Sign VSIX with USB eToken, file with no password prompt.

Matthew Curland 0 Reputation points
2024-08-15T05:29:03.4066667+00:00

I've been signing vsix packages for six years without an issue. I've just purchased my third three-year cert (Sectigo), which costs 4x what it did in 2021 and is now delivered on a USB eToken device (accessed with the SafeNet application). Now the fun starts. I'm including a quick rundown so others don't lose a whole afternoon (and evening).

The article says VsixSignTool is deprecated, so I pull down 'sign' as instructed. The csp argument is easy (the Cryptographic Provider shows as a Private Key property in SafeNet, "eToken Base Cryptographic Provider"). The cfp argument is the first stumble. The article tells how to get this for a file, not for a cert in an eToken. None of the obvious cert properties (thumbprint, serial number, subject key identifier) work. I finally export a .cer file and get a hash from that as noted in the article. This seemed to work (even though the private key did not export to the file). Next issue: add /k (easy, I found a 'Container Name' field in the private key section of the SafeNet app).

ERROR: The token password is never requested and I get "Provider could not perform the action since the context was acquired as silent." Note that if I use this csp with SHA1CryptoServiceProvider.SignHash I get the same error IF CspProviderFlags.NoPrompt is used on the parameter, otherwise I get a prompt.

Providing a command line password does not change the outcome. I know the cert works if I allow the UI prompt because I can sign and verify the hash (tweaked https://stackoverflow.com/questions/43128705/c-sharp-usb-etoken-signature-and-validation-issue answer to match my cert). It just doesn't work with the 'sign' tool.

I'm stuck. Has anyone successfully used this tool with a SafeNet eToken that requires a token password? The AI answer says I'm doing this correctly (export .cer from SafeNet to get a cfp), but I am getting errors instead of seeing the password popup.

Visual Studio Extensions

2 answers

  1. Q&A Assist
    2024-08-15T05:29:03.41+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The sign tool can be used to sign VSIX packages with a SafeNet eToken that requires a token password. The cfp argument can be obtained by exporting the certificate to a .cer file and using PowerShell to get the SHA-256 fingerprint. The csp argument can be set to "eToken Base Cryptographic Provider" and the k argument can be set to the container name of the private key. If the token password is not being requested, it is possible that the cfp argument is incorrect.

    sign code certificate-store -cfp <SHA-256 fingerprint> -csp "eToken Base Cryptographic Provider" -k <container name> -d "VSIX Signature" -t "http://timestamp.acs.microsoft.com/" "C:\Users\Contoso\Downloads\FingerSnapper2022.vsix"
    


  2. Matthew Curland 0 Reputation points
    2024-08-15T21:28:10.8633333+00:00

    There is currently no way to do this, which is a major hole given that the recently posted article to use 'sign' has an example that uses an eToken device.

    I have submitted a pull request at https://github.com/dotnet/sign/pull/757 to add a upk (user-protected-key) option to turn off the always-added 'Silent' flag sent to the provider, thereby allowing the user to provide a token password.

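As an added example (not code from the original post, the SafeNet software, or the dotnet/sign project), the C# below reproduces the two observations in this thread: the same eToken key container signs when acquired normally (SafeNet shows its token password dialog) and fails with NTE_SILENT_CONTEXT (0x80090022, "Provider could not perform the action since the context was acquired as silent") when acquired with CspProviderFlags.NoPrompt, which is the silent acquisition the question and the answer describe. It also derives the -cfp value from the certificate already in the Windows store: the fingerprint is the SHA-256 of the DER-encoded certificate, so hashing a DER .cer export gives the same value, while a Base64 (PEM) export would not. Assumed, not from the page: .NET 6 or later on Windows, the certificate propagated by SafeNet into CurrentUser\My with "Contoso" in its subject, provider type PROV_RSA_FULL (1) for the eToken CSP, that the CSP accepts SHA-256 hashes, and the key container name passed as the first command-line argument.

```csharp
// Added example; not from the original post or the dotnet/sign project.
// Windows only (CAPI via RSACryptoServiceProvider), .NET 6+ assumed.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class ETokenSignDemo
{
    const string ProviderName = "eToken Base Cryptographic Provider";
    const int ProvRsaFull = 1;                                 // PROV_RSA_FULL; assumed for this CSP
    const int NteSilentContext = unchecked((int)0x80090022);   // NTE_SILENT_CONTEXT

    // The -cfp fingerprint is the SHA-256 of the DER-encoded certificate, which is
    // exactly what RawData holds, so no .cer export is needed.
    static string Sha256Fingerprint(X509Certificate2 cert)
        => Convert.ToHexString(SHA256.HashData(cert.RawData));

    static X509Certificate2 FindCert(string subjectSubstring)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (var c in store.Certificates)
            if (c.HasPrivateKey && c.Subject.Contains(subjectSubstring, StringComparison.OrdinalIgnoreCase))
                return c;
        throw new InvalidOperationException("certificate not found in CurrentUser\\My");
    }

    // Acquire the token's key container through CAPI and sign a hash. UseExistingKey
    // stops .NET from silently creating a fresh key pair if the container name is wrong.
    // NoPrompt maps to CRYPT_SILENT: the CSP is then forbidden from showing its
    // password dialog and fails instead of prompting.
    static byte[] SignWithContainer(string containerName, bool silent, byte[] sha256Hash)
    {
        var csp = new CspParameters(ProvRsaFull, ProviderName, containerName)
        {
            Flags = CspProviderFlags.UseExistingKey
                  | (silent ? CspProviderFlags.NoPrompt : CspProviderFlags.NoFlags)
        };
        using var rsa = new RSACryptoServiceProvider(csp);
        return rsa.SignHash(sha256Hash, CryptoConfig.MapNameToOID("SHA256"));
    }

    static void Main(string[] args)
    {
        string containerName = args.Length > 0 ? args[0] : "<Container Name from SafeNet>";
        var cert = FindCert("Contoso"); // assumed subject
        Console.WriteLine($"-cfp {Sha256Fingerprint(cert)}");

        // Constructed test payload; any hash to be signed would do.
        byte[] hash = SHA256.HashData(Encoding.UTF8.GetBytes("constructed test payload"));

        // 1. Silent acquisition: the failure mode reported in the question.
        try
        {
            SignWithContainer(containerName, silent: true, hash);
            Console.WriteLine("silent: signed (token did not need to prompt)");
        }
        catch (CryptographicException ex)
        {
            bool silentCtx = ex.HResult == NteSilentContext;
            Console.WriteLine($"silent: 0x{ex.HResult:X8} {ex.Message}" +
                              (silentCtx ? " (NTE_SILENT_CONTEXT)" : ""));
        }

        // 2. Normal acquisition: SafeNet prompts for the token password, then signs.
        byte[] sig = SignWithContainer(containerName, silent: false, hash);
        using RSA pub = cert.GetRSAPublicKey()!;
        bool ok = pub.VerifyHash(hash, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"interactive: {sig.Length}-byte signature verifies against store cert: {ok}");
    }
}
```

Run it as `dotnet run -- "<container name>"` with the token inserted. If step 1 prints NTE_SILENT_CONTEXT and step 2 prompts and verifies, the token, CSP, container name and fingerprint are all correct and the remaining difference is only whether the caller passes the silent flag, which is the point the answer above makes about the 'sign' tool.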
