Currently, Positron does not validate signatures of extension packages downloaded from OpenVSX. We should add signature validation as a security measure.
Note that other VS Code forks generally do not perform this validation. VSCodium, for instance, has a patch similar to Positron's that disables validation. https://github.com/VSCodium/vscodium/blob/3a9708856a49ec893f044673c547d2f0e54be3d4/patches/disable-signature-verification.patch#L11
OpenVSX uses a different mechanism than Microsoft does and the signatures are not compatible. This means that some changes are necessary to the signature validation code, which has a hardcoded dependency on `@vscode/vsce-sign` (a proprietary Microsoft binary that verifies signatures generated by the official VS Code extension marketplace). There's a long thread on signatures in OpenVSX here: eclipse/openvsx#543
They implemented signature verification last year: eclipse/openvsx#673
In order to validate extensions installed from OpenVSX, we can use `node-ovsx-sign`: https://www.npmjs.com/package/node-ovsx-sign/v/0.6.1
This appears to be used already by Coder and Gitpod.