Verify signatures of real signed vsixs

Author: JoeRobich

.vscode/dneng-schema.json renamed to .vscode/dnceng-schema.json

@@ -134,9 +134,9 @@ stages:
         versionSpec: 3.11
 
     # Non-windows signing requires .NET 8 installed on the machine.
-    - task: UseDotNet@2  
-      displayName: Use .NET Core sdk 8.0.x  
-      inputs:  
+    - task: UseDotNet@2
+      displayName: Use .NET Core sdk 8.0.x
+      inputs:
         version: 8.0.x
 
     # If we're in an official build, install the signing plugin
@@ -176,6 +176,12 @@ stages:
           SignType: $(signType)
           SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 
+    - ${{ if eq(parameters.isOfficial, true) }}:
+      - script: gulp verifyVsix
+        condition: and( succeeded(), eq('$(SignType)', 'Real'))
+        displayName: 🔑 Verify VSIX Signature Files
+        workingDirectory: '$(Build.SourcesDirectory)/vsix'
+
     - task: CopyFiles@2
       inputs:
         SourceFolder: '$(Build.SourcesDirectory)/vsix'

azure-pipelines/build-vsix.yml

@@ -8,6 +8,7 @@ import * as fs from 'fs';
 import * as gulp from 'gulp';
 import { rootPath } from './projectPaths';
 import path from 'path';
+import { verifySignature } from './vsceTasks';
 // There are no typings for this library.
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 //const argv = require('yargs').argv;
@@ -20,6 +21,10 @@ gulp.task('signVsix', async () => {
     await signVsix();
 });
 
+gulp.task('verifyVsix', async () => {
+    await verifyVsix();
+});
+
 // Development task to install the signing plugin locally.
 // Required to run test sigining tasks locally.
 gulp.task('installSignPlugin', async () => {
@@ -43,7 +48,7 @@ async function signJs(): Promise<void> {
     const logPath = getLogPath();
     const signType = process.env.SignType;
     if (!signType) {
-        console.warn('SignType environment variable is not set, skipping JS signing');
+        console.warn('SignType environment variable is not set, skipping JS signing.');
         return;
     }
 
@@ -64,7 +69,7 @@ async function signVsix(): Promise<void> {
     const logPath = getLogPath();
     const signType = process.env.SignType;
     if (!signType) {
-        console.warn('SignType environment variable is not set, skipping VSIX signing');
+        console.warn('SignType environment variable is not set, skipping VSIX signing.');
         return;
     }
 
@@ -80,6 +85,25 @@ async function signVsix(): Promise<void> {
     ]);
 }
 
+async function verifyVsix(): Promise<void> {
+    const signType = process.env.SignType;
+    if (!signType) {
+        console.warn('SignType environment variable is not set, skipping VSIX verification.');
+        return;
+    }
+
+    if (signType === 'test') {
+        console.log('Test signing verification is not supported. Skipping VSIX verification.');
+        return;
+    }
+
+    const vsixs = fs.readdirSync('.').filter((file) => path.extname(file) === '.vsix');
+    for (const vsixFile in vsixs) {
+        console.log(`Verifying signature of ${vsixFile}`);
+        await verifySignature(vsixFile);
+    }
+}
+
 function getLogPath(): string {
     const logPath = path.join(rootPath, 'out', 'logs');
     if (!fs.existsSync(logPath)) {

tasks/signingTasks.ts

@@ -27,5 +27,29 @@ export default async function spawnNode(args?: string[], options?: SpawnSyncOpti
 
     const buffer = spawnSync(nodePath, args, optionsWithFullEnvironment);
 
-    return { code: buffer.status, signal: buffer.signal };
+    return { code: buffer.status, signal: buffer.signal, stdout: buffer.stdout };
+}
+
+export async function spawnNodeWithOutput(args?: string[], options?: SpawnSyncOptions) {
+    if (!options) {
+        options = {
+            env: {},
+        };
+    }
+
+    const optionsWithFullEnvironment: SpawnSyncOptions = {
+        cwd: rootPath,
+        ...options,
+        env: {
+            ...process.env,
+            ...options.env,
+        },
+        stdio: 'pipe',
+    };
+
+    console.log(`starting ${nodePath} ${args ? args.join(' ') : ''}`);
+
+    const buffer = spawnSync(nodePath, args, optionsWithFullEnvironment);
+
+    return { code: buffer.status, signal: buffer.signal, stdout: buffer.stdout };
 }

tasks/spawnNode.ts

@@ -6,7 +6,7 @@
 import * as path from 'path';
 import * as util from '../src/common';
 import * as fs from 'fs';
-import spawnNode from '../tasks/spawnNode';
+import spawnNode, { spawnNodeWithOutput } from '../tasks/spawnNode';
 import { vscePath } from './projectPaths';
 
 /// Packaging (VSIX) Tasks
@@ -82,3 +82,35 @@ export async function generateVsixManifest(vsixPath: string) {
         throw new Error(`'${vsceArgs.join(' ')}' failed with code ${spawnResult.code}.`);
     }
 }
+
+export async function verifySignature(vsixPath: string) {
+    const vsceArgs = [];
+    if (!(await util.fileExists(vscePath))) {
+        throw new Error(`vsce does not exist at expected location: '${vscePath}'`);
+    }
+
+    vsceArgs.push(vscePath);
+    vsceArgs.push('verify-signature');
+    vsceArgs.push('--packagePath');
+    vsceArgs.push(vsixPath);
+
+    const parsed = path.parse(vsixPath);
+    const outputFolder = parsed.dir;
+    const vsixNameWithoutExtension = parsed.name;
+
+    vsceArgs.push('--manifestPath');
+    vsceArgs.push(path.join(outputFolder, `${vsixNameWithoutExtension}.manifest`));
+
+    vsceArgs.push('--signaturePath');
+    vsceArgs.push(path.join(outputFolder, `${vsixNameWithoutExtension}.signature.p7s`));
+
+    const spawnResult = await spawnNodeWithOutput(vsceArgs);
+    if (spawnResult.code != 0) {
+        throw new Error(`'${vsceArgs.join(' ')}' failed with code ${spawnResult.code}.`);
+    } else if (spawnResult.stdout != 'Signature verification result: Success') {
+        console.log(spawnResult.stdout);
+        throw new Error(`Signature verification failed - '${vsceArgs.join(' ')}'.`);
+    }
+
+    console.log(`Signature verification succeeded for ${vsixPath}`);
+}