VSIX: intermediate certificates not included in signature #911

@dtivel

Describe the bug
When signing a VSIX, intermediate certificates --- from both the primary and timestamp certificate chains --- are not included in the signature. This can fail verification in offline environments if machines do not already have those intermediate certificates available at verification time.

Only the end certificate is included in the signature.

Repro steps
Sign a VSIX and inspect the XML digital signature.

Expected behavior
Every non-root certificate in both the primary and timestamp certificate chains will be included in the signature.

Actual behavior
Only end certificates are included.

Additional context
VsixSignTool.exe neither includes these certificates nor uses them (if present) in certificate chain validation.
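
A check for the condition this issue describes, as an added example that is not part of the original issue or the project's code: it lists the certificates embedded in each XML signature part of a VSIX and flags parts that carry at most one. The function names, the sample package and its part name are constructed for illustration; only `X509Certificate` elements in the XML signature are counted, so certificates inside a timestamp token are not examined.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # W3C XML-DSig namespace


def embedded_certs(vsix_bytes):
    """Map each XML-DSig part in the package to SHA-256 fingerprints of its embedded certs."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as pkg:
        for name in pkg.namelist():
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # part is not XML
            if root.tag != DSIG + "Signature":
                continue  # XML, but not a signature part
            found[name] = [
                hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
                for c in root.iter(DSIG + "X509Certificate")
            ]
    return found


def end_cert_only(vsix_bytes):
    """Signature parts that embed at most one certificate (no intermediates)."""
    return sorted(n for n, fps in embedded_certs(vsix_bytes).items() if len(fps) <= 1)


def build_sample(cert_blobs):
    """Constructed package; placeholder bytes stand in for DER certificates."""
    x509 = "".join("<X509Certificate>%s</X509Certificate>"
                   % base64.b64encode(b).decode() for b in cert_blobs)
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo>'
           "<X509Data>%s</X509Data></KeyInfo></Signature>" % x509)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension.vsixmanifest", "<PackageManifest/>")
        z.writestr("payload.bin", b"\x00\x01not xml")
        z.writestr("package/services/digital-signature/xml-signature/sample.psdsxs", sig)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blobs in (("end cert only", [b"constructed-end-cert"]),
                         ("with intermediate", [b"constructed-end-cert", b"constructed-intermediate"])):
        print(label, "->", end_cert_only(build_sample(blobs)))
```

To check a real package, pass the file's bytes to `end_cert_only`; a non-empty result means that signature part relies on the verifying machine already having the intermediates.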

    Labels

    Priority:2 (Work that is important, but not critical for the release)
    area-vsix (Related to VSIX signing)