{"id":21012338,"url":"https://github.com/vcsjones/openopcsigntool","last_synced_at":"2025-05-07T09:47:17.237Z","repository":{"id":20249829,"uuid":"89238447","full_name":"vcsjones/OpenOpcSignTool","owner":"vcsjones","description":"An open-source implementation of VsixSignTool.","archived":false,"fork":false,"pushed_at":"2024-06-12T00:03:26.000Z","size":1496,"stargazers_count":37,"open_issues_count":21,"forks_count":25,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-10T03:10:47.335Z","etag":null,"topics":["code-signing","vsix"],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vcsjones.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-24T12:37:53.000Z","updated_at":"2024-08-21T23:16:04.000Z","dependencies_parsed_at":"2024-11-19T09:39:07.729Z","dependency_job_id":"d2905fdf-6fe4-4ddb-a516-2227c8e847d4","html_url":"https://github.com/vcsjones/OpenOpcSignTool","commit_stats":{"total_commits":120,"total_committers":8,"mean_commits":15.0,"dds":"0.23333333333333328","last_synced_commit":"09b89cf47028b15ccec8c91c2fe2165de7d1c8c9"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FOpenOpcSignTool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FOpenOpcSignTool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FOpenOpcSignTool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FOpenOpcSignTool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vcsjones","download_url":"https://codeload.github.com/vcsjones/OpenOpcSignTool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252854369,"owners_count":21814674,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-signing","vsix"],"created_at":"2024-11-19T09:36:20.540Z","updated_at":"2025-05-07T09:47:17.211Z","avatar_url":"https://github.com/vcsjones.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"OpenOpcSignTool\n================\n\n[![Build Status](https://vcsjones.visualstudio.com/OpenOpcSignTool/_apis/build/status/OpenOpcSignTool-CI)](https://vcsjones.visualstudio.com/OpenOpcSignTool/_build/latest?definitionId=2)\n\nOpenOpcSignTool (\"OOST\") is an open-source implemention of [VsixSignTool][1] to digitally sign VSIX packages on any platform,\nwith additional \"OPC\" package signing options to come.\n\nIt offers a number of benefits, such as easily using certificates from hardware tokens, HSMs, Azure Key Vault, etc by allowing\nany certificate from the Certificate Store to be used instead of a PFX.\n\n## Installing\n\nUsing .NET Core 2.1 or later:\n\n```shell\ndotnet tool install -g OpenVsixSignTool\n```\n\nAlternatively, it can be built by itself\n\n## Using\n\nUsing OOST is fairly simple. An example:\n\n```shell\nOpenVsixSignTool sign --sha1 7213125958254779abbaa5033a12fecdf2c7cdc8 --timestamp http://timestamp.digicert.com -ta sha256 -fd sha256 myvsix.vsix\n```\n\nThis signs the VSIX using a certificate in the certificate store using the SHA1 thumbprint, and uses a SHA256\nfile digest and SHA256 timestamp digest algorithm.\n\nFor more information about usage, use `OpenVsixSignTool sign --help` for more information.\n\n## Core Library\n\nThis repository is broken out into two projects.\n\n### Core Signing Library\n\nThe core library performs the signing functionality and offers a .NET API for programmatically signing a VSIX file. A sample for signing and timestamping\nwith an `X509Certificate2` would look like this:\n\n```csharp\nX509Certificate2 certificate = default; // Use a real instance of an X509Certificate2 with a private key\nvar configuration = new SignConfigurationSet(\n\tHashAlgorithmName.SHA256,\n\tHashAlgorithmName.SHA256,\n\tcertificate.GetRSAPrivateKey(),\n\tcertificate);\nusing (var package = OpcPackage.Open(@\"C:\\path\\to\\file.vsix\", OpcPackageFileMode.ReadWrite))\n{\n\tvar builder = package.CreateSignatureBuilder();\n\tbuilder.EnqueueNamedPreset\u003cVSIXSignatureBuilderPreset\u003e();\n\tvar signature = builder.Sign(configuration);\n\t// Apply a timestamp\n\tvar timestampBuilder = signature.CreateTimestampBuilder();\n\tvar result = await timestampBuilder.SignAsync(new Uri(\"http://timestamp.digicert.com\"), HashAlgorithmName.SHA256);\n\tif (result != TimestampResult.Success)\n\t{\n\t\tthrow new InvalidOperationException(\"Failed to timestamp the signature.\");\n\t}\n}\ncertificate.Dispose();\n```\n\n\nYou can also use Azure Key Vault to sign a VSIX when using the [`RSAKeyVault`][3] NuGet package. Since the `SignConfigurationSet`\naccepts a private key that is distinct from the certificate, the private key can be any implementation of `RSA` or `ECDsa`\nthat are properly implemented.\n\n### CLI Tool\n\nThe command line tool uses the core library to offer CLI usage of the core library. It uses [`RSAKeyVault`][3] to achieve signing\nwith `AzureKeyVault`.\n\n## Known Issues\n\nSee the list of [bugs][2] in GitHub for known bugs.\n\n[1]: https://www.nuget.org/packages/Microsoft.VSSDK.Vsixsigntool/\n[2]: https://github.com/vcsjones/OpenVsixSignTool/issues?q=is%3Aissue+is%3Aopen+label%3Abug\n[3]: https://www.nuget.org/packages/RSAKeyVaultProvider/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvcsjones%2Fopenopcsigntool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvcsjones%2Fopenopcsigntool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvcsjones%2Fopenopcsigntool/lists"}