
[Bug]: Validate Authenticode signatures of STS binaries after download and extraction #21685

@kburtram

Description

Validate Authenticode signatures of STS binaries after download and extraction

The extension currently downloads the SQL Tools Service ZIP from GitHub and extracts it locally before use. After extraction, it should validate the Authenticode signatures of the extracted STS binaries before allowing the service to start.

This is a defense-in-depth measure to ensure the downloaded payload has a valid Microsoft signature and has not been tampered with.

Implementation details

In the service downloader flow, after the ZIP has been downloaded and extracted, add a verification step that checks the Authenticode signature of each required binary.

For example, maintain a list of binaries that must be present and must be signed by the expected publisher:

const requiredSignedBinaries = [
  {
    fileName: "MicrosoftSqlToolsServiceLayer.exe",
    expectedPublisher: "Microsoft Corporation",
    // optional: expectedThumbprint: "<thumbprint>"
  },
  {
    fileName: "MicrosoftSqlToolsCredentials.exe",
    expectedPublisher: "Microsoft Corporation",
    // optional: expectedThumbprint: "<thumbprint>"
  },
  {
    fileName: "SqlToolsResourceProviderService.exe",
    expectedPublisher: "Microsoft Corporation",
    // optional: expectedThumbprint: "<thumbprint>"
  },
  {
    fileName: "MicrosoftSqlToolsServiceLayer.dll",
    expectedPublisher: "Microsoft Corporation",
    // optional: expectedThumbprint: "<thumbprint>"
  },
  // add any other service-layer executables / DLLs that are launched or security-sensitive
];

For each file in that list:

  1. Build the absolute path under the extracted STS install directory.
  2. Verify the file exists.
  3. Validate its Authenticode signature.
  4. Confirm the signature is valid.
  5. Confirm the certificate chains successfully to a trusted root.
  6. Confirm the signer/publisher matches the expected publisher (Microsoft Corporation).
  7. Optionally, for stricter validation, also confirm the signing certificate thumbprint matches an expected value.

If any required binary is missing or fails validation:

  1. Delete the extracted service directory, or at minimum delete the downloaded payload and extracted binaries.
  2. Fail the install / acquisition flow.
  3. Surface a clear error message indicating that signature validation failed and the service was not installed.

Important note

It is not sufficient to check only that a file is signed. The validation must confirm that the signer matches the expected publisher, so that a binary signed by some other trusted publisher is still rejected.

If we want even stricter validation, we can pin the expected signing certificate thumbprint in addition to the publisher name. That would reduce the risk of accepting a binary signed by an unexpected Microsoft certificate, but it would also require maintenance when certificates rotate.
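The validation steps, the failure handling, and the publisher/thumbprint notes above, as one added example in TypeScript. This is not the extension's own code: the function names (validateSignedBinaries, gateExtractedService, powershellChecker), the SignatureInfo shape, and the injected `exists`/`remove` hooks are assumptions made so the flow can be unit-tested with fakes. The Windows checker shells out to PowerShell's Get-AuthenticodeSignature, whose Status is "Valid" only when the file hash matches and the certificate chains to a trusted root; it does not run on other platforms.

```typescript
// Added example (not the extension's own code): the post-extraction Authenticode
// gate described in this issue, with the platform signature inspection injected so
// it can be backed by PowerShell on Windows and by fakes in unit tests.
import * as fs from "fs";
import * as path from "path";
import { execFileSync } from "child_process";

interface RequiredBinary {
  fileName: string;
  expectedPublisher: string;
  expectedThumbprint?: string; // optional certificate pin (hex; separators and case ignored)
}

// What the platform reports about one file's signature.
interface SignatureInfo {
  valid: boolean;      // signature present, file hash matches, chain ends at a trusted root
  publisher?: string;  // CN of the signing certificate's subject
  thumbprint?: string; // thumbprint of the signing certificate
}

type SignatureChecker = (absolutePath: string) => SignatureInfo;

// "ab:cd:ef" and "ABCDEF" pin the same certificate.
function normalizeThumbprint(t?: string): string {
  return (t ?? "").replace(/[^0-9a-fA-F]/g, "").toUpperCase();
}

// CN from an X.500 subject like "CN=Microsoft Corporation, O=Microsoft Corporation, ...".
// CN values containing escaped commas are not handled.
function subjectCommonName(subject: string): string | undefined {
  const m = /(?:^|,\s*)CN=([^,]+)/.exec(subject);
  return m ? m[1].trim() : undefined;
}

// Steps 1-7 from the issue for every required binary; failures are collected,
// not thrown, so the caller can report all problems at once.
function validateSignedBinaries(
  installDir: string,
  required: RequiredBinary[],
  check: SignatureChecker,
  exists: (p: string) => boolean = fs.existsSync,
): { ok: boolean; failures: string[] } {
  const failures: string[] = [];
  for (const bin of required) {
    const abs = path.join(installDir, bin.fileName);                          // step 1
    if (!exists(abs)) { failures.push(`${bin.fileName}: missing`); continue; } // step 2
    let info: SignatureInfo | undefined;
    try { info = check(abs); }                                                // step 3
    catch (e) { failures.push(`${bin.fileName}: signature check error (${String(e)})`); }
    if (!info) continue;
    if (!info.valid) {                                                        // steps 4-5
      failures.push(`${bin.fileName}: unsigned, invalid signature, or untrusted chain`); continue;
    }
    if (info.publisher !== bin.expectedPublisher) {                           // step 6
      failures.push(`${bin.fileName}: signed by "${info.publisher ?? "unknown"}", expected "${bin.expectedPublisher}"`); continue;
    }
    if (bin.expectedThumbprint &&                                             // step 7 (optional pin)
        normalizeThumbprint(info.thumbprint) !== normalizeThumbprint(bin.expectedThumbprint)) {
      failures.push(`${bin.fileName}: signing certificate thumbprint does not match the pinned value`);
    }
  }
  return { ok: failures.length === 0, failures };
}

// Acquisition gate: the service may start only if validation passes; on any
// failure the extracted directory is removed before the error is surfaced.
function gateExtractedService(
  installDir: string,
  required: RequiredBinary[],
  check: SignatureChecker,
  exists: (p: string) => boolean = fs.existsSync,
  remove: (p: string) => void = (p) => fs.rmSync(p, { recursive: true, force: true }),
): { installed: boolean; message?: string } {
  const result = validateSignedBinaries(installDir, required, check, exists);
  if (result.ok) return { installed: true };
  remove(installDir);
  return {
    installed: false,
    message: "SQL Tools Service installation failed because one or more downloaded binaries did not " +
      "pass Microsoft signature validation. The downloaded files were removed for safety. " +
      `Details: ${result.failures.join("; ")}`,
  };
}

// Windows checker backed by PowerShell's Get-AuthenticodeSignature: Status is
// "Valid" only when the hash matches and the chain is trusted (steps 4-5); the
// signer's subject CN and thumbprint feed steps 6-7. Not runnable off Windows.
function powershellChecker(absolutePath: string): SignatureInfo {
  const quoted = absolutePath.replace(/'/g, "''");
  const script =
    `$s = Get-AuthenticodeSignature -FilePath '${quoted}'; ` +
    `[pscustomobject]@{ Status = [string]$s.Status; Subject = $s.SignerCertificate.Subject; ` +
    `Thumbprint = $s.SignerCertificate.Thumbprint } | ConvertTo-Json -Compress`;
  const out = execFileSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", script], { encoding: "utf8" });
  const j = JSON.parse(out) as { Status: string; Subject?: string | null; Thumbprint?: string | null };
  return { valid: j.Status === "Valid", publisher: j.Subject ? subjectCommonName(j.Subject) : undefined, thumbprint: j.Thumbprint ?? undefined };
}
```

In the downloader, the call would be `gateExtractedService(stsInstallDir, requiredSignedBinaries, powershellChecker)` right after extraction and before any spawn of the service. Comparing the subject CN rather than "is the file signed at all" is what rejects a binary carrying a valid signature from a different publisher, and the pin is applied only when `expectedThumbprint` is set, so unpinned entries keep working across Microsoft certificate rotations.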

Expected behavior

Valid STS packages signed by Microsoft install normally.

Tampered, unsigned, invalidly signed, or unexpectedly signed binaries are rejected before the service starts.

The user gets a clear failure message instead of a later startup failure.

Acceptance criteria

After STS ZIP download and extraction, the downloader validates Authenticode signatures for all required binaries.

  • Validation happens before any STS process is launched.

  • Install fails if any required binary is missing, unsigned, invalidly signed, or signed by an unexpected publisher.

  • The expected signer for required binaries is Microsoft Corporation.

  • On failure, downloaded / extracted STS files are removed.

  • A clear error is logged and surfaced to the user.

  • Unit tests cover:

    • all binaries present and valid
    • missing required binary
    • invalid signature
    • unexpected signer/publisher
    • cleanup on failure

Example failure message

SQL Tools Service installation failed because one or more downloaded binaries did not pass Microsoft signature validation. The downloaded files were removed for safety.

A slightly stricter version would be:

const requiredSignedBinaries = [
  {
    fileName: "MicrosoftSqlToolsServiceLayer.exe",
    expectedPublisher: "Microsoft Corporation",
    expectedThumbprint: "<known thumbprint>"
  }
];

Steps to Reproduce

  1. Install VSIX

Expected: The downloaded binaries have their signatures checked before the service starts.

Affected