Use vsixsigntool.exe with SafeNet HSM | sign VSIX using HSM


Earlier I successfully used vsixsigntool.exe to sign extensions for Visual Studio in the VSIX format. The command line call looked like this:

vsixsigntool.exe sign /f %PFX% /p %PWD% /sha1 %HASH% /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td sha256 <path_to_vsix>

where %PFX% is the path to the PFX file with my code signing certificate (CSS), %PWD% is its password, and %HASH% is the SHA1 hash of my CSS.

But this time my CSS supplier, GlobalSign, allowed me to generate and store the new CSS only on a SafeNet 5110 USB token, because of a global change in the security policy for CSSs. As such, I no longer have a PFX file and can't use vsixsigntool as before.

Is there a way to use vsixsigntool with the CSS stored on a SafeNet hardware security module?

Perhaps there are also alternative solutions that allow signing VSIXs with a CSS stored on an HSM. Those would also answer my question.


Since you don’t have a password-protected .pfx file with the certificate and the private key, you can’t use the /p flag (for the password) of the vsixsigntool.exe tool. Instead, you must provide access to the private key inside the USB device using the following flags:

  • /f: Path to the certificate file in .p7b format (without the private key)
  • /csp: Specify the Cryptographic Service Provider (CSP) containing the Key Container of the private key.
  • /k: Specify the name of the Key Container of the private key.

You have the details in my article:

Code signing a VSIX package with a hardware-based USB token key:

https://www.visualstudioextensibility.com/2023/09/20/code-signing-a-vsix-package-with-a-hardware-based-usb-token-key/
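The following PowerShell script is an added example from the editor, not code from the question, the answer or the linked article. It performs the steps the answer describes (find the token-resident certificate, read the CSP and key container names the `/csp` and `/k` flags need, export a public-only .p7b for `/f`, sign, then verify) and it checks the result independently of vsixsigntool by opening the VSIX as an OPC package and comparing the signer thumbprint. Assumptions: Windows PowerShell 5.1 (the .NET Framework CAPI view of the key, `X509Certificate2.PrivateKey.CspKeyContainerInfo`, is used), SafeNet Authentication Client installed so the token's certificate appears in the user's Personal store, `vsixsigntool.exe` on PATH, and the CSP name 'eToken Base Cryptographic Provider' being what SafeNet registers (read from the certificate at run time rather than hard-coded). The PIN is entered in the SafeNet prompt; no `/p` is passed.

```powershell
# Added example (editor's code, not the answerer's). Sign a VSIX with a
# SafeNet-token-resident key via vsixsigntool /f /csp /k, then verify.
param(
    [Parameter(Mandatory)] [string] $VsixPath,
    [Parameter(Mandatory)] [string] $Thumbprint,   # SHA-1 thumbprint of the code-signing cert on the token
    [string] $TimestampUrl = 'http://timestamp.globalsign.com/tsa/r6advanced1'
)
$ErrorActionPreference = 'Stop'

# 1. Locate the certificate. SafeNet Authentication Client propagates token
#    certificates into CurrentUser\My while the token is plugged in (assumption).
$thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "Certificate $thumb not found in CurrentUser\My. Is the token plugged in?" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no linked private key. Try: certutil -user -repairstore My $thumb"
}

# 2. Read the CSP name and key container name that /csp and /k need.
#    A SafeNet token key is a legacy CAPI key, so .PrivateKey exposes CspKeyContainerInfo.
$cspInfo = $cert.PrivateKey.CspKeyContainerInfo
if (-not $cspInfo) {
    throw "Key is not CSP-backed (CNG/KSP?). List containers with: certutil -csp `"<provider>`" -key"
}
$csp       = $cspInfo.ProviderName       # expected: 'eToken Base Cryptographic Provider' (assumption)
$container = $cspInfo.KeyContainerName
if ($cspInfo.Exportable) { Write-Warning 'Private key is marked exportable; a token-resident key should not be.' }
if (-not $cspInfo.HardwareDevice) { Write-Warning 'CSP does not report a hardware device; check you picked the token key.' }
Write-Host "CSP: $csp`nKey container: $container"

# 3. Export the public certificate only (no private key) as .p7b for /f.
$p7b = Join-Path $env:TEMP ("$thumb.p7b")
Export-Certificate -Cert $cert -FilePath $p7b -Type P7B -Force | Out-Null

try {
    # 4. Sign. No /p: the SafeNet client prompts for the token PIN.
    #    RFC 3161 timestamp with SHA-256 digest, as in the original command.
    & vsixsigntool.exe sign /f $p7b /csp $csp /k $container /tr $TimestampUrl /td sha256 $VsixPath
    if ($LASTEXITCODE -ne 0) { throw "vsixsigntool sign failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item $p7b -ErrorAction SilentlyContinue
}

# 5. Independent check: a VSIX is an OPC package, so verify its digital signature
#    with System.IO.Packaging and confirm the signer is the expected certificate.
Add-Type -AssemblyName WindowsBase
$pkg = [System.IO.Packaging.Package]::Open($VsixPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
try {
    $dsm = New-Object System.IO.Packaging.PackageDigitalSignatureManager($pkg)
    if (-not $dsm.IsSigned) { throw 'VSIX carries no signature after signing' }
    $result = $dsm.VerifySignatures($true)   # $true also validates the certificate chain
    if ($result -ne [System.IO.Packaging.VerifyResult]::Success) { throw "Signature verification failed: $result" }
    $signer = $dsm.Signatures[0].Signer.GetCertHashString().ToUpperInvariant()
    if ($signer -ne $thumb) { throw "Signed by unexpected certificate $signer (expected $thumb)" }
    Write-Host "OK: $VsixPath signed and verified with $thumb"
}
finally { $pkg.Close() }
```

Run it as `.\Sign-Vsix.ps1 -VsixPath .\MyExtension.vsix -Thumbprint <40-hex-thumbprint>` with the token inserted. The two warnings in step 2 are the practitioner's sanity check that the key actually lives on the token: a key that reports `Exportable` or no `HardwareDevice` is a software key that has been imported into the CSP, not the HSM-protected one GlobalSign issued. For unattended builds the PIN cannot come from `/p`; SafeNet's CSP is commonly reported to accept it embedded in the `/k` value, but that syntax is not on this page, so confirm it against SafeNet's documentation before relying on it.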