Installing Extension via OpenVSX fails on MacOS with "Signature verification was not executed." #7213

Open
2 tasks done
sourishkrout opened this issue Feb 19, 2025 · 5 comments
Labels: bug (Something isn't working), triage (This issue needs to be triaged by a maintainer)

sourishkrout commented Feb 19, 2025

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Chrome (not relevant though)
  • Local OS: MacOS Sonoma 14.7.2 (23H311)
  • Remote OS: running locally, MacOS Sonoma 14.7.2 (23H311)
  • Remote Architecture: All arm64
  • code-server --version: 1.97.2, e54c774e0add60467559eb0d1e229c6452cf8447, arm64

Steps to Reproduce

Run code-server --install-extension redhat.vscode-yaml --force

$ code-server --install-extension redhat.vscode-yaml --force
Installing extensions...
Installing extension 'redhat.vscode-yaml'...
Error while installing extension redhat.vscode-yaml: Signature verification was not executed.
Failed Installing Extensions: redhat.vscode-yaml
[2025-02-19T22:47:01.289Z] error parent:80369 Uncaught exception: Signature verification was not executed.
[2025-02-19T22:47:01.289Z] error parent:80369 SignatureVerificationInternal: Signature verification was not executed.
    at Hc.ub (file:///opt/homebrew/Cellar/code-server/4.96.4/libexec/lib/vscode/out/server-main.js:58:17105)
    at async Hc.tb (file:///opt/homebrew/Cellar/code-server/4.96.4/libexec/lib/vscode/out/server-main.js:58:15571)

Expected

Successfully installs extension via OpenVSX. This works on Linux but not MacOS.

Actual

[2025-02-19T22:47:01.289Z] error parent:80369 Uncaught exception: Signature verification was not executed.
[2025-02-19T22:47:01.289Z] error parent:80369 SignatureVerificationInternal: Signature verification was not executed.
    at Hc.ub (file:///opt/homebrew/Cellar/code-server/4.96.4/libexec/lib/vscode/out/server-main.js:58:17105)
    at async Hc.tb (file:///opt/homebrew/Cellar/code-server/4.96.4/libexec/lib/vscode/out/server-main.js:58:15571)

Logs

Installing extensions...
Installing extension 'redhat.vscode-yaml'...
Error while installing extension redhat.vscode-yaml: Signature verification was not executed.
Failed Installing Extensions: redhat.vscode-yaml
[2025-02-19T22:47:01.289Z] error parent:80369 Uncaught exception: Signature verification was not executed.
[2025-02-19T22:47:01.289Z] error parent:80369 SignatureVerificationInternal: Signature verification was not executed.
    at Hc.ub (file:///opt/homebrew/Cellar/code-server/4.96.4/libexec/lib/vscode/out/server-main.js:58:17105)
    at async Hc.tb (file:///opt/homebrew/Cellar/code-server/4.96.4/libexec/lib/vscode/out/server-main.js:58:15571)

Screenshot/Video

No response

Does this bug reproduce in native VS Code?

No, this works as expected in native VS Code

Does this bug reproduce in GitHub Codespaces?

No, this works as expected in GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

The only workaround is to run code-server and install the extension from within the Extensions panel explicitly ignoring "Signature Verification".

sourishkrout added the bug (Something isn't working) and triage (This issue needs to be triaged by a maintainer) labels Feb 19, 2025

sourishkrout commented May 1, 2025

Okay, so I built code-server from sources on both Linux (x64) and MacOS (arm) to identify the issue and discovered something peculiar:

Linux is explicitly excluded from signature verification, which is why the issue won't occur on Linux:

[...]
if (
	verificationStatus !== ExtensionSignatureVerificationCode.Success
	&& !(verificationStatus === ExtensionSignatureVerificationCode.NotSigned && !shouldRequireSignature)
	&& verifySignature
	&& this.environmentService.isBuilt
	&& !(isLinux && this.productService.quality === 'stable')
) {
[...]

https://github.com/microsoft/vscode/blob/17baf841131aa23349f217ca7c570c76ee87b957/src/vs/platform/extensionManagement/node/extensionManagementService.ts#L344

Meanwhile, main line has the Linux exclusion removed. This is as of microsoft/vscode#243358. It's unclear if that will make it fail or work on all platforms.

https://github.com/microsoft/vscode/blob/main/src/vs/platform/extensionManagement/node/extensionManagementService.ts#L344
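
The gate quoted in the comment above, modelled as a truth table (an added example, not part of the thread and not VS Code's own code). The status strings are stand-ins, with `NotExecuted` a constructed label for the logged "Signature verification was not executed." outcome; `isBuilt`, `verifySignature` and `shouldRequireSignature` being true and the quality being `stable` are assumptions.

```javascript
// Added example: a model of the install gate quoted above, not VS Code's code.
// Status strings are stand-ins; 'NotExecuted' is a constructed label for the
// "Signature verification was not executed." outcome seen in the logs.
const Status = { Success: 'Success', NotSigned: 'NotSigned', NotExecuted: 'NotExecuted' };

// Mirrors the quoted condition. `linuxExclusion` toggles the last clause so the
// pinned revision (true) can be compared with main line after its removal (false).
function rejectsInstall(ctx, linuxExclusion) {
  return (
    ctx.status !== Status.Success &&
    !(ctx.status === Status.NotSigned && !ctx.shouldRequireSignature) &&
    ctx.verifySignature &&
    ctx.isBuilt &&
    !(linuxExclusion && ctx.isLinux && ctx.quality === 'stable')
  );
}

// Evaluate one verification outcome on both platforms under both gate variants.
// The fixed context values are assumptions (built, stable, verification on).
function matrix(status) {
  const base = { status, shouldRequireSignature: true, verifySignature: true,
                 isBuilt: true, quality: 'stable' };
  const rows = [];
  for (const isLinux of [true, false]) {
    for (const linuxExclusion of [true, false]) {
      rows.push({
        platform: isLinux ? 'linux' : 'macos',
        gate: linuxExclusion ? 'with exclusion' : 'exclusion removed',
        rejected: rejectsInstall({ ...base, isLinux }, linuxExclusion),
      });
    }
  }
  return rows;
}

// Installs that go through although the signature was never verified:
// the cases worth auditing, since nothing is logged for them.
function unverifiedAccepts(status) {
  return matrix(status).filter((r) => status !== Status.Success && !r.rejected);
}

console.table(matrix(Status.NotExecuted));
console.log('accepted without verification:', unverifiedAccepts(Status.NotExecuted));
```

Under these assumptions, only Linux with the exclusion in place accepts an extension whose signature check never ran; every other combination rejects the install.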


code-asher commented May 2, 2025

I remember seeing that Open VSX implemented some kind of signature verification, but it was never clear to me how that actually worked. I wonder if it needs to be updated?

In any case, maybe we will have to disable signature verification in the next release. I think VSCodium does that.


sourishkrout commented May 2, 2025

Disabling it for extensions downloaded from OpenVSX does make sense. It's been effectively disabled for Linux all along.

Seems like Signature Verification stalled because MSFT is keeping their tool closed off: eclipse/openvsx#543

If there is no Signer in OpenVSX and it's not just a checksum, disabling it is a loop and won't negatively affect any security properties. I favor turning it off if it makes MacOS extension installs work again for code-server and potentially avoids breakage across all platforms in upcoming releases due to VS Code's upstream change.

code-asher commented

Ahhhhh so it might work if we make code-server use their node-ovsx-sign package.

But yeah, disabling maintains the status quo and is easier so we can do that for now.

sourishkrout commented

> Ahhhhh so it might work if we make code-server use their node-ovsx-sign package.

Not quite. The OSS is just a wrapper around a proprietary package/binary: eclipse/openvsx#543 (comment). The convo is > 2 years old, so I'd take that with a grain of salt.

> But yeah, disabling maintains the status quo and is easier so we can do that for now.

Disabling would improve the situation because installations on non-Linux fail signature verifications. But yeah, for what's working now there will be no difference.
