How to use the vsixsigntool.exe as outlined here. I have a sha256 code signing certificate I am using to sign a vsix package. The documentation outlined by Microsoft is extremely lacking. I am externally signing the package as...
vsixsigntool.exe sign /f myCert.pfx /p password /t http://timestamp.comodoca.com/authenticode vsixfile.vsix
and I am getting...
VsixSignTool Error: Could not sign package "vsixfile.vsix": Error Code - 8009310b.
Although it should not matter my install targets for the vsix package are...
<InstallationTarget Version="[12.0,15.0)" Id="Microsoft.VisualStudio.Pro" />
<InstallationTarget Version="[12.0,15.0)" Id="Microsoft.VisualStudio.Premium" />
<InstallationTarget Version="[12.0,15.0)" Id="Microsoft.VisualStudio.Ultimate" />
<InstallationTarget Version="[14.0,15.0)" Id="Microsoft.VisualStudio.Community" />
<InstallationTarget Version="[14.0,15.0)" Id="Microsoft.VisualStudio.Enterprise" />
After additional testing this is what I came up with...
If I remove the time stamp such that I have
vsixsigntool.exe sign /f myCert.pfx /p password vsixfile.vsix
I get "was signed successfully"
However, if I have a package for VS 2013 and VS 2015 I get "The extension contains an invalid digital signature" when installing the vsix package. I went further and created 2 separate source.extension.vsixmanifest files. One for VS 2013 and one for VS 2015 with their respective targets.
For the VS 2015 target with command line
vsixsigntool.exe sign /f myCert.pfx /p password vsixfile.vsix
the package was completely and successfully signed. But for the VS 2013 the parameter /fd sha1 was added to the command.
vsixsigntool.exe sign /f myCert.pfx /p password /fd sha1 vsixfile.vsix
then and only then was the VS 2013 was completely and successfully signed.
Please correct me if this is not the intended case. If this is the case and if you want to target VS 2013 and VS 2015, then must you publish two different signed packages of the same application? VS 2015 only accepts sha256 and VS 2013 does not accept sha256?