Signing VSIX Packages

 

For the latest documentation on Visual Studio 2017, see Visual Studio 2017 Documentation.

Extension assemblies do not need to be signed before they can run in Visual Studio, but it is a good practice to do so.

If you want to secure your extension and make sure it hasn’t been tampered with, you can add a digital signature to a VSIX package. When a VSIX is signed, the VSIX installer will display a message indicating that it is signed, plus more information about the signature itself. If the contents of the VSIX have been modified, and the VSIX has not been signed again, the VSIX installer will show that the signature is not valid. The installation is not stopped, but the user is warned.

System_CAPS_ICON_important.jpg Important

Beginning in 2015, VSIX packages signed using anything other than SHA256 encryption will be identified as having an invalid signature. VSIX installation is not blocked but the user will be warned.

There is a SHA256 encryption signing tool available from VisualStudioExtensibility on nuget.org at VsixSignTool.

To use the VSIXSignTool

  1. Add your VSIX to a project.

  2. Right click on the project node in Solution Explorer, selecting Add | Manage NuGet Packages. For more information on NuGet and adding NuGet packages see NuGet Overview and Manage NuGet Packages Using the Dialog.

  3. Search for VSIXSignTool from VisualStudioExtensibility and install the NuGet package.

  4. You can now run the VSIXSignTool from the project’s local packages location. Consult the tool’s command line help for your signing scenario (VSIXSignTool.exe /?).

For example to sign with a password protected certificate file:

VSIXSignTool.exe sign /f <certfile> /p <password> <VSIXfile>

Shipping Visual Studio Extensions

Show: