Investigate signature verification #67
Comments
coder-labeler
bot
added
bug
|
I think we will need to implement https://github.com/filiptronicek/node-ovsx-sign in Go. We generate what we need when an extension is added, or on demand for existing extensions for backwards compatibility. |
code-asher
changed the title
|
Does VS Code then need to get the public key of the signature configured somewhere? As mentioned in #65 we currently just download and provide the signature from the upstream marketplace and get a config-free experience with that (we have an air-gapped deployment so we could also just point the marketplace.visualstudio.com URL to our reverse proxy so that we don't even need to change that in the product.json). I would rather keep this ability of being able to fake the upstream as much as possible to reduce friction on the user's end. |
|
Ah, thanks for pointing out that issue, I was away last week and still have to go through my backlog. I will close this as a duplicate. I am not sure about the public key question; this is part of what needs to be investigated. I know Open VSX has solved this though, so I do not think it requires any changes on the VS Code side. But, if it is important to keep the ability to add your own signatures, we can make that work. |
Got a report that the marketplace does not work for 1.94 because of signature verification.
EDIT: See #65 instead
The text was updated successfully, but these errors were encountered: