+        console.log(spawnResult.stdout);
+        throw new Error(`Signature verification failed - '${vsceArgs.join(' ')}'.`);
+    }
+
+    console.log(`Signature verification succeeded for ${vsixPath}`);
+}