Add extension signature verification service

Author: dtivel

src/vs/code/electron-browser/sharedProcess/sharedProcessMain.ts

@@ -32,6 +32,7 @@ import { SharedProcessEnvironmentService } from 'vs/platform/sharedProcess/node/
 import { GlobalExtensionEnablementService } from 'vs/platform/extensionManagement/common/extensionEnablementService';
 import { ExtensionGalleryService } from 'vs/platform/extensionManagement/common/extensionGalleryService';
 import { IExtensionGalleryService, IExtensionManagementService, IExtensionTipsService, IGlobalExtensionEnablementService } from 'vs/platform/extensionManagement/common/extensionManagement';
+import { ExtensionSignatureVerificationService, IExtensionSignatureVerificationService } from 'vs/platform/extensionManagement/node/extensionSignatureVerificationService';
 import { ExtensionManagementChannel, ExtensionTipsChannel } from 'vs/platform/extensionManagement/common/extensionManagementIpc';
 import { ExtensionTipsService } from 'vs/platform/extensionManagement/electron-sandbox/extensionTipsService';
 import { ExtensionManagementService, INativeServerExtensionManagementService } from 'vs/platform/extensionManagement/node/extensionManagementService';
@@ -313,6 +314,7 @@ class SharedProcessMain extends Disposable {
 		// Extension Management
 		services.set(IExtensionsProfileScannerService, new SyncDescriptor(ExtensionsProfileScannerService, undefined, true));
 		services.set(IExtensionsScannerService, new SyncDescriptor(ExtensionsScannerService, undefined, true));
+		services.set(IExtensionSignatureVerificationService, new SyncDescriptor(ExtensionSignatureVerificationService));
 		services.set(INativeServerExtensionManagementService, new SyncDescriptor(ExtensionManagementService, undefined, true));
 
 		// Extension Gallery

src/vs/code/node/cliProcessMain.ts

@@ -24,6 +24,7 @@ import { INativeEnvironmentService } from 'vs/platform/environment/common/enviro
 import { NativeEnvironmentService } from 'vs/platform/environment/node/environmentService';
 import { ExtensionGalleryServiceWithNoStorageService } from 'vs/platform/extensionManagement/common/extensionGalleryService';
 import { IExtensionGalleryService, InstallOptions } from 'vs/platform/extensionManagement/common/extensionManagement';
+import { ExtensionSignatureVerificationService, IExtensionSignatureVerificationService } from 'vs/platform/extensionManagement/node/extensionSignatureVerificationService';
 import { ExtensionManagementCLI } from 'vs/platform/extensionManagement/common/extensionManagementCLI';
 import { ExtensionsProfileScannerService, IExtensionsProfileScannerService } from 'vs/platform/extensionManagement/common/extensionsProfileScannerService';
 import { IExtensionsScannerService } from 'vs/platform/extensionManagement/common/extensionsScannerService';
@@ -181,6 +182,7 @@ class CliMain extends Disposable {
 		// Extensions
 		services.set(IExtensionsProfileScannerService, new SyncDescriptor(ExtensionsProfileScannerService, undefined, true));
 		services.set(IExtensionsScannerService, new SyncDescriptor(ExtensionsScannerService, undefined, true));
+		services.set(IExtensionSignatureVerificationService, new SyncDescriptor(ExtensionSignatureVerificationService));
 		services.set(INativeServerExtensionManagementService, new SyncDescriptor(ExtensionManagementService, undefined, true));
 		services.set(IExtensionGalleryService, new SyncDescriptor(ExtensionGalleryServiceWithNoStorageService, undefined, true));
 

src/vs/platform/extensionManagement/common/abstractExtensionManagementService.ts

@@ -28,6 +28,7 @@ export interface IInstallExtensionTask {
 	readonly identifier: IExtensionIdentifier;
 	readonly source: IGalleryExtension | URI;
 	readonly operation: InstallOperation;
+	wasVerified?: boolean;
 	run(): Promise<{ local: ILocalExtension; metadata: Metadata }>;
 	waitUntilTaskIsFinished(): Promise<{ local: ILocalExtension; metadata: Metadata }>;
 	cancel(): void;
@@ -243,6 +244,7 @@ export abstract class AbstractExtensionManagementService extends Disposable impl
 							const durationSinceUpdate = isUpdate ? undefined : (new Date().getTime() - task.source.lastUpdated) / 1000;
 							reportTelemetry(this.telemetryService, isUpdate ? 'extensionGallery:update' : 'extensionGallery:install', {
 								extensionData: getGalleryExtensionTelemetryData(task.source),
+								wasVerified: task.wasVerified,
 								duration: new Date().getTime() - startTime,
 								durationSinceUpdate
 							});
@@ -256,7 +258,12 @@ export abstract class AbstractExtensionManagementService extends Disposable impl
 						installResults.push({ local, identifier: task.identifier, operation: task.operation, source: task.source, context: options.context, profileLocation: options.profileLocation, applicationScoped: local.isApplicationScoped });
 					} catch (error) {
 						if (!URI.isUri(task.source)) {
-							reportTelemetry(this.telemetryService, task.operation === InstallOperation.Update ? 'extensionGallery:update' : 'extensionGallery:install', { extensionData: getGalleryExtensionTelemetryData(task.source), duration: new Date().getTime() - startTime, error });
+							reportTelemetry(this.telemetryService, task.operation === InstallOperation.Update ? 'extensionGallery:update' : 'extensionGallery:install', {
+								extensionData: getGalleryExtensionTelemetryData(task.source),
+								wasVerified: task.wasVerified,
+								duration: new Date().getTime() - startTime,
+								error
+							});
 						}
 						this.logService.error('Error while installing the extension:', task.identifier.id);
 						throw error;
@@ -693,16 +700,32 @@ function toExtensionManagementError(error: Error): ExtensionManagementError {
 	return e;
 }
 
-export function reportTelemetry(telemetryService: ITelemetryService, eventName: string, { extensionData, duration, error, durationSinceUpdate }: { extensionData: any; duration?: number; durationSinceUpdate?: number; error?: Error }): void {
-	const errorcode = error ? error instanceof ExtensionManagementError ? error.code : ExtensionManagementErrorCode.Internal : undefined;
+export function reportTelemetry(telemetryService: ITelemetryService, eventName: string, { extensionData, wasVerified, duration, error, durationSinceUpdate }: { extensionData: any; wasVerified?: boolean; duration?: number; durationSinceUpdate?: number; error?: Error }): void {
+	let errorcode: ExtensionManagementErrorCode | undefined;
+	let errorcodeDetail: string | undefined;
+
+	if (error) {
+		if (error instanceof ExtensionManagementError) {
+			errorcode = error.code;
+
+			if (error.code === ExtensionManagementErrorCode.Signature) {
+				errorcodeDetail = error.message;
+			}
+		} else {
+			errorcode = ExtensionManagementErrorCode.Internal;
+		}
+	}
+
 	/* __GDPR__
 		"extensionGallery:install" : {
 			"owner": "sandy081",
 			"success": { "classification": "SystemMetaData", "purpose": "PerformanceAndHealth", "isMeasurement": true },
 			"duration" : { "classification": "SystemMetaData", "purpose": "PerformanceAndHealth", "isMeasurement": true },
 			"durationSinceUpdate" : { "classification": "SystemMetaData", "purpose": "FeatureInsight", "isMeasurement": true },
 			"errorcode": { "classification": "CallstackOrException", "purpose": "PerformanceAndHealth" },
+			"errorcodeDetail": { "classification": "CallstackOrException", "purpose": "PerformanceAndHealth" },
 			"recommendationReason": { "retiredFromVersion": "1.23.0", "classification": "SystemMetaData", "purpose": "FeatureInsight", "isMeasurement": true },
+			"wasVerified" : { "classification": "SystemMetaData", "purpose": "FeatureInsight" },
 			"${include}": [
 				"${GalleryExtensionTelemetryData}"
 			]
@@ -725,12 +748,14 @@ export function reportTelemetry(telemetryService: ITelemetryService, eventName:
 			"success": { "classification": "SystemMetaData", "purpose": "PerformanceAndHealth", "isMeasurement": true },
 			"duration" : { "classification": "SystemMetaData", "purpose": "PerformanceAndHealth", "isMeasurement": true },
 			"errorcode": { "classification": "CallstackOrException", "purpose": "PerformanceAndHealth" },
+			"errorcodeDetail": { "classification": "CallstackOrException", "purpose": "PerformanceAndHealth" },
+			"wasVerified" : { "classification": "SystemMetaData", "purpose": "FeatureInsight" },
 			"${include}": [
 				"${GalleryExtensionTelemetryData}"
 			]
 		}
 	*/
-	telemetryService.publicLog(eventName, { ...extensionData, success: !error, duration, errorcode, durationSinceUpdate });
+	telemetryService.publicLog(eventName, { ...extensionData, wasVerified, success: !error, duration, errorcode, errorcodeDetail, durationSinceUpdate });
 }
 
 export abstract class AbstractExtensionTask<T> {

src/vs/platform/extensionManagement/common/extensionGalleryService.ts

@@ -193,7 +193,8 @@ const AssetType = {
 	Manifest: 'Microsoft.VisualStudio.Code.Manifest',
 	VSIX: 'Microsoft.VisualStudio.Services.VSIXPackage',
 	License: 'Microsoft.VisualStudio.Services.Content.License',
-	Repository: 'Microsoft.VisualStudio.Services.Links.Source'
+	Repository: 'Microsoft.VisualStudio.Services.Links.Source',
+	Signature: 'Microsoft.VisualStudio.Services.VsixSignature'
 };
 
 const PropertyType = {
@@ -505,7 +506,8 @@ function toExtension(galleryExtension: IRawGalleryExtension, version: IRawGaller
 		repository: getRepositoryAsset(version),
 		download: getDownloadAsset(version),
 		icon: getVersionAsset(version, AssetType.Icon),
-		coreTranslations: getCoreTranslationAssets(version)
+		signature: getVersionAsset(version, AssetType.Signature),
+		coreTranslations: getCoreTranslationAssets(version),
 	};
 
 	return {
@@ -542,6 +544,7 @@ function toExtension(galleryExtension: IRawGalleryExtension, version: IRawGaller
 		hasPreReleaseVersion: isPreReleaseVersion(latestVersion),
 		hasReleaseVersion: true,
 		preview: getIsPreview(galleryExtension.flags),
+		isSigned: !!assets.signature
 	};
 }
 
@@ -1031,6 +1034,17 @@ abstract class AbstractExtensionGalleryService implements IExtensionGalleryServi
 		log(new Date().getTime() - startTime);
 	}
 
+	async downloadSignatureArchive(extension: IGalleryExtension, location: URI): Promise<void> {
+		if (!extension.assets.signature) {
+			return;
+		}
+
+		this.logService.trace('ExtensionGalleryService#downloadSignatureArchive', extension.identifier.id);
+
+		const context = await this.getAsset(extension.assets.signature);
+		await this.fileService.writeFile(location, context.stream);
+	}
+
 	async getReadme(extension: IGalleryExtension, token: CancellationToken): Promise<string> {
 		if (extension.assets.readme) {
 			const context = await this.getAsset(extension.assets.readme, {}, token);

src/vs/platform/extensionManagement/common/extensionManagement.ts

@@ -178,6 +178,7 @@ export interface IGalleryExtensionAssets {
 	repository: IGalleryExtensionAsset | null;
 	download: IGalleryExtensionAsset;
 	icon: IGalleryExtensionAsset | null;
+	signature: IGalleryExtensionAsset | null;
 	coreTranslations: [string, IGalleryExtensionAsset][];
 }
 
@@ -224,6 +225,7 @@ export interface IGalleryExtension {
 	preview: boolean;
 	hasPreReleaseVersion: boolean;
 	hasReleaseVersion: boolean;
+	isSigned: boolean;
 	allTargetPlatforms: TargetPlatform[];
 	assets: IGalleryExtensionAssets;
 	properties: IGalleryExtensionProperties;
@@ -335,6 +337,7 @@ export interface IExtensionGalleryService {
 	getCompatibleExtension(extension: IGalleryExtension, includePreRelease: boolean, targetPlatform: TargetPlatform): Promise<IGalleryExtension | null>;
 	getAllCompatibleVersions(extension: IGalleryExtension, includePreRelease: boolean, targetPlatform: TargetPlatform): Promise<IGalleryExtensionVersion[]>;
 	download(extension: IGalleryExtension, location: URI, operation: InstallOperation): Promise<void>;
+	downloadSignatureArchive(extension: IGalleryExtension, location: URI): Promise<void>;
 	reportStatistic(publisher: string, name: string, version: string, type: StatisticType): Promise<void>;
 	getReadme(extension: IGalleryExtension, token: CancellationToken): Promise<string>;
 	getManifest(extension: IGalleryExtension, token: CancellationToken): Promise<IExtensionManifest | null>;
@@ -390,6 +393,7 @@ export enum ExtensionManagementErrorCode {
 	CorruptZip = 'CorruptZip',
 	IncompleteZip = 'IncompleteZip',
 	Internal = 'Internal',
+	Signature = 'Signature'
 }
 
 export class ExtensionManagementError extends Error {

src/vs/platform/extensionManagement/common/extensionManagementUtil.ts

@@ -125,6 +125,7 @@ export function getLocalExtensionTelemetryData(extension: ILocalExtension): any
 		"publisherDisplayName": { "classification": "SystemMetaData", "purpose": "FeatureInsight" },
 		"isPreReleaseVersion": { "classification": "SystemMetaData", "purpose": "FeatureInsight" },
 		"dependencies": { "classification": "SystemMetaData", "purpose": "FeatureInsight", "isMeasurement": true },
+		"isSigned": { "classification": "SystemMetaData", "purpose": "FeatureInsight" },
 		"${include}": [
 			"${GalleryExtensionTelemetryData2}"
 		]
@@ -140,6 +141,7 @@ export function getGalleryExtensionTelemetryData(extension: IGalleryExtension):
 		publisherDisplayName: extension.publisherDisplayName,
 		isPreReleaseVersion: extension.properties.isPreReleaseVersion,
 		dependencies: !!(extension.properties.dependencies && extension.properties.dependencies.length > 0),
+		isSigned: extension.isSigned,
 		...extension.telemetryData
 	};
 }

src/vs/platform/extensionManagement/node/extensionDownloader.ts

@@ -5,7 +5,7 @@
 
 import { Promises } from 'vs/base/common/async';
 import { getErrorMessage } from 'vs/base/common/errors';
-import { Disposable } from 'vs/base/common/lifecycle';
+import { Disposable, IDisposable } from 'vs/base/common/lifecycle';
 import { isWindows } from 'vs/base/common/platform';
 import { joinPath } from 'vs/base/common/resources';
 import * as semver from 'vs/base/common/semver/semver';
@@ -18,12 +18,19 @@ import { ExtensionKey, groupByExtension } from 'vs/platform/extensionManagement/
 import { IFileService, IFileStatWithMetadata } from 'vs/platform/files/common/files';
 import { ILogService } from 'vs/platform/log/common/log';
 
-export class ExtensionsDownloader extends Disposable {
+export interface IExtensionsDownloader extends IDisposable {
+	delete(location: URI): Promise<void>;
+	downloadExtension(extension: IGalleryExtension, operation: InstallOperation): Promise<{ extensionLocation: URI; signatureArchiveLocation?: URI }>;
+}
+
+export class ExtensionsDownloader extends Disposable implements IExtensionsDownloader {
 
 	readonly extensionsDownloadDir: URI;
 	private readonly cache: number;
 	private readonly cleanUpPromise: Promise<void>;
 
+	private static readonly SignatureArchiveExtension = '.sigzip';
+
 	constructor(
 		@INativeEnvironmentService environmentService: INativeEnvironmentService,
 		@IFileService private readonly fileService: IFileService,
@@ -32,21 +39,33 @@ export class ExtensionsDownloader extends Disposable {
 	) {
 		super();
 		this.extensionsDownloadDir = URI.file(environmentService.extensionsDownloadPath);
-		this.cache = 20; // Cache 20 downloads
+		this.cache = 20; // Cache 20 downloaded VSIX files
 		this.cleanUpPromise = this.cleanUp();
 	}
 
-	async downloadExtension(extension: IGalleryExtension, operation: InstallOperation): Promise<URI> {
+	async downloadExtension(extension: IGalleryExtension, operation: InstallOperation): Promise<{ extensionLocation: URI; signatureArchiveLocation?: URI }> {
 		await this.cleanUpPromise;
 		const vsixName = this.getName(extension);
-		const location = joinPath(this.extensionsDownloadDir, vsixName);
+		const extensionLocation = joinPath(this.extensionsDownloadDir, vsixName);
+		let signatureArchiveLocation: URI | undefined;
+
+		await this.downloadFile(extensionLocation, extension, operation, 'vsix', this.extensionGalleryService.download);
+
+		if (extension.assets.signature) {
+			signatureArchiveLocation = ExtensionsDownloader.getSignatureArchiveLocation(extensionLocation);
+
+			await this.downloadFile(signatureArchiveLocation, extension, operation, 'signature archive', this.extensionGalleryService.downloadSignatureArchive);
+		}
 
