From 53cd5d204d2edce744bc3c430fb5d46fc339dbc7 Mon Sep 17 00:00:00 2001 From: Bharat Middha <5100938+bmiddha@users.noreply.github.com> Date: Mon, 18 Aug 2025 11:38:50 -0700 Subject: [PATCH 1/5] update extension publishing --- .../bmiddha-vscode-esrp_2025-08-13-08-06.json | 10 ++ .../bmiddha-vscode-esrp_2025-08-13-09-22.json | 10 ++ .../vscode-extension-publish.yaml | 37 ++++--- .../config/subspaces/default/pnpm-lock.yaml | 98 +++++++---------- .../config/subspaces/default/repo-state.json | 2 +- .../heft-plugin.json | 38 ++++++- .../heft-vscode-extension-plugin/package.json | 2 +- .../src/VSCodeExtensionPublishPlugin.ts | 100 ++++++++++++------ .../VSCodeExtensionVerifySignaturePlugin.ts | 94 ++++++++++++++++ .../profiles/default/config/heft.json | 23 +++- .../package.json | 4 +- .../src/extension.ts | 45 ++++---- 12 files changed, 324 insertions(+), 139 deletions(-) create mode 100644 common/changes/@rushstack/heft-vscode-extension-plugin/bmiddha-vscode-esrp_2025-08-13-08-06.json create mode 100644 common/changes/@rushstack/heft-vscode-extension-rig/bmiddha-vscode-esrp_2025-08-13-09-22.json create mode 100644 heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts diff --git a/common/changes/@rushstack/heft-vscode-extension-plugin/bmiddha-vscode-esrp_2025-08-13-08-06.json b/common/changes/@rushstack/heft-vscode-extension-plugin/bmiddha-vscode-esrp_2025-08-13-08-06.json new file mode 100644 index 00000000000..7551585910d --- /dev/null +++ b/common/changes/@rushstack/heft-vscode-extension-plugin/bmiddha-vscode-esrp_2025-08-13-08-06.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/heft-vscode-extension-plugin", + "comment": "Add support for verifying extension signature.", + "type": "patch" + } + ], + "packageName": "@rushstack/heft-vscode-extension-plugin" +} \ No newline at end of file 
diff --git a/common/changes/@rushstack/heft-vscode-extension-rig/bmiddha-vscode-esrp_2025-08-13-09-22.json b/common/changes/@rushstack/heft-vscode-extension-rig/bmiddha-vscode-esrp_2025-08-13-09-22.json new file mode 100644 index 00000000000..31054afeb8c --- /dev/null +++ b/common/changes/@rushstack/heft-vscode-extension-rig/bmiddha-vscode-esrp_2025-08-13-09-22.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/heft-vscode-extension-rig", + "comment": "Add support for verifying extension signature.", + "type": "patch" + } + ], + "packageName": "@rushstack/heft-vscode-extension-rig" +} \ No newline at end of file diff --git a/common/config/azure-pipelines/vscode-extension-publish.yaml b/common/config/azure-pipelines/vscode-extension-publish.yaml index b73321d7aca..a58a2f2811c 100644 --- a/common/config/azure-pipelines/vscode-extension-publish.yaml +++ b/common/config/azure-pipelines/vscode-extension-publish.yaml @@ -10,12 +10,14 @@ parameters: type: object default: - key: 'debug-certificate-manager-vscode-extension' - vsixPath: 'dist/vsix/packaged.vsix' - manifestPath: 'dist/vsix/extension-manifest.json' + projectRelativeAssetsDir: dist/vsix + vsixPath: 'extension.vsix' + manifestPath: 'extension.signature.manifest' projectPath: '$(Build.SourcesDirectory)/vscode-extensions/debug-certificate-manager-vscode-extension' - key: 'rush-vscode-extension' - vsixPath: 'dist/vsix/packaged.vsix' - manifestPath: 'dist/vsix/extension-manifest.json' + projectRelativeAssetsDir: dist/vsix + vsixPath: 'extension.vsix' + manifestPath: 'extension.signature.manifest' projectPath: '$(Build.SourcesDirectory)/vscode-extensions/rush-vscode-extension' resources: 
@@ -68,20 +70,20 @@ extends: az rest -u https://app.vssps.visualstudio.com/_apis/profile/profiles/me --resource 499b84ac-1321-427f-aa17-267ca6975798 - ${{ each extension in parameters.ExtensionPublishConfig }}: - - bash: cp ${{ extension.manifestPath }} ${{ extension.projectPath }}/extension.signature.p7s - workingDirectory: ${{ extension.projectPath }} + - bash: cp ${{ extension.manifestPath }} extension.signature.p7s + workingDirectory: ${{ extension.projectPath }}/${{ extension.projectRelativeAssetsDir }} displayName: 'Prepare manifest for signing: ${{ extension.key }}' - - task: EsrpCodeSigning@5 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: 'ESRP CodeSigning' inputs: - connectedservicename: '' # TODO - AppRegistrationClientId: '' # TODO - AppRegistrationTenantId: '' # TODO - AuthAKVName: '' # TODO - AuthCertName: '' # TODO - AuthSignCertName: '' # TODO - FolderPath: '${{ extension.projectPath }}' + connectedservicename: 'rushstack-esrp-codesign-client' + AppRegistrationClientId: 'ceb49532-1c6a-445c-8d34-91ab779bdf50' + AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2' + AuthAKVName: 'rushstack-esrp' + AuthCertName: 'ceb49532-rushstack-esrp' + AuthSignCertName: 'rushstack-vs-marketplace-publisher-signing-certificate' + FolderPath: '${{ extension.projectPath }}/${{ extension.projectRelativeAssetsDir }}' Pattern: 'extension.signature.p7s' signConfigType: inlineSignParams inlineOperation: | 
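Review bot: The `${{ extension.* }}` template expressions are pasted unquoted into bash, first in the `cp ${{ extension.manifestPath }} extension.signature.p7s` step in this hunk and again in the `verify-signature` and `publish-vsix` command lines of the next hunk. Template expressions are substituted before the script runs, so a value containing a space or a shell metacharacter changes the command. If `ExtensionPublishConfig` can be overridden when a run is queued, that text reaches a job that uses the `rushstack-esrp-codesign-client` and `rushstack-vscode-publish` connections. Quoting each expansion, e.g. `cp "${{ extension.manifestPath }}" extension.signature.p7s`, or passing the values through `env:` and reading them as shell variables, keeps them as data. The verify and publish steps also spell out the same three paths independently, and they have to stay identical for the verified files to be the ones that get published.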
@@ -95,12 +97,15 @@ extends: } ] + - bash: node node_modules/@rushstack/heft/lib/start.js verify-signature --vsix-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.vsixPath }} --manifest-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.manifestPath }} --signature-path ${{ extension.projectRelativeAssetsDir }}/extension.signature.p7s + displayName: 'Verify Signature: ${{ extension.key }}' + workingDirectory: ${{ extension.projectPath }} + - task: AzureCLI@2 displayName: 'Publish VSIX: ${{ extension.key }}' inputs: azureSubscription: rushstack-vscode-publish scriptType: 'bash' scriptLocation: 'inlineScript' - inlineScript: | - node node_modules/@rushstack/heft/lib/start.js publish-vsix --vsix-path ${{ extension.vsixPath }} --manifest-path ${{ extension.projectPath }}/extension.manifest --signature-path ${{ extension.projectPath }}/extension.signature.p7s + inlineScript: node node_modules/@rushstack/heft/lib/start.js publish-vsix --vsix-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.vsixPath }} --manifest-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.manifestPath }} --signature-path ${{ extension.projectRelativeAssetsDir }}/extension.signature.p7s workingDirectory: ${{ extension.projectPath }} diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index 9617e9ff750..926ccedf493 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -3116,8 +3116,8 @@ importers: specifier: workspace:* version: link:../../libraries/terminal '@vscode/vsce': - specifier: 3.3.2 - version: 3.3.2 + specifier: 3.2.1 + version: 3.2.1 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -12880,7 +12880,7 @@ packages: core-js: 3.36.0 global: 4.4.0 lodash: 4.17.21 - qs: 6.13.0 + qs: 6.14.0 react: 17.0.2 react-dom: 17.0.2(react@17.0.2) regenerator-runtime: 0.13.11 
@@ -13196,7 +13196,7 @@ packages: core-js: 3.36.0 global: 4.4.0 lodash: 4.17.21 - qs: 6.13.0 + qs: 6.14.0 react: 17.0.2 react-dom: 17.0.2(react@17.0.2) regenerator-runtime: 0.13.11 @@ -15021,8 +15021,8 @@ packages: '@vscode/vsce-sign-win32-x64': 2.0.5 dev: false - /@vscode/vsce@3.3.2: - resolution: {integrity: sha512-XQ4IhctYalSTMwLnMS8+nUaGbU7v99Qm2sOoGfIEf2QC7jpiLXZZMh7NwArEFsKX4gHTJLx0/GqAUlCdC3gKCw==} + /@vscode/vsce@3.2.1: + resolution: {integrity: sha512-AY9vBjwExakK1c0cI/3NN2Ey0EgiKLBye/fxl/ue+o4q6RZ7N+xzd1jAD6eI6eBeMVANi617+V2rxIAkDPco2Q==} engines: {node: '>= 20'} hasBin: true dependencies: @@ -15032,7 +15032,7 @@ packages: chalk: 2.4.2 cheerio: 1.0.0-rc.12 cockatiel: 3.2.1 - commander: 12.1.0 + commander: 6.2.1 form-data: 4.0.0 glob: 11.0.3 hosted-git-info: 4.1.0 @@ -15835,7 +15835,7 @@ packages: define-properties: 1.2.1 es-abstract: 1.23.9 es-array-method-boxes-properly: 1.0.0 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 is-string: 1.0.7 dev: true @@ -16665,6 +16665,7 @@ packages: /buffer@5.7.1: resolution: {integrity: sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==} + requiresBuild: true dependencies: base64-js: 1.5.1 ieee754: 1.2.1 @@ -16813,10 +16814,10 @@ packages: resolution: {integrity: sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==} engines: {node: '>= 0.4'} dependencies: - es-define-property: 1.0.0 + es-define-property: 1.0.1 es-errors: 1.3.0 function-bind: 1.1.2 - get-intrinsic: 1.2.4 + get-intrinsic: 1.3.0 set-function-length: 1.2.2 /call-bind@1.0.8: @@ -17325,11 +17326,6 @@ packages: engines: {node: '>=18'} dev: false - /commander@12.1.0: - resolution: {integrity: sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==} - engines: {node: '>=18'} - dev: false - /commander@2.20.3: resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==} 
@@ -17340,7 +17336,6 @@ packages: /commander@6.2.1: resolution: {integrity: sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==} engines: {node: '>= 6'} - dev: true /commander@7.2.0: resolution: {integrity: sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==} @@ -18681,19 +18676,19 @@ packages: data-view-buffer: 1.0.1 data-view-byte-length: 1.0.1 data-view-byte-offset: 1.0.0 - es-define-property: 1.0.0 + es-define-property: 1.0.1 es-errors: 1.3.0 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 es-set-tostringtag: 2.0.3 es-to-primitive: 1.2.1 function.prototype.name: 1.1.6 - get-intrinsic: 1.2.4 + get-intrinsic: 1.3.0 get-symbol-description: 1.0.2 globalthis: 1.0.3 - gopd: 1.0.1 + gopd: 1.2.0 has-property-descriptors: 1.0.2 has-proto: 1.0.3 - has-symbols: 1.0.3 + has-symbols: 1.1.0 hasown: 2.0.2 internal-slot: 1.0.7 is-array-buffer: 3.0.4 @@ -18705,7 +18700,7 @@ packages: is-string: 1.0.7 is-typed-array: 1.1.13 is-weakref: 1.0.2 - object-inspect: 1.13.1 + object-inspect: 1.13.4 object-keys: 1.1.1 object.assign: 4.1.5 regexp.prototype.flags: 1.5.2 @@ -18735,7 +18730,7 @@ packages: data-view-byte-offset: 1.0.1 es-define-property: 1.0.1 es-errors: 1.3.0 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 es-set-tostringtag: 2.1.0 es-to-primitive: 1.3.0 function.prototype.name: 1.1.8 @@ -18780,12 +18775,6 @@ packages: /es-array-method-boxes-properly@1.0.0: resolution: {integrity: sha512-wd6JXUmyHmt8T5a2xreUwKcGPq6f1f+WwIJkijUqiGcJz1qqnZgP6XIK+QyIWU5lT7imeNxUll48bziG+TSYcA==} - /es-define-property@1.0.0: - resolution: {integrity: sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==} - engines: {node: '>= 0.4'} - dependencies: - get-intrinsic: 1.3.0 - /es-define-property@1.0.1: resolution: {integrity: sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==} engines: {node: '>= 0.4'} 
@@ -18799,7 +18788,7 @@ packages: dependencies: call-bind: 1.0.7 get-intrinsic: 1.3.0 - has-symbols: 1.0.3 + has-symbols: 1.1.0 is-arguments: 1.1.1 is-map: 2.0.3 is-set: 2.0.3 @@ -20721,6 +20710,7 @@ packages: /fs-constants@1.0.0: resolution: {integrity: sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==} + requiresBuild: true /fs-extra@10.1.0: resolution: {integrity: sha512-oRXApq54ETRj4eMiFzGnHWGy+zo5raudjuxN0b8H7s/RU2oW0Wvsx9O0ACRN/kRq9E8Vu/ReskGB5o3ji+FzHQ==} @@ -20920,7 +20910,7 @@ packages: es-errors: 1.3.0 function-bind: 1.1.2 has-proto: 1.0.3 - has-symbols: 1.0.3 + has-symbols: 1.1.0 hasown: 2.0.2 /get-intrinsic@1.3.0: @@ -21204,11 +21194,6 @@ packages: slash: 2.0.0 dev: true - /gopd@1.0.1: - resolution: {integrity: sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==} - dependencies: - get-intrinsic: 1.3.0 - /gopd@1.2.0: resolution: {integrity: sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==} engines: {node: '>= 0.4'} @@ -21299,7 +21284,7 @@ packages: /has-property-descriptors@1.0.2: resolution: {integrity: sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg==} dependencies: - es-define-property: 1.0.0 + es-define-property: 1.0.1 /has-proto@1.0.3: resolution: {integrity: sha512-SJ1amZAJUiZS+PhsVLf5tGydlaVB8EdFpaSO4gmiUKUOxk8qzn5AIy4ZeJUmh22znIdk/uMAUT2pl3FxzVUH+Q==} @@ -21323,7 +21308,7 @@ packages: resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==} engines: {node: '>= 0.4'} dependencies: - has-symbols: 1.0.3 + has-symbols: 1.1.0 /has-unicode@2.0.1: resolution: {integrity: sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==} 
@@ -21928,7 +21913,7 @@ packages: dependencies: es-errors: 1.3.0 hasown: 2.0.2 - side-channel: 1.0.6 + side-channel: 1.1.0 /internal-slot@1.1.0: resolution: {integrity: sha512-4gd7VpWNQNB4UKKCFFVcp1AVv+FMOgs9NKzjHKusc8jTMhd5eL1NqQqOpE0KzMds804/yHlglp3uxgluOqAPLw==} @@ -22414,7 +22399,7 @@ packages: resolution: {integrity: sha512-C/CPBqKWnvdcxqIARxyOh4v1UUEOCHpgDa0WYgpKDFMszcrPcffg5uhwSgPCLD2WWxmq6isisz87tzT01tuGhg==} engines: {node: '>= 0.4'} dependencies: - has-symbols: 1.0.3 + has-symbols: 1.1.0 /is-symbol@1.1.1: resolution: {integrity: sha512-9gGx6GTtCQM73BgmHQXfDmLtfjjTUDSyoxTCbp5WtoixAhfgsDirWIcVQ/IHpvI5Vgd5i/J5F7B9cN/WlVbC/w==} @@ -22595,7 +22580,7 @@ packages: engines: {node: '>= 0.4'} dependencies: define-data-property: 1.1.4 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 get-intrinsic: 1.3.0 get-proto: 1.0.1 has-symbols: 1.1.0 @@ -24932,9 +24917,6 @@ packages: define-property: 0.2.5 kind-of: 3.2.2 - /object-inspect@1.13.1: - resolution: {integrity: sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ==} - /object-inspect@1.13.4: resolution: {integrity: sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==} engines: {node: '>= 0.4'} @@ -24965,7 +24947,7 @@ packages: call-bind: 1.0.8 call-bound: 1.0.4 define-properties: 1.2.1 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 has-symbols: 1.1.0 object-keys: 1.1.1 @@ -26332,7 +26314,7 @@ packages: resolution: {integrity: sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==} engines: {node: '>=0.6'} dependencies: - side-channel: 1.0.6 + side-channel: 1.1.0 /qs@6.14.0: resolution: {integrity: sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==} 
@@ -26882,7 +26864,7 @@ packages: define-properties: 1.2.1 es-abstract: 1.23.9 es-errors: 1.3.0 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 get-intrinsic: 1.3.0 get-proto: 1.0.1 which-builtin-type: 1.2.1 @@ -27301,7 +27283,7 @@ packages: dependencies: call-bind: 1.0.7 get-intrinsic: 1.3.0 - has-symbols: 1.0.3 + has-symbols: 1.1.0 isarray: 2.0.5 /safe-array-concat@1.1.3: @@ -27941,7 +27923,7 @@ packages: dependencies: dunder-proto: 1.0.1 es-errors: 1.3.0 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 /set-value@2.0.1: resolution: {integrity: sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==} @@ -28048,7 +28030,7 @@ packages: call-bind: 1.0.7 es-errors: 1.3.0 get-intrinsic: 1.2.4 - object-inspect: 1.13.1 + object-inspect: 1.13.4 /side-channel@1.1.0: resolution: {integrity: sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==} @@ -28536,7 +28518,7 @@ packages: call-bind: 1.0.7 define-properties: 1.2.1 es-abstract: 1.23.9 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 dev: true /string.prototype.repeat@1.0.0: @@ -28554,7 +28536,7 @@ packages: define-data-property: 1.1.4 define-properties: 1.2.1 es-abstract: 1.23.9 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 has-property-descriptors: 1.0.2 /string.prototype.trim@1.2.9: @@ -28564,7 +28546,7 @@ packages: call-bind: 1.0.7 define-properties: 1.2.1 es-abstract: 1.23.9 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 /string.prototype.trimend@1.0.8: resolution: {integrity: sha512-p73uL5VCHCO2BZZ6krwwQE3kCzM7NKmis8S//xEC6fQonchbum4eP6kR4DLEjQFO3Wnj3Fuo8NM0kOSjVdHjZQ==} @@ -28580,7 +28562,7 @@ packages: call-bind: 1.0.8 call-bound: 1.0.4 define-properties: 1.2.1 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 /string.prototype.trimstart@1.0.7: resolution: {integrity: sha512-NGhtDFu3jCEm7B4Fy0DpLewdJQOZcQ0rGbwQ/+stjnrp2i+rlKeCvos9hOIeCmqwratM47OBxY7uFZzjxHXmrg==} 
@@ -28595,7 +28577,7 @@ packages: dependencies: call-bind: 1.0.8 define-properties: 1.2.1 - es-object-atoms: 1.0.0 + es-object-atoms: 1.1.1 /string_decoder@1.1.1: resolution: {integrity: sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==} @@ -28764,7 +28746,7 @@ packages: call-bind: 1.0.7 es-errors: 1.3.0 get-symbol-description: 1.0.2 - has-symbols: 1.0.3 + has-symbols: 1.1.0 object.getownpropertydescriptors: 2.1.7 dev: true @@ -29608,7 +29590,7 @@ packages: dependencies: call-bind: 1.0.7 has-bigints: 1.0.2 - has-symbols: 1.0.3 + has-symbols: 1.1.0 which-boxed-primitive: 1.0.2 /unbox-primitive@1.1.0: @@ -29896,7 +29878,7 @@ packages: resolution: {integrity: sha512-6hxOLGfZASQK/cijlZnZJTq8OXAkt/3YGfQX45vvMYXpZoo8NdWZcY73K108Jf759lS1Bv/8wXnHDTSz17dSRw==} dependencies: punycode: 1.4.1 - qs: 6.13.0 + qs: 6.14.0 /use-composed-ref@1.3.0(react@17.0.2): resolution: {integrity: sha512-GLMG0Jc/jiKov/3Ulid1wbv3r54K9HlMW29IWcDFPEqFkSO2nS0MuefWgMJpeHQ9YJeXDL3ZUF+P3jdXlZX/cQ==} diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index 2a2b4c85472..f46f92b78d4 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "eee46b88b1983b92927ea82ac34e23f1f19dd7b1", + "pnpmShrinkwrapHash": "58011e1085f2aad3dc842a758d45841ef7b79c4e", "preferredVersionsHash": "61cd419c533464b580f653eb5f5a7e27fe7055ca" } diff --git a/heft-plugins/heft-vscode-extension-plugin/heft-plugin.json b/heft-plugins/heft-vscode-extension-plugin/heft-plugin.json index ca301083ed4..24bef905318 100644 --- a/heft-plugins/heft-vscode-extension-plugin/heft-plugin.json +++ b/heft-plugins/heft-vscode-extension-plugin/heft-plugin.json 
@@ -6,6 +6,34 @@ "entryPoint": "./lib/VSCodeExtensionPackagePlugin.js", "parameterScope": "package" }, + { + "pluginName": "vscode-extension-verify-signature-plugin", + "entryPoint": "./lib/VSCodeExtensionVerifySignaturePlugin.js", + "parameterScope": "verify-signature", + "parameters": [ + { + "longName": "--vsix-path", + "parameterKind": "string", + "argumentName": "RELATIVE_PATH", + "description": "Use this parameter to control which VSIX file will be used for verifying signature.", + "required": true + }, + { + "longName": "--manifest-path", + "parameterKind": "string", + "argumentName": "RELATIVE_PATH", + "description": "Use this parameter to control which manifest file will be used for verifying signature.", + "required": true + }, + { + "longName": "--signature-path", + "parameterKind": "string", + "argumentName": "RELATIVE_PATH", + "description": "Use this parameter to control which signature file will be used for verifying signature.", + "required": true + } + ] + }, { "pluginName": "vscode-extension-publish-plugin", "entryPoint": "./lib/VSCodeExtensionPublishPlugin.js", @@ -23,14 +51,20 @@ "parameterKind": "string", "argumentName": "RELATIVE_PATH", "description": "Use this parameter to control which manifest file will be used for publishing.", - "required": true + "required": false }, { "longName": "--signature-path", "parameterKind": "string", "argumentName": "RELATIVE_PATH", "description": "Use this parameter to control which signature file will be used for publishing.", - "required": true + "required": false + }, + { + "longName": "--publish-unsigned", + "parameterKind": "flag", + "description": "Use this parameter to control whether to publish unsigned.", + "required": false } ] } diff --git a/heft-plugins/heft-vscode-extension-plugin/package.json b/heft-plugins/heft-vscode-extension-plugin/package.json index f706f79cf06..cc3f272ec4f 100644 --- a/heft-plugins/heft-vscode-extension-plugin/package.json 
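Review bot: In the second hunk, the `--publish-unsigned` description ("Use this parameter to control whether to publish unsigned.") does not say that the flag makes the publish step skip the manifest and signature inputs, and the same hunk relaxes `--manifest-path` and `--signature-path` to `"required": false`. Since this flag is the only switch between a signed and an unsigned release, I would spell that out, for example `"description": "Publish the VSIX without a signature manifest or signature file. Do not combine with --manifest-path or --signature-path."`. The two path descriptions could likewise state that they are required unless `--publish-unsigned` is passed.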
+++ b/heft-plugins/heft-vscode-extension-plugin/package.json @@ -28,7 +28,7 @@ }, "dependencies": { "@rushstack/node-core-library": "workspace:*", - "@vscode/vsce": "3.3.2", + "@vscode/vsce": "3.2.1", "@rushstack/terminal": "workspace:*" }, "sideEffects": false diff --git a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts index f2393e58745..13ab408ee25 100644 --- a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts +++ b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts @@ -6,7 +6,8 @@ import type { IHeftTaskPlugin, IHeftTaskSession, IHeftTaskRunHookOptions, - CommandLineStringParameter + CommandLineStringParameter, + CommandLineFlagParameter } from '@rushstack/heft'; import type { IWaitForExitResult } from '@rushstack/node-core-library'; import * as path from 'node:path'; @@ -19,6 +20,7 @@ const PLUGIN_NAME: 'vscode-extension-publish-plugin' = 'vscode-extension-publish const VSIX_PATH_PARAMETER_NAME: string = '--vsix-path'; const MANIFEST_PATH_PARAMETER_NAME: string = '--manifest-path'; const SIGNATURE_PATH_PARAMETER_NAME: string = '--signature-path'; +const PUBLISH_UNSIGNED_PARAMETER_NAME: string = '--publish-unsigned'; export default class VSCodeExtensionPublishPlugin implements IHeftTaskPlugin 
@@ -36,55 +38,85 @@ export default class VSCodeExtensionPublishPlugin const signaturePathParameter: CommandLineStringParameter = heftTaskSession.parameters.getStringParameter( SIGNATURE_PATH_PARAMETER_NAME ); + const publishUnsignedParameter: CommandLineFlagParameter = heftTaskSession.parameters.getFlagParameter( + PUBLISH_UNSIGNED_PARAMETER_NAME + ); if (!vsixPathParameter.value) { throw new Error( `The parameter "${VSIX_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionPublishPlugin.` ); } - if (!manifestPathParameter.value) { - throw new Error( - `The parameter "${MANIFEST_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionPublishPlugin.` - ); - } - if (!signaturePathParameter.value) { - throw new Error( - `The parameter "${SIGNATURE_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionPublishPlugin.` - ); - } + const { + logger: { terminal } + } = heftTaskSession; const vsixPath: string = vsixPathParameter.value; - const manifestPath: string = manifestPathParameter.value; - const signaturePath: string = signaturePathParameter.value; + const manifestPath: string | undefined = manifestPathParameter.value; + const signaturePath: string | undefined = signaturePathParameter.value; + const publishUnsigned: boolean = publishUnsignedParameter.value ?? 
false; + + if (publishUnsigned) { + terminal.writeLine(`Publishing unsigned VSIX ${vsixPath}`); + } else { + if (!manifestPath || !signaturePath) { + throw new Error( + `The parameters "${MANIFEST_PATH_PARAMETER_NAME}" and "${SIGNATURE_PATH_PARAMETER_NAME}" are required for the VSCodeExtensionPublishPlugin.` + ); + } + } heftTaskSession.hooks.run.tapPromise(PLUGIN_NAME, async (runOptions: IHeftTaskRunHookOptions) => { const { buildFolderPath } = heftConfiguration; - const { - logger: { terminal } - } = heftTaskSession; terminal.writeLine(`Using VSCE script: ${vsceScriptPath}`); terminal.writeLine(`Publishing VSIX ${vsixPath}`); - const publishResult: IWaitForExitResult = await executeAndWaitAsync( - terminal, - 'node', - [ - vsceScriptPath, - 'publish', - '--no-dependencies', - '--azure-credential', - '--packagePath', - path.resolve(vsixPath), - '--manifestPath', - path.resolve(manifestPath), - '--signaturePath', - path.resolve(signaturePath) - ], - { - currentWorkingDirectory: path.resolve(buildFolderPath) + let publishResult: IWaitForExitResult; + + if (publishUnsigned) { + publishResult = await executeAndWaitAsync( + terminal, + 'node', + [ + vsceScriptPath, + 'publish', + '--no-dependencies', + '--azure-credential', + '--packagePath', + path.resolve(vsixPath) + ], + { + currentWorkingDirectory: path.resolve(buildFolderPath) + } + ); + } else { + if (!manifestPath) { + throw new Error(`Missing manifest path for the VSCodeExtensionPublishPlugin.`); } - ); + if (!signaturePath) { + throw new Error(`Missing signature path for the VSCodeExtensionPublishPlugin.`); + } + publishResult = await executeAndWaitAsync( + terminal, + 'node', + [ + vsceScriptPath, + 'publish', + '--no-dependencies', + '--azure-credential', + '--packagePath', + path.resolve(vsixPath), + '--manifestPath', + path.resolve(manifestPath), + '--signaturePath', + path.resolve(signaturePath) + ], + { + currentWorkingDirectory: path.resolve(buildFolderPath) + } + ); + } if (publishResult.exitCode !== 
0) { throw new Error(`VSIX publishing failed with exit code ${publishResult.exitCode}`); } diff --git a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts new file mode 100644 index 00000000000..560ed0ecaf7 --- /dev/null +++ b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts 
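Review bot: When `--publish-unsigned` is passed together with `--manifest-path` or `--signature-path`, the `if (publishUnsigned)` branch wins and the signature inputs are silently ignored, so one extra flag turns a signed release into an unsigned one with only an ordinary `writeLine` in the log. I would reject that combination up front and mention `--publish-unsigned` in the "are required" message, so the error tells the caller what the alternative is. The two `executeAndWaitAsync` calls differ only in the four signature arguments; building the argument array once removes the duplicated call and the second pair of `Missing … path` checks. `apply()` begins above this hunk and continues below it, so the sketch shows only the rewritten lines.

```typescript
if (publishUnsigned) {
  if (manifestPath || signaturePath) {
    throw new Error(
      `"${PUBLISH_UNSIGNED_PARAMETER_NAME}" cannot be combined with "${MANIFEST_PATH_PARAMETER_NAME}" or "${SIGNATURE_PATH_PARAMETER_NAME}".`
    );
  }
  terminal.writeLine(`Publishing unsigned VSIX ${vsixPath}`);
} else if (!manifestPath || !signaturePath) {
  throw new Error(
    `The parameters "${MANIFEST_PATH_PARAMETER_NAME}" and "${SIGNATURE_PATH_PARAMETER_NAME}" are required unless "${PUBLISH_UNSIGNED_PARAMETER_NAME}" is passed.`
  );
}

// … unchanged: run hook registration, buildFolderPath, the two writeLine calls …

const publishArgs: string[] = [
  vsceScriptPath,
  'publish',
  '--no-dependencies',
  '--azure-credential',
  '--packagePath',
  path.resolve(vsixPath)
];
// Signature arguments are added only when both inputs were supplied (the signed path).
if (manifestPath && signaturePath) {
  publishArgs.push(
    '--manifestPath',
    path.resolve(manifestPath),
    '--signaturePath',
    path.resolve(signaturePath)
  );
}
const publishResult: IWaitForExitResult = await executeAndWaitAsync(terminal, 'node', publishArgs, {
  currentWorkingDirectory: path.resolve(buildFolderPath)
});

// … unchanged: exit-code check …
```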
@@ -0,0 +1,94 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license. +// See LICENSE in the project root for license information. + +import type { + HeftConfiguration, + IHeftTaskPlugin, + IHeftTaskSession, + IHeftTaskRunHookOptions, + CommandLineStringParameter +} from '@rushstack/heft'; +import type { IWaitForExitResult } from '@rushstack/node-core-library'; +import * as path from 'node:path'; +import { executeAndWaitAsync, vsceScriptPath } from './util'; + +interface IVSCodeExtensionVerifySignaturePluginOptions {} + +const PLUGIN_NAME: 'vscode-extension-verify-signature-plugin' = 'vscode-extension-verify-signature-plugin'; + +const VSIX_PATH_PARAMETER_NAME: string = '--vsix-path'; +const MANIFEST_PATH_PARAMETER_NAME: string = '--manifest-path'; +const SIGNATURE_PATH_PARAMETER_NAME: string = '--signature-path'; + +export default class VSCodeExtensionVerifySignaturePlugin + implements IHeftTaskPlugin +{ + public apply( + heftTaskSession: IHeftTaskSession, + heftConfiguration: HeftConfiguration, + pluginOptions: IVSCodeExtensionVerifySignaturePluginOptions + ): void { + const vsixPathParameter: CommandLineStringParameter = + heftTaskSession.parameters.getStringParameter(VSIX_PATH_PARAMETER_NAME); + const manifestPathParameter: CommandLineStringParameter = heftTaskSession.parameters.getStringParameter( + MANIFEST_PATH_PARAMETER_NAME + ); + const signaturePathParameter: CommandLineStringParameter = heftTaskSession.parameters.getStringParameter( + SIGNATURE_PATH_PARAMETER_NAME + ); + + if (!vsixPathParameter.value) { + throw new Error( + `The parameter "${VSIX_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionVerifySignaturePlugin.` + ); + } + if (!manifestPathParameter.value) { + throw new Error( + `The parameter "${MANIFEST_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionVerifySignaturePlugin.` + ); + } + if (!signaturePathParameter.value) { + throw new Error( + `The parameter 
"${SIGNATURE_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionVerifySignaturePlugin.` + ); + } + + const vsixPath: string = vsixPathParameter.value; + const manifestPath: string = manifestPathParameter.value; + const signaturePath: string = signaturePathParameter.value; + + heftTaskSession.hooks.run.tapPromise(PLUGIN_NAME, async (runOptions: IHeftTaskRunHookOptions) => { + const { buildFolderPath } = heftConfiguration; + const { + logger: { terminal } + } = heftTaskSession; + + terminal.writeLine(`Using VSCE script: ${vsceScriptPath}`); + terminal.writeLine(`Verifying signature ${vsixPath}`); + + const verifySignatureResult: IWaitForExitResult = await executeAndWaitAsync( + terminal, + 'node', + [ + vsceScriptPath, + 'verify-signature', + '--packagePath', + path.resolve(vsixPath), + '--manifestPath', + path.resolve(manifestPath), + '--signaturePath', + path.resolve(signaturePath) + ], + { + currentWorkingDirectory: path.resolve(buildFolderPath) + } + ); + if (verifySignatureResult.exitCode !== 0) { + throw new Error( + `VSIX signature verification failed with exit code ${verifySignatureResult.exitCode}` + ); + } + terminal.writeLine('Successfully verified VSIX signature.'); + }); + } +} diff --git a/rigs/heft-vscode-extension-rig/profiles/default/config/heft.json b/rigs/heft-vscode-extension-rig/profiles/default/config/heft.json index 23c63c45c5c..05545217e12 100644 --- a/rigs/heft-vscode-extension-rig/profiles/default/config/heft.json +++ b/rigs/heft-vscode-extension-rig/profiles/default/config/heft.json 
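Review bot: The three inputs are resolved with `path.resolve(vsixPath)`, `path.resolve(manifestPath)` and `path.resolve(signaturePath)`, that is, against the process working directory, while the child process is started with `currentWorkingDirectory: path.resolve(buildFolderPath)` and the parameters are documented as `RELATIVE_PATH`. If those two directories ever differ, this gate checks different files than the command line suggests; `path.resolve(buildFolderPath, vsixPath)` (and the same for the other two) ties the check to the project's build folder. Only the VSIX path is written to the log, so I would also print the manifest and signature paths in the `Verifying signature` line to make the pipeline log a record of what was verified. The class has no TSDoc; a short comment saying that it shells out to `vsce verify-signature` and fails the task on a non-zero exit code would document what the gate relies on. The publish plugin in this patch uses the same `path.resolve` pattern.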
@@ -38,8 +38,23 @@ "pluginName": "vscode-extension-package-plugin", "options": { "unpackedFolderPath": "dist/vsix/unpacked", - "vsixPath": "dist/vsix/packaged.vsix", - "manifestPath": "dist/vsix/extension-manifest.json" + "vsixPath": "dist/vsix/extension.vsix", + "manifestPath": "dist/vsix/extension.signature.manifest" + } + } + } + } + }, + "verify-signature": { + "phaseDescription": "Verify the signature of the VSIX package", + "tasksByName": { + "verify-signature": { + "taskPlugin": { + "pluginPackage": "@rushstack/heft-vscode-extension-plugin", + "pluginName": "vscode-extension-verify-signature-plugin", + "options": { + "vsixPath": "dist/vsix/extension.vsix", + "manifestPath": "dist/vsix/extension.signature.manifest" } } } @@ -53,8 +68,8 @@ "pluginPackage": "@rushstack/heft-vscode-extension-plugin", "pluginName": "vscode-extension-publish-plugin", "options": { - "vsixPath": "dist/vsix/packaged.vsix", - "manifestPath": "dist/vsix/extension-manifest.json" + "vsixPath": "dist/vsix/extension.vsix", + "manifestPath": "dist/vsix/extension.signature.manifest" } } } diff --git a/vscode-extensions/debug-certificate-manager-vscode-extension/package.json b/vscode-extensions/debug-certificate-manager-vscode-extension/package.json index 47f89a08701..41f8903908d 100644 --- a/vscode-extensions/debug-certificate-manager-vscode-extension/package.json +++ b/vscode-extensions/debug-certificate-manager-vscode-extension/package.json 
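Review bot: The `options` block given to `vscode-extension-verify-signature-plugin` (`vsixPath`, `manifestPath`) does not appear to be read by anything: the plugin added in this patch declares an empty `IVSCodeExtensionVerifySignaturePluginOptions` and takes all three paths from `--vsix-path`, `--manifest-path` and `--signature-path`. As written, the block suggests that the phase verifies `dist/vsix/extension.vsix` by default, yet it has no signature path, and a run without the CLI arguments fails on the missing required parameters instead of verifying anything. I would either drop the block or have the plugin fall back to these values (adding a `signaturePath`), and say in `phaseDescription` that the three CLI parameters are mandatory. As far as the hunks show, the `options` under `vscode-extension-publish-plugin` in the second hunk are in the same position.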
@@ -1,13 +1,13 @@ { "name": "debug-certificate-manager", - "version": "0.0.0", + "version": "0.0.1", "repository": { "type": "git", "url": "https://github.com/microsoft/rushstack.git", "directory": "vscode-extensions/debug-certificate-manager-vscode-extension" }, "license": "MIT", - "publisher": "RushStack", + "publisher": "ms-RushStack", "preview": true, "displayName": "Debug Certificate Manager", "description": "VS Code extension to manage debug TLS certificates and sync them to the VS Code workspace. Works with VS Code remote development (Codespaces, SSH, Dev Containers, WSL, VS Code Tunnels).", diff --git a/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts b/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts index 87f293854a4..359c4b1673e 100644 --- a/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts +++ b/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts @@ -142,14 +142,6 @@ export function activate(context: vscode.ExtensionContext): void { } async function handleSync(): Promise { - if (!vscode.env.remoteName) { - const message: string = - 'This command is only available in remote workspaces. Please open this workspace in a remote environment.'; - terminal.writeLine(message); - void vscode.window.showErrorMessage(message); - return; - } - try { terminal.writeLine('Starting certificate synchronization...'); 
@@ -172,12 +164,12 @@ export function activate(context: vscode.ExtensionContext): void { if (!workspaceUri) { terminal.writeLine('No workspace folder found. Synchronization aborted.'); void vscode.window.showErrorMessage( - 'No workspace folder found. Please open a folder in the remote workspace.' + 'No workspace folder found. Open the project folder to sync TLS certificates.' ); return; } - let remoteCertificateStoreOptions: Required | undefined = undefined; + let workspaceCertificateStoreOptions: Required | undefined = undefined; try { const configFileUri: vscode.Uri = vscode.Uri.joinPath( @@ -189,7 +181,7 @@ export function activate(context: vscode.ExtensionContext): void { const parsedConfig: ICertificateStoreOptions & Required> = JSON.parse(configFile.toString()); - remoteCertificateStoreOptions = { + workspaceCertificateStoreOptions = { storePath: parsedConfig.storePath, caCertificateFilename: parsedConfig.caCertificateFilename || 'rushstack-ca.pem', certificateFilename: parsedConfig.certificateFilename || 'rushstack-serve.pem', 
@@ -208,20 +200,31 @@ export function activate(context: vscode.ExtensionContext): void { } const { storePath, caCertificateFilename, certificateFilename, keyFilename } = - remoteCertificateStoreOptions; + workspaceCertificateStoreOptions; - let resolvedRemoteStorePath: string; + let resolvedWorkspaceStorePath: string; if (storePath.startsWith('/')) { - resolvedRemoteStorePath = storePath; + resolvedWorkspaceStorePath = storePath; } else { - resolvedRemoteStorePath = vscode.Uri.joinPath(workspaceUri, storePath).fsPath; + resolvedWorkspaceStorePath = vscode.Uri.joinPath(workspaceUri, storePath).fsPath; + } + + let storePathUri: vscode.Uri | undefined; + if (vscode.env.remoteName) { + storePathUri = vscode.Uri.from({ + scheme: 'vscode-remote', + authority: workspaceUri.authority, + path: resolvedWorkspaceStorePath + }); + } else { + storePathUri = vscode.Uri.file(resolvedWorkspaceStorePath); + } + if (!storePathUri) { + terminal.writeLine('Failed to resolve store path URI.'); + void vscode.window.showErrorMessage('Failed to resolve store path URI.'); + return; } - const storePathUri: vscode.Uri = vscode.Uri.from({ - scheme: 'vscode-remote', - authority: workspaceUri.authority, - path: resolvedRemoteStorePath - }); const caCertificateUri: vscode.Uri = vscode.Uri.joinPath(storePathUri, caCertificateFilename); const certificateUri: vscode.Uri = vscode.Uri.joinPath(storePathUri, certificateFilename); const keyUri: vscode.Uri = vscode.Uri.joinPath(storePathUri, keyFilename); @@ -247,7 +250,7 @@ export function activate(context: vscode.ExtensionContext): void { } const { autoSync } = getConfig(terminal); - if (autoSync && !vscode.env.remoteName) { + if (autoSync) { terminal.writeLine(`Auto-sync is enabled. Synchronizing certificates on activation...`); } From 4f249cf244cd2f15230c50cc06b5697da3a84eb3 Mon Sep 17 00:00:00 2001 
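Review bot: The target URIs built in the `@@ -208,20 +200,31 @@` hunk take `storePath` and the three filenames straight from the workspace's config file (parsed with `JSON.parse` in the earlier hunk), and nothing here checks whether the workspace is one the user trusts. Before this commit the sync bailed out unless the workspace was remote; now `vscode.Uri.file(resolvedWorkspaceStorePath)` resolves the same repository-supplied values on the local machine, and the `@@ -247,7 +250,7 @@` hunk removes the `vscode.env.remoteName` condition from the auto-sync branch. Since `keyUri` presumably receives private-key material (the write itself is outside the hunk), I would skip the sync in untrusted workspaces, e.g. `if (!vscode.workspace.isTrusted) { return; }` at the top of `handleSync`, with a message to the terminal. Separately, `if (!storePathUri)` cannot fire because both branches assign a `Uri`, so the `| undefined` type and the guard can be dropped.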
From: Bharat Middha <5100938+bmiddha@users.noreply.github.com> Date: Mon, 18 Aug 2025 16:31:43 -0700 Subject: [PATCH 2/5] fix windows path issue --- .../debug-certificate-manager-vscode-extension/src/extension.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts b/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts index 359c4b1673e..e92ec302edc 100644 --- a/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts +++ b/vscode-extensions/debug-certificate-manager-vscode-extension/src/extension.ts @@ -206,7 +206,7 @@ export function activate(context: vscode.ExtensionContext): void { if (storePath.startsWith('/')) { resolvedWorkspaceStorePath = storePath; } else { - resolvedWorkspaceStorePath = vscode.Uri.joinPath(workspaceUri, storePath).fsPath; + resolvedWorkspaceStorePath = vscode.Uri.joinPath(workspaceUri, storePath).path; } let storePathUri: vscode.Uri | undefined; From 2fef94235abb88c9eaa796ff0fd5056a3b1b2930 Mon Sep 17 00:00:00 2001 From: Bharat Middha <5100938+bmiddha@users.noreply.github.com> Date: Mon, 18 Aug 2025 16:33:00 -0700 Subject: [PATCH 3/5] add config docs --- .../README.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/vscode-extensions/debug-certificate-manager-vscode-extension/README.md b/vscode-extensions/debug-certificate-manager-vscode-extension/README.md index d1006981386..947d980ec39 100644 --- a/vscode-extensions/debug-certificate-manager-vscode-extension/README.md +++ b/vscode-extensions/debug-certificate-manager-vscode-extension/README.md 
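Review bot: The absolute-path test just above the changed line, `storePath.startsWith('/')`, is still POSIX-only, so in a local Windows workspace a drive-letter `storePath` would fall into the join branch and be appended to the workspace path. If absolute Windows paths are meant to be supported they need their own branch; if not, the workspace-configuration docs should say that `storePath` is workspace-relative or a POSIX absolute path. The `.fsPath` to `.path` change itself deserves a comment, for example `// Use the URI path (forward slashes), not fsPath: this value is fed back into a vscode.Uri below`. The enclosing `handleSync` starts and ends outside the hunk.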
@@ -7,3 +7,31 @@ VS Code extension to manage debug TLS certificates and sync them to the VS Code The Debug Certificate Manager extension uses `@rushstack/debug-certificate-manager` to manage TLS certificates. It can also be used to sync certificates when connected to a VS Code remote workspace (WSL, Codespaces, Devcontainers, VS Code Tunnels). The extension reads `.vscode/debug-certificate-manager.json` for the certificate store path. When present, the extension will auto-activate and attempt to sync the certificates to the remote workspace. + +## Configuration + +### VS Code Settings + +```json +{ + "debugCertificateManager.autoSync": true, + "debugCertificateManager.keyFilename": "private-key.pem", + "debugCertificateManager.certificateFilename": "certificate.pem", + "debugCertificateManager.caCertificateFilename": "ca-certificate.pem", + "debugCertificateManager.storePath.windows": "C:\\path\\to\\store", + "debugCertificateManager.storePath.linux": "/path/to/store", + "debugCertificateManager.storePath.osx": "/path/to/store" +} +``` + +### Workspace configuration + + +```json +{ + "storePath": "workspace/relative/path", + "keyFilename": "private-key.pem", + "certificateFilename": "certificate.pem", + "caCertificateFilename": "ca-certificate.pem" +} +``` From 52a4b1de584e822b9502845048e2d7305fb33b87 Mon Sep 17 00:00:00 2001 From: Bharat Middha <5100938+bmiddha@users.noreply.github.com> Date: Mon, 18 Aug 2025 17:01:57 -0700 Subject: [PATCH 4/5] pr feedback --- .../src/VSCodeExtensionPublishPlugin.ts | 13 ++++------- .../VSCodeExtensionVerifySignaturePlugin.ts | 23 ++++--------------- 2 files changed, 9 insertions(+), 27 deletions(-) diff --git a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts index 13ab408ee25..9440e1f53fd 100644 --- a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts 
+++ b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionPublishPlugin.ts @@ -42,20 +42,17 @@ export default class VSCodeExtensionPublishPlugin PUBLISH_UNSIGNED_PARAMETER_NAME ); - if (!vsixPathParameter.value) { - throw new Error( - `The parameter "${VSIX_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionPublishPlugin.` - ); - } const { logger: { terminal } } = heftTaskSession; - const vsixPath: string = vsixPathParameter.value; + // required parameters defined in heft-plugin.json + const vsixPath: string = vsixPathParameter.value!; + + // manifestPath and signaturePath are required if publishUnsigned is unset const manifestPath: string | undefined = manifestPathParameter.value; const signaturePath: string | undefined = signaturePathParameter.value; - const publishUnsigned: boolean = publishUnsignedParameter.value ?? false; - + const publishUnsigned: boolean = publishUnsignedParameter.value; if (publishUnsigned) { terminal.writeLine(`Publishing unsigned VSIX ${vsixPath}`); } else { diff --git a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts index 560ed0ecaf7..fda739f015b 100644 --- a/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts +++ b/heft-plugins/heft-vscode-extension-plugin/src/VSCodeExtensionVerifySignaturePlugin.ts 
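Review bot: `vsixPathParameter.value!` replaces a runtime check with a compile-time promise that rests on the parameter being marked required in heft-plugin.json, which this hunk does not show; the same pattern is applied to all three parameters in the `VSCodeExtensionVerifySignaturePlugin.ts` hunk that follows. `!` is erased at runtime, so if that declaration ever changes, `undefined` reaches the publish and verify steps instead of a clear error. The new comment also says `manifestPath` and `signaturePath` are required when `publishUnsigned` is unset, but nothing in the visible lines enforces it (the `else` branch continues outside the hunk). A guard such as `if (!publishUnsigned && (!manifestPath || !signaturePath)) { throw new Error('manifest and signature paths are required for a signed publish'); }` would make the signed path fail closed.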
@@ -37,25 +37,10 @@ export default class VSCodeExtensionVerifySignaturePlugin SIGNATURE_PATH_PARAMETER_NAME ); - if (!vsixPathParameter.value) { - throw new Error( - `The parameter "${VSIX_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionVerifySignaturePlugin.` - ); - } - if (!manifestPathParameter.value) { - throw new Error( - `The parameter "${MANIFEST_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionVerifySignaturePlugin.` - ); - } - if (!signaturePathParameter.value) { - throw new Error( - `The parameter "${SIGNATURE_PATH_PARAMETER_NAME}" is required for the VSCodeExtensionVerifySignaturePlugin.` - ); - } - - const vsixPath: string = vsixPathParameter.value; - const manifestPath: string = manifestPathParameter.value; - const signaturePath: string = signaturePathParameter.value; + // required parameters defined in heft-plugin.json + const vsixPath: string = vsixPathParameter.value!; + const manifestPath: string = manifestPathParameter.value!; + const signaturePath: string = signaturePathParameter.value!; heftTaskSession.hooks.run.tapPromise(PLUGIN_NAME, async (runOptions: IHeftTaskRunHookOptions) => { const { buildFolderPath } = heftConfiguration; From 9eb98c103c5d4efd74eeed4434a822a930e4d8dc Mon Sep 17 00:00:00 2001 From: Bharat Middha <5100938+bmiddha@users.noreply.github.com> Date: Tue, 19 Aug 2025 11:07:32 -0700 Subject: [PATCH 5/5] add publish unsigned pipeline parameter --- .../config/azure-pipelines/vscode-extension-publish.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/common/config/azure-pipelines/vscode-extension-publish.yaml b/common/config/azure-pipelines/vscode-extension-publish.yaml index a58a2f2811c..e74a11d5427 100644 --- a/common/config/azure-pipelines/vscode-extension-publish.yaml +++ b/common/config/azure-pipelines/vscode-extension-publish.yaml 
@@ -6,6 +6,9 @@ parameters: - name: shouldPublish type: boolean default: true + - name: publishUnsigned + type: boolean + default: true - name: ExtensionPublishConfig type: object default: @@ -107,5 +110,8 @@ extends: azureSubscription: rushstack-vscode-publish scriptType: 'bash' scriptLocation: 'inlineScript' - inlineScript: node node_modules/@rushstack/heft/lib/start.js publish-vsix --vsix-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.vsixPath }} --manifest-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.manifestPath }} --signature-path ${{ extension.projectRelativeAssetsDir }}/extension.signature.p7s workingDirectory: ${{ extension.projectPath }} + ${{ if parameters.publishUnsigned }}: + inlineScript: node node_modules/@rushstack/heft/lib/start.js publish-vsix --vsix-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.vsixPath }} --publish-unsigned + ${{ else }}: + inlineScript: node node_modules/@rushstack/heft/lib/start.js publish-vsix --vsix-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.vsixPath }} --manifest-path ${{ extension.projectRelativeAssetsDir }}/${{ extension.manifestPath }} --signature-path ${{ extension.projectRelativeAssetsDir }}/extension.signature.p7s
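Review bot: `publishUnsigned` is added with `default: true`, so every run of this pipeline takes the `--publish-unsigned` branch in the `@@ -107,5 +110,8 @@` hunk unless someone overrides the parameter, and the manifest and signature arguments are not passed by default. For a publishing pipeline the safer default is the signed path, `default: false`, with unsigned publishing as an explicit per-run opt-in. If the current default is temporary while signing is being set up, a comment on the parameter saying so, for example `# TODO: flip to false once signing is enabled`, would keep it from becoming permanent.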