Extension Publisher Signing #137
Replies: 10 comments 22 replies
-
Yes,
Would you plan on not allowing unsigned extensions? This might improve the quality of extensions on the Marketplace if that were the case. Also, I assume I can use the same cert for many extensions in my business? My concern is how we obtain that certificate and where we store it. It needs to be simple to obtain and sign my extension during publish in a pipeline. |
Beta Was this translation helpful? Give feedback.
-
For context: I'm not too familiar with signing, the current state of the art for tools, or average cost for these things elsewhere.
Probably, yes. I would expect the demand to be there from extension users after a while.
I would probably expect it to be either a flag for
Absolutely a dealbreaker, unless there is a clear value provided to the one paying the bill. I could be persuaded if:
Good, and as long as there would be such a cost involved in signing it should stay that way. I build my extension in my spare time and provide it for free, so I already feel like I pay enough in that sense. I get that there's an infrastructure/platform cost involved from your perspective, but if the price of admission was 100$ I would stop publishing on Marketplace in a heartbeat.
I don't know if it's relevant, but I'm interested in SSH commit verification. (When I checked back in August, my Git version on macOS didn't support it yet.) SSH keys is something I'm familiar with, and it looks fairly simple to configure Git and GitHub to use SSH keys for signing. |
Beta Was this translation helpful? Give feedback.
-
I was introduced to Sigstore today for code signing via Trail of Bits. On first glance it seems like it could be relevant (and promising!). From "How do I use sigstore?":
|
Beta Was this translation helpful? Give feedback.
-
That would be great! As a user and contributer of Nixpkgs, I would be concerned whether the verifying API/key would be publicly available or not. In Nixpkgs, users can specify the set of extensions they would like to use in a domain-specific language called "Nix expression", and reproduce an identical environment on another computer. To ensure reproducibility, the build system downloads the extension, verify it with the given checksum (which is usually SHA256), unpack it, place the files under specific directory hirarchies (with some hashed directory names) and make it visible to the VSCode binary. If the signature-verification key/process is not publicly available (or even be viewed as a trading secret), I wonder if we could continue to enjoy the rich features of VSCode together with the reproducibility of Nix. Or, if the verification happens only during the download, the build could still work without the benefit introduced in this change. It would be another plus to have a way to fetch the checksum (SHA256 or SHA512) of the VSIX file without downloading the VSIX file itself. We would be able to automate the build process without manually fetching the hashes then. |
Beta Was this translation helpful? Give feedback.
-
Some reasons against it:
I would suggest that a better approach would be something like how SSH keys are commonly handled on platforms like GitHub etc: Allow you to specify which ones are valid via a web UI. The web UI should probably require re-authentication with 2FA when you try to change things and monitor for suspicious logins (unexpected country etc). There are other ways to secure it even more (while not incurring unreasonable costs for small developers/hobbyists): For example: require that any new key is signed with the previous key (and require that the developer sets up a "current" and a "backup" key from the beginning). |
Beta Was this translation helpful? Give feedback.
-
Is it possible that this update would break REMOTE extension installs if it is not using the application proxy setting? After this update, none of my extensions are installing with error messages like this:
I think it would be related to this issue: If this is the case, can we disable extension signature verification? Or could the remote session fallback to installing from the up-to-date extension residing on the host version of VScode? |
Beta Was this translation helpful? Give feedback.
-
Until publisher signing is available and Marketplace signs our extension. The extension is installed from Marketplace into VS Code. |
Beta Was this translation helpful? Give feedback.
-
Whilst understanding the importance of signing extensions for peace of mind for all of us, the cost of a developer signing certificate would be an absolute deal breaker as far as I was concerned. |
Beta Was this translation helpful? Give feedback.
-
Will this also be the same when it comes to themes (possible fee)? In theory they are not a traditional extension, and technically only json files. Having to pay a cost for that would definitely be a deal breaker for me as that is the only thing that I use vsce with to publish. I don't use it to generate any income so it would wind up costing me money just to share something I made available to others as more of a way to share in the same way that I share open source Plugins, Components, etc. on my GitHub/npm accounts. |
Beta Was this translation helpful? Give feedback.
-
This is a blanket statement. Any secure system design starts with exquisitely specific attack scenarios.
This depends on a multitude of factors. Blanket question, blanket answer: depends on how cumbersome the process is.
With a derived key, yes. With the master key, unacceptable risk. Commonly, the master signing key is released only upon confirming physical presence of the owner (e.g., tap a button on the YubiKey).
Yes, indeed, it would put the Marketplace out of reach of anyone but major commercial software publishers.
I am not developing signing solutions, but I use them. Here are two that might be of interest.
Finally, the value of attaching certified identity to extensions is greatly diminished by the security features that are really, sorely missingUnlike browser extension or Android apps, VSCode extensions have full access to the user's system, without any granularity. Reducing the attack surface is the most significant security measure by any textbook. I would even hazard to say that ensuring integrity/identity of extensions has a far lower priority than compartmentalizing extension's access to the core API. Security risks from a malicious or simply malfunctioning extension that is only supposed to display the currently selected profile in the status bar (ahem, hint, hint: maybe we don't need a whole extension for that?) and another, which deploys a debugger proxy executable, should be different. As is with WebExtensions, the manifest should declare the subset of API it will be given access to, at a sensibly granular level, and this subset should be visible to the installing user, translated into natural language. Simply, I would be much more comfortable installing a totally unsigned extension that is given manifest permissions to create a sidebar, access editor's buffer read-only and augment semantic information than an extension that is, as it currently stands, is given full filesystem access, including remote, but provably signed by Joe Bloggs, of whom I've never heard, of course. As you perfectly know, extensions on the Marketplace can be subdivided into 4 major categories: (a) made by Microsoft, (b) published by developers of a simple, single-function extension, which they likely made for their own convenience, (c) expensive, often with free crippled demo versions and (d) 1% outside of the first three kinds. Are you absolutely sure that your priorities are set optimally? |
Beta Was this translation helpful? Give feedback.
-
Marketplace is finishing their work on extension repository signing. To summarise, all extensions on upload will get signed by the Marketplace. Upon download of an extension VS Code will verify this repository signature. Using this approach we can be certain that the package that VS Code downloaded is indeed the one that got uploaded to the Marketplace. More details about the repository signing will be announced in November when this feature will most likely launch 🚀
In the meantime I wanted to discuss another topic - publisher signing. This is a feature that the Marketplace team is starting to think about and it would allow extension authors to directly sign their extensions. VS Code would verify this signature to make sure that the extension bits indeed came from the respective author. Publisher signing is not to be confused with repository signing and these two are independent security features that verify different parts of the supply chain.
Publisher signing has a lot of benefits, but my personal favourite is the ability for extension authors to specify that only extensions that are signed with a specific certificate should be accepted by the Marketplace. Using this, even if an extension author's Marketplace account is compromised by a malicious actor, that actor would not be able to upload any new extensions (or update existing ones) since those extensions would not be signed 🔒
Some questions that I have:
vsce
?Let me know what you think and if you have any other questions. We are looking for any feedback that might help us in how we design the extension publisher signing experience since we are still in the very early phase. Thanks 🙏
Beta Was this translation helpful? Give feedback.
All reactions