-		// Download only if vsix does not exist
+		return { extensionLocation, signatureArchiveLocation };
+	}
+
+	private async downloadFile(location: URI, extension: IGalleryExtension, operation: InstallOperation, fileType: string, download: (extension: IGalleryExtension, location: URI, operation: InstallOperation) => Promise<void>) {
 		if (!await this.fileService.exists(location)) {
-			// Download to temporary location first only if vsix does not exist
+			// Download to temporary location first only if file does not exist
 			const tempLocation = joinPath(this.extensionsDownloadDir, `.${generateUuid()}`);
 			if (!await this.fileService.exists(tempLocation)) {
-				await this.extensionGalleryService.download(extension, tempLocation, operation);
+				await download(extension, tempLocation, operation);
 			}
 
 			try {
@@ -57,16 +76,13 @@ export class ExtensionsDownloader extends Disposable {
 					await this.fileService.del(tempLocation);
 				} catch (e) { /* ignore */ }
 				if (error.code === 'ENOTEMPTY') {
-					this.logService.info(`Rename failed because vsix was downloaded by another source. So ignoring renaming.`, extension.identifier.id);
+					this.logService.info(`Rename failed because ${fileType} was downloaded by another source. So ignoring renaming.`, extension.identifier.id);
 				} else {
-					this.logService.info(`Rename failed because of ${getErrorMessage(error)}. Deleted the vsix from downloaded location`, tempLocation.path);
+					this.logService.info(`Rename failed because of ${getErrorMessage(error)}. Deleted the ${fileType} from downloaded location`, tempLocation.path);
 					throw error;
 				}
 			}
-
 		}
-
-		return location;
 	}
 
 	async delete(location: URI): Promise<void> {
@@ -89,15 +105,25 @@ export class ExtensionsDownloader extends Disposable {
 	private async cleanUp(): Promise<void> {
 		try {
 			if (!(await this.fileService.exists(this.extensionsDownloadDir))) {
-				this.logService.trace('Extension VSIX downlads cache dir does not exist');
+				this.logService.trace('Extension VSIX downloads cache dir does not exist');
 				return;
 			}
 			const folderStat = await this.fileService.resolve(this.extensionsDownloadDir, { resolveMetadata: true });
 			if (folderStat.children) {
 				const toDelete: URI[] = [];
 				const all: [ExtensionKey, IFileStatWithMetadata][] = [];
+				const signatureArchives = new Set<string>();
+
 				for (const stat of folderStat.children) {
-					const extension = ExtensionKey.parse(stat.name);
+					const name = stat.name;
+
+					if (ExtensionsDownloader.isSignatureArchive(name)) {
+						const extensionPath = ExtensionsDownloader.getExtensionPath(name);
+						signatureArchives.add(extensionPath);
+						continue;
+					}
+
+					const extension = ExtensionKey.parse(name);
 					if (extension) {
 						all.push([extension, stat]);
 					}
@@ -111,16 +137,40 @@ export class ExtensionsDownloader extends Disposable {
 				}
 				distinct.sort((a, b) => a.mtime - b.mtime); // sort by modified time
 				toDelete.push(...distinct.slice(0, Math.max(0, distinct.length - this.cache)).map(s => s.resource)); // Retain minimum cacheSize and delete the rest
+
 				await Promises.settled(toDelete.map(resource => {
 					this.logService.trace('Deleting vsix from cache', resource.path);
-					return this.fileService.del(resource);
+
+					let promise = Promise.resolve();
+
+					if (signatureArchives.has(resource.fsPath)) {
+						const signatureArchiveLocation = ExtensionsDownloader.getSignatureArchiveLocation(resource);
+
+						promise = promise.then(() => this.fileService.del(signatureArchiveLocation));
+					}
+
+					promise = promise.then(() => this.fileService.del(resource));
+
+					return promise;
 				}));
 			}
 		} catch (e) {
 			this.logService.error(e);
 		}
 	}
 
+	private static getExtensionPath(signatureArchivePath: string): string {
+		return signatureArchivePath.substring(0, signatureArchivePath.length - ExtensionsDownloader.SignatureArchiveExtension.length);
+	}
+
+	private static getSignatureArchiveLocation(extensionLocation: URI): URI {
+		return URI.file(extensionLocation.fsPath + ExtensionsDownloader.SignatureArchiveExtension);
+	}
+
+	private static isSignatureArchive(name: string): boolean {
+		return name.endsWith(ExtensionsDownloader.SignatureArchiveExtension);
+	}
+
 	private getName(extension: IGalleryExtension): string {
 		return this.cache ? ExtensionKey.create(extension).toString().toLowerCase() : generateUuid();
 	}