Error validating signature when installing extensions from OpenVSX #5758

Closed
jmcphers opened this issue Dec 16, 2024 · 2 comments
@jmcphers
Collaborator

System details:

Positron and OS details:

Positron Version: 2025.01.0 build 87
Code - OSS Version: 1.95.0
Commit: 240e51fa165f6c512e586f0af105a0c8fc092607
Date: 2024-12-16T17:23:23.892Z
Electron: 32.2.1
Chromium: 128.0.6613.186
Node.js: 20.18.0
V8: 12.8.374.38-electron.0
OS: Darwin arm64 24.1.0

Interpreter details:

N/A

Describe the issue:

When attempting to install an extension from OpenVSX, a signature validation error occurs.

Steps to reproduce the issue:

  1. Go to the Extensions panel
  2. Search for an extension, e.g. Posit Publisher
  3. Click the Install button

Expected or desired behavior:

Extension installs successfully.

Were there any error messages in the UI, Output panel, or Developer Tools console?

This looks related:

2024-12-16 10:12:38.400 [error] SignatureVerificationInternal: Signature verification was not executed.
    at ExtensionManagementService2.downloadExtension (file:///Users/jmcphers/git/VSCode-darwin-arm64/Positron.app/Contents/Resources/app/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js:25465:15)
    at async ExtensionManagementService2.downloadAndExtractGalleryExtension (file:///Users/jmcphers/git/VSCode-darwin-arm64/Positron.app/Contents/Resources/app/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js:25412:46)
2024-12-16 10:12:38.694 [error] Signature verification was not executed.: SignatureVerificationInternal: Signature verification was not executed.
    at ExtensionManagementService2.downloadExtension (file:///Users/jmcphers/git/VSCode-darwin-arm64/Positron.app/Contents/Resources/app/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js:25465:15)
    at async ExtensionManagementService2.downloadAndExtractGalleryExtension (file:///Users/jmcphers/git/VSCode-darwin-arm64/Positron.app/Contents/Resources/app/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js:25412:46)

...

2024-12-16 10:17:14.168 [error] Cannot find package 'yauzl' imported from /Users/jmcphers/git/VSCode-darwin-arm64/Positron.app/Contents/Resources/app/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js: Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'yauzl' imported from /Users/jmcphers/git/VSCode-darwin-arm64/Positron.app/Contents/Resources/app/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js
    at packageResolve (node:internal/modules/esm/resolve:861:9)
    at moduleResolve (node:internal/modules/esm/resolve:934:18)
    at defaultResolve (node:internal/modules/esm/resolve:1176:11)
    at nextResolve (node:internal/modules/esm/hooks:868:28)
    at resolve (data:text/javascript;base64,CglleHBvcnQgYXN5bmMgZnVuY3Rpb24gcmVzb2x2ZShzcGVjaWZpZXIsIGNvbnRleHQsIG5leHRSZXNvbHZlKSB7CgkJaWYgKHNwZWNpZmllciA9PT0gJ2ZzJykgewoJCQlyZXR1cm4gewoJCQkJZm9ybWF0OiAnYnVpbHRpbicsCgkJCQlzaG9ydENpcmN1aXQ6IHRydWUsCgkJCQl1cmw6ICdub2RlOm9yaWdpbmFsLWZzJwoJCQl9OwoJCX0KCgkJLy8gRGVmZXIgdG8gdGhlIG5leHQgaG9vayBpbiB0aGUgY2hhaW4sIHdoaWNoIHdvdWxkIGJlIHRoZQoJCS8vIE5vZGUuanMgZGVmYXVsdCByZXNvbHZlIGlmIHRoaXMgaXMgdGhlIGxhc3QgdXNlci1zcGVjaWZpZWQgbG9hZGVyLgoJCXJldHVybiBuZXh0UmVzb2x2ZShzcGVjaWZpZXIsIGNvbnRleHQpOwoJfQ==:13:10)
    at nextResolve (node:internal/modules/esm/hooks:868:28)
    at Hooks.resolve (node:internal/modules/esm/hooks:306:30)
    at MessagePort.handleMessage (node:internal/modules/esm/worker:196:24)
    at [nodejs.internal.kHybridDispatch] (node:internal/event_target:820:20)
    at MessagePort.<anonymous> (node:internal/per_context/messageport:23:28)
@jmcphers jmcphers added the area: core Issues related to Core category. label Dec 16, 2024
@jmcphers jmcphers self-assigned this Dec 16, 2024
@juliasilge juliasilge added this to the 2025.01.0 Pre-Release milestone Dec 16, 2024
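
The following log-triage script is an added example, not part of the original issue or of Positron's code. It groups each timestamped entry with its stack frames and separates the two kinds of error quoted above ("signature verification was not executed" and a missing Node module). The function names `parseEntries` and `triage` are hypothetical, and the sample log is constructed from the entries in the issue with paths shortened.

```javascript
// Added example: triage extension-install errors in a Positron / Code - OSS log.
// SAMPLE_LOG is constructed from the entries quoted in the issue (paths shortened).
const SAMPLE_LOG = [
  "2024-12-16 10:12:38.400 [error] SignatureVerificationInternal: Signature verification was not executed.",
  "    at ExtensionManagementService2.downloadExtension (file:///app/out/sharedProcessMain.js:25465:15)",
  "2024-12-16 10:12:38.694 [error] Signature verification was not executed.: SignatureVerificationInternal: Signature verification was not executed.",
  "    at ExtensionManagementService2.downloadExtension (file:///app/out/sharedProcessMain.js:25465:15)",
  "2024-12-16 10:17:14.168 [error] Cannot find package 'yauzl' imported from /app/out/sharedProcessMain.js: Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'yauzl' imported from /app/out/sharedProcessMain.js",
  "    at packageResolve (node:internal/modules/esm/resolve:861:9)",
  "2024-12-16 10:18:00.000 [info] unrelated entry",
].join("\n");

const ENTRY = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(\w+)\] (.*)$/;

// Group each timestamped line with the indented stack frames that follow it.
function parseEntries(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const m = ENTRY.exec(line);
    if (m) entries.push({ time: m[1], level: m[2], message: m[3], frames: [] });
    else if (entries.length && /^\s+at /.test(line)) entries[entries.length - 1].frames.push(line.trim());
  }
  return entries;
}

// Classify error entries into the two kinds of error quoted in the issue.
function triage(text) {
  const report = { signatureNotExecuted: [], missingModules: new Set() };
  for (const e of parseEntries(text)) {
    if (e.level !== "error") continue;
    if (e.message.includes("SignatureVerificationInternal")) {
      // Record when the error was raised and the function in the top stack frame.
      const frame = e.frames[0] || "";
      const fn = (/^at (?:async )?(\S+)/.exec(frame) || [])[1] || "unknown";
      report.signatureNotExecuted.push({ time: e.time, raisedIn: fn });
    }
    const mod = /\[ERR_MODULE_NOT_FOUND\]: Cannot find package '([^']+)'/.exec(e.message);
    if (mod) report.missingModules.add(mod[1]);
  }
  return { ...report, missingModules: [...report.missingModules] };
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```
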
@jmcphers
Collaborator Author

I think this may have to do with this commit from upstream. This landed in 1.94 (which was included in our upgrade from 1.93 -> 1.95) and blocked installation of VSIX files that could not be validated.

microsoft/vscode@2991008

Later, in 1.96, this was walked back a bit to not validate unsigned VSIX files.

microsoft/vscode@6b27771

However, as we're on 1.95, we don't have this change.

jmcphers added a commit that referenced this issue Dec 17, 2024
This change causes Positron to skip extension validation. Extension
validation isn't a new feature from upstream, but it is a feature that
was formerly not very aggressive. In this change from upstream 1.94
(which we picked up with the 1.93 -> 1.95 upstream merge), VS Code
started blocking installation when signature verification fails.


microsoft/vscode@2991008

This change also added a new option, `extensions.verifySignature`, which
controls the new behavior. The fix is to effectively hide this option
and never perform signature verification.

In early drafts of this change I considered just defaulting the setting
to `false`, but it turns out that Positron is missing an essential
binary needed to perform signature verification (`@vscode/vsce-sign`),
so we cannot verify signatures. Verification is also restricted to
Windows and macOS platforms, even in upstream VS Code.

This fix is a stopgap to get installation back online quickly. In the
long term, we should consider investigating what work is needed to
perform signature verification. While Positron does not bundle a copy of
the vsce-sign tool, the tool is distributed on npm (note however that it
is closed source and under a Microsoft license).
https://www.npmjs.com/package/@vscode/vsce-sign

Addresses #5758.

### QA Notes

Installing from local VSIX files as well as OpenVSX should work
smoothly.
@testlabauto
Contributor

Verified Fixed

Positron Version(s) : 2025.01.0-104
OS Version          : OSX

Test scenario(s)

Posit Publisher installed successfully

Link(s) to TestRail test cases run or created:
