Skip to content

Fix VSIX signing and add "Verify VSIX Signing" step #91

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 2, 2025
Merged

Fix VSIX signing and add "Verify VSIX Signing" step #91

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0392280
Fixed VSIX signing pattern matching for .p7s files
vcolin7 Aug 29, 2025
692e64d
Added a Verify VSIX Signing step
vcolin7 Aug 29, 2025
36b26cd
Changed file extension to verify signature of
vcolin7 Aug 29, 2025
576ad7a
Moved VSIX verification to the VSIX .yml file
vcolin7 Aug 29, 2025
6089bee
Fixed VSIX verification
vcolin7 Aug 30, 2025
2fa41d7
Add 'fname' to cspell configuration
g2vinay Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions eng/pipelines/templates/common.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,40 @@ extends:
}
displayName: "Verify Binary Signing"

- job: Verify_VSIX_Signing
displayName: "Verify VSIX Signing"
dependsOn: SignAndPackVSIX
pool:
name: $(WINDOWSPOOL) # Signing verification must happen on windows
image: $(WINDOWSVMIMAGE)
os: windows
variables:
- template: /eng/pipelines/templates/variables/image.yml
- template: /eng/pipelines/templates/variables/globals.yml
steps:
- checkout: none
- download: current
artifact: vsix_$(PipelineArtifactName)_signed
displayName: "Download signed MCP server VSIX files"
- pwsh: |
Write-Host "Verifying signing for win-x64 and win-arm64 VSIX files..."
$allSigned = $true
$signedVsixFiles = Get-ChildItem -Path '$(Pipeline.Workspace)/vsix_$(PipelineArtifactName)_signed/**/win-*' -Recurse -Include "*.signature.p7s"
foreach ($vsix in $signedVsixFiles) {
if ((Get-AuthenticodeSignature -FilePath $vsix.FullName).Status -ne 'Valid') {
Write-Host "VSIX file $($vsix.FullName) is NOT signed correctly."
$allSigned = $false
}
else {
Write-Host "VSIX file $($vsix.FullName) is signed correctly."
}
}
if (-not $allSigned) {
Write-Error "One or more VSIX files are not signed correctly."
exit 1
}
displayName: "Verify VSIX Signing"

- ${{ if eq(parameters.ReleaseRun, 'true') }}:
- stage: Release
dependsOn:
Expand Down
4 changes: 2 additions & 2 deletions eng/pipelines/templates/jobs/sign-and-pack-vsix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ parameters:
type: string

jobs:
- job:
- job: SignAndPackVSIX
displayName: "Sign and Pack VSIX"
dependsOn: ${{ parameters.DependsOn }}
condition: and(succeeded(), ne(variables['NoPackagesChanged'], 'true'))
Expand Down Expand Up @@ -35,7 +35,7 @@ jobs:
- template: pipelines/steps/azd-vscode-signing.yml@azure-sdk-build-tools
parameters:
Path: $(Build.ArtifactStagingDirectory)
Pattern: '*.signature.p7s'
Pattern: '**/*.signature.p7s'

- template: /eng/common/pipelines/templates/steps/publish-1es-artifact.yml
parameters:
Expand Down
Loading