microsoft/vscode-vsce

verify-signature fails with an Unhandled CryptographicException

sean-mcmanus opened this issue · 6 comments

With @vscode/vsce 3.1.0:
yarn run vsce verify-signature --packagePath "pathTo.vsix" --manifestPath "pathTo.manifest" --signaturePath "pathTo.signature.p7s"
Signature verification result: UnhandledException
Package file size: 90947546
Signature archive file size: 74726
Manifest file size: 126964
Signature file size: 126964
Manifest file hash: 7qOG8M/r5DQf/t+sJ6pILo36OmtTlo4sjbbtN7kBOIw=
Signature file hash: 7qOG8M/r5DQf/t+sJ6pILo36OmtTlo4sjbbtN7kBOIw=
Package file hash: MjtdV6mYfwXJSZcF2g1P6JnFS/+pOtiPw4XizqFDvO0=
System.Security.Cryptography.CryptographicException: Cryptography_Der_Invalid_Encoding
---> System.Formats.Asn1.AsnContentException: ContentException_WrongTag, Application, 27, Universal, 16
at System.Formats.Asn1.AsnDecoder.CheckExpectedTag(Asn1Tag, Asn1Tag, UniversalTagNumber) + 0x14a
at System.Formats.Asn1.AsnDecoder.ReadSequence(ReadOnlySpan1, AsnEncodingRules, Int32&, Int32&, Int32&, Nullable1) + 0xb8
at System.Formats.Asn1.AsnValueReader.ReadSequence(Nullable1) + 0x49
at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.DecodeCore(AsnValueReader&, Asn1Tag, ReadOnlyMemory1, ContentInfoAsn&) + 0x8e
at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader&, Asn1Tag, ReadOnlyMemory1, ContentInfoAsn&) + 0x19
Exception_EndOfInnerExceptionStack
at System.Security.Cryptography.Asn1.Pkcs7.ContentInfoAsn.Decode(AsnValueReader&, Asn1Tag, ReadOnlyMemory1, ContentInfoAsn&) + 0x56
at System.Security.Cryptography.Pkcs.SignedCms.g__CopyContent|26_0(ReadOnlySpan1) + 0x99
at System.Security.Cryptography.Pkcs.SignedCms.Decode(ReadOnlySpan1) + 0x33
at System.Security.Cryptography.Pkcs.SignedCms.Decode(Byte[]) + 0x2b
at Microsoft.VisualStudio.Extensions.Signing.SignedData.d__7.MoveNext() + 0x1eb
--- End of stack trace from previous location ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task) + 0xb2
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task, ConfigureAwaitOptions) + 0x4b
at Microsoft.VisualStudio.Extensions.Signing.ExtensionPackage.d__5.MoveNext() + 0x122
--- End of stack trace from previous location ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task) + 0xb2
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task, ConfigureAwaitOptions) + 0x4b
at Microsoft.VisualStudio.Extensions.Signing.CLI.Program.d__14.MoveNext() + 0xc6b
--- End of stack trace from previous location ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task) + 0xb2
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task, ConfigureAwaitOptions) + 0x4b
at Microsoft.VisualStudio.Extensions.Signing.CLI.Program.d__10.MoveNext() + 0xef5
--- End of stack trace from previous location ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task) + 0xb2
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task, ConfigureAwaitOptions) + 0x4b
at Microsoft.VisualStudio.Extensions.Signing.CLI.Program.d__9.MoveNext() + 0xbb
Exit code: UnhandledException

I could send you the repro vsix/manifest/signature.p7s files if you want.

My repro is with test signing. I'll try again after we get real signing enabled.

My repro is with test signing

Can you please give more details about this test signing? How are you signing it and what certificates are being used?

The problem is shown in your verification output:

Manifest file hash: 7qOG8M/r5DQf/t+sJ6pILo36OmtTlo4sjbbtN7kBOIw=
Signature file hash: 7qOG8M/r5DQf/t+sJ6pILo36OmtTlo4sjbbtN7kBOIw=

The manifest and signature files are identical. The manifest file should be a JSON file. The signature file should be a signed CMS blob.
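The diagnosis above can be turned into a pre-check that runs before handing the files to the verifier. The script below is an added example, not part of vsce or the Microsoft signing CLI: it hashes both files (assumed here to be base64 SHA-256, which matches the 44-character digests in the output above), confirms the manifest parses as JSON, and confirms the signature file starts with a DER SEQUENCE whose first element is the id-signedData OID, which is what a CMS ContentInfo looks like. It also decodes a single ASN.1 identifier octet the way the .NET reader reports it: the trace's "WrongTag, Application, 27, Universal, 16" means the reader expected Universal tag 16 (SEQUENCE) and found Application tag 27, and the octet that decodes to Application/constructed/27 is 0x7B, the ASCII "{" that opens a JSON document. The sample inputs are constructed and the CMS stub is only structurally shaped like a signature, not a real one.

```python
import base64
import hashlib
import json

# OID 1.2.840.113549.1.7.2 (id-signedData) as a DER OBJECT IDENTIFIER TLV.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def file_hash_b64(data: bytes) -> str:
    """Base64 SHA-256 digest; assumed to match the 'file hash' lines verify-signature prints."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def classify_asn1_tag(identifier_octet: int) -> tuple[str, bool, int]:
    """Split a one-byte BER/DER identifier octet into (class, constructed, tag number)."""
    tag_class = ("Universal", "Application", "ContextSpecific", "Private")[identifier_octet >> 6]
    constructed = bool(identifier_octet & 0x20)
    number = identifier_octet & 0x1F
    return tag_class, constructed, number


def looks_like_cms(data: bytes) -> bool:
    """True if data starts with SEQUENCE { id-signedData ... }, the outer ContentInfo of a CMS signature."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    # Skip the length octets (short form, long form, or BER indefinite 0x80) to reach the first element.
    if data[1] & 0x80:
        body = data[2 + (data[1] & 0x7F):]
    else:
        body = data[2:]
    return body.startswith(SIGNED_DATA_OID)


def looks_like_json(data: bytes) -> bool:
    try:
        json.loads(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def precheck(manifest: bytes, signature: bytes) -> list[str]:
    """Return findings that explain why CMS decoding would fail; an empty list means the inputs look sane."""
    findings = []
    if file_hash_b64(manifest) == file_hash_b64(signature):
        findings.append("manifest and signature are byte-identical")
    if not looks_like_json(manifest):
        findings.append("manifest is not valid JSON")
    if not looks_like_cms(signature):
        if signature:
            tag_class, constructed, number = classify_asn1_tag(signature[0])
            findings.append(
                f"signature is not a CMS SignedData blob "
                f"(first tag: {tag_class} {number}, constructed={constructed}; expected Universal 16)"
            )
        else:
            findings.append("signature file is empty")
    return findings


# Constructed sample inputs (not real extension artifacts).
SAMPLE_MANIFEST = b'{"package": {"name": "example-extension"}}'
# SEQUENCE (13 bytes) { id-signedData OID, [0] EXPLICIT with empty content } -- shape only, not a valid signature.
SAMPLE_CMS_STUB = b"\x30\x0d" + SIGNED_DATA_OID + b"\xa0\x00"

if __name__ == "__main__":
    print("manifest + manifest:", precheck(SAMPLE_MANIFEST, SAMPLE_MANIFEST))
    print("manifest + cms stub:", precheck(SAMPLE_MANIFEST, SAMPLE_CMS_STUB))
    print("tag 0x7B ('{') decodes as:", classify_asn1_tag(0x7B))
```

Running it against a manifest passed twice reports the identical-hash finding and the Application 27 tag, reproducing the two symptoms in the issue; against a properly shaped CMS blob it reports nothing, so the check is a cheap way to tell "wrong file handed to the verifier" from a genuine signature failure.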

@sandy081 We use msbuild to sign with msbuildArguments: /p:SignType=test or msbuildArguments: /p:SignType=real. I was using test sign for testing because we didn't have approval for real signing yet. I was able to sign our .js files with test signing, but now that I look at the vsix docs, there is a reference to real signing that implies that test signing isn't supported for vsix signing. We're signing with <Authenticode>VSCodePublisher</Authenticode>.

So this seems "by design", although the error message is confusing.

@sandy081 However, the output of the signing says it succeeded so that is really misleading, but maybe that's an msbuild signing bug/issue.


@sandy081 Also, FYI, when I ran it with "real" signing it worked and the signature was verified (the file size of the signature is different from the manifest).

I am not sure if I understand about the test signing you were doing.

If you still have issues, feel free to ping me over teams so that we can talk directly.