Sorry if this is a stupid question, but I’ve been trying to create a command line installer for the VS2019 VSIX extension on a Windows Server 2016 machine, but have hit some problems when it is installing quietly. It seems the certificate it’s code-signed with expired over the weekend, and I’m guessing it’s not timestamped properly (see below)
If I run the installation in interactive mode, I get a prompt about the expired certificate with an invalid timestamp and am able to proceed with the installation, but that doesn’t help for the silent installation I was hoping to push out to the developers.
Am I missing something here? Is there a way to ignore the expired certificate, or does a new version of the plugin signed with a current cert need to be published? I read in another thread that using /force could allow certificate errors to be ignored, but that doesn’t seem to be doing it for me.
I’m not sure what the answer is, but it’s definitely not a stupid question!
The code signing certificate used to sign the SLVS v 4.38 release expired on the 16th October 2021. The VSIX was time-stamped as part of the signing so it should be verifiable that the code signing certificate was valid at the point the VSIX was signed.
I’ve just tried installing the v4.38 on my dev machine both from the command line and by double-clicking the VSIX and the certificate is not reported as being invalid:
20/10/2021 17:11:52 - Détails de l'extension...
20/10/2021 17:11:52 - Identifier : SonarLint.b986f788-6a16-4a3a-a68b-c757f6b1b7d5
20/10/2021 17:11:52 - Name : SonarLint for Visual Studio 2019
20/10/2021 17:11:52 - Author : SonarSource
20/10/2021 17:11:52 - Version : 4.38.0.36876
20/10/2021 17:11:52 - Description : Roslyn based static code analysis: Find and instantly fix nasty bugs and code smells in C#, VB.Net, C, C++ and JS.
20/10/2021 17:11:52 - Locale : en-US
20/10/2021 17:11:52 - MoreInfoURL : http://vs.sonarlint.org/
20/10/2021 17:11:52 - InstalledByMSI : False
20/10/2021 17:11:52 - SupportedFrameworkVersionRange : [4.6,)
20/10/2021 17:11:52 -
20/10/2021 17:11:53 - SignatureState : ValidSignature
20/10/2021 17:11:53 - SignedBy : Sonarsource SA
20/10/2021 17:11:53 - Certificate Info :
20/10/2021 17:11:53 - -------------------------------------------------------
20/10/2021 17:11:53 - [Subject] : CN=Sonarsource SA, O=Sonarsource SA, L=GENÈVE, C=CH
20/10/2021 17:11:53 - [Issuer] : CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
20/10/2021 17:11:53 - [Serial Number] : 17EF71F9FA5FF72F2C504248CEF5F950
20/10/2021 17:11:53 - [Not Before] : 17/09/2019 01:00:00
20/10/2021 17:11:53 - [Not After] : 16/10/2021 00:59:59
20/10/2021 17:11:53 - [Thumbprint] : 0EA334E388568CE222CB035D0CDA4B6EF8A7F087
FYI I’m using v16.10.1056.38773 of vsixinstaller.exe from \Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\VSIXInstaller.exe.
My guess is that there is some configuration difference on your Windows machine that is causing the timestamp to be treated as invalid (e.g. application of stricter policies, not trusting the timestamp/certificate provider). I don’t know if that would cause info to be logged to the Windows Event Log, but it might be worth checking.
FYI the next release of SLVS will be signed with a new certificate. We don’t have an exact release date, but it’s likely to be in the next two to three weeks.
Thanks very much for getting back to me so quickly!
I think the issue is actually a bit different to what the error message was suggesting. Something I neglected to mention was that this environment does not have normal internet access. I did some more testing this morning and also found this similar issue, which suggests that there is a broader issue with caused by CRL checks failing during plugin installation: Visual Studio Feedback
We have some other options to work around this potentially or at least isolate it more, so I’ll investigate those and report back. I’ll try that new version as well once it’s available.
,
