Tags: code-signing, vsix, code-signing-certificate, yubikey

How to sign a VSIX archive with a YubiKey cert?


I have a code signing certificate on a YubiKey (YubiKey 5C NFC FIPS, PIV Authentication on Slot 9a), in line with the new requirements for code signing certs. I need to sign my VSIX archive for distribution on the Visual Studio Marketplace.

According to the official Visual Studio docs, the new tool for signing the VSIX archive is 'sign': https://learn.microsoft.com/en-us/visualstudio/extensibility/dotnet-sign-cli-reference-vsix?view=vs-2022.

However, when I follow the above guide I receive this error: Invalid value for --certificate-fingerprint. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).

I am using the certificate thumbprint for --certificate-fingerprint. Is that correct? The guide also mentions running Get-FileHash on a .cer file to determine the fingerprint. However, I don't have a .cer file. Perhaps I need to export one from certmgr or the YubiKey manager? I figured the fingerprint would be used to identify the cert within the certificate store/provider, which is why I've assumed the thumbprint is this ID.

I'm also unsure which value to pass for the --crypto-service-provider. The guide shows various values in the examples, but also advises running certutil -csplist to see all the provider types available, but it's still not clear which one I should choose. I feel like I should be seeing some kind of YubiKey provider, but I do not. How do I figure out which provider to pass to the tool?

I am able to use the YubiKey cert to sign a DLL using the sign.exe tool, so it seems like the cert is correctly configured on the YubiKey. If I try to sign the VSIX file using the old tool (OpenVsixSignTool), I receive a STATUS_HEAP_CORRUPTION (-1073740940) exit code.

I'm hoping someone has been able to successfully sign a VSIX file using a digital cert / YubiKey and can provide some guidance.
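The two values the question struggles with can be read straight from the certificate store: `sign` wants the SHA-256 hash of the DER-encoded certificate (what `Get-FileHash` would compute on an exported .cer), whereas the thumbprint shown in certmgr is SHA-1, and the provider is whatever CNG key storage provider or CAPI CSP actually holds the private key. The PowerShell below is an added example, not code from the question, the answer or Microsoft's docs; it assumes the YubiKey is inserted and the smart-card minidriver has surfaced its certificate in `Cert:\CurrentUser\My`.

```powershell
# Added example (not from the question or the linked docs): list code-signing certificates
# in the user's store with the SHA-256 fingerprint that `sign` expects, the key algorithm,
# and the provider/container that back the private key. Assumes the YubiKey is inserted and
# its certificate is visible in Cert:\CurrentUser\My via the smart-card minidriver.
function Get-CodeSigningCertInfo {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        Get-ChildItem $StorePath | Where-Object HasPrivateKey | ForEach-Object {
            $cert = $_
            # Keep only certificates whose Extended Key Usage includes Code Signing (1.3.6.1.5.5.7.3.3).
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')) { return }

            # The fingerprint is the hash of the DER-encoded certificate, i.e. the same bytes a .cer
            # export would contain, so no export is needed. Thumbprint is SHA-1, which `sign` rejects.
            $fp = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''

            # Resolve the private key to learn its algorithm and which CNG KSP or CAPI CSP holds it.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $alg = 'RSA'; $provider = $rsa.Key.Provider.Provider; $container = $rsa.Key.KeyName
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $alg = 'RSA'; $provider = $rsa.CspKeyContainerInfo.ProviderName
                $container = $rsa.CspKeyContainerInfo.KeyContainerName
            } else {
                $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                $alg = 'ECDSA'; $provider = $ecdsa.Key.Provider.Provider; $container = $ecdsa.Key.KeyName
            }

            [pscustomobject]@{
                Subject           = $cert.Subject
                ThumbprintSha1    = $cert.Thumbprint   # what certmgr shows; not what --certificate-fingerprint wants
                FingerprintSha256 = $fp                # value for --certificate-fingerprint
                KeyAlgorithm      = $alg               # RSA or ECDSA
                Provider          = $provider          # value for --crypto-service-provider
                KeyContainer      = $container         # key container name (see `sign code certificate-store --help`)
            }
        }
    } finally {
        $sha256.Dispose()
    }
}

Get-CodeSigningCertInfo | Format-List
```

Run it with the YubiKey inserted; the Provider column is the name to pass to `--crypto-service-provider`, and `certutil -csplist` should list the same name.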


Solution

  • Currently it is not possible. Vote for it here:

    Add support in Visual Studio 2015 and higher for ECDSA-SHA256 (and not only RSA-SHA256) for code-signing VSIX packages https://developercommunity.visualstudio.com/t/Add-support-in-Visual-Studio-2015-and-hi/10481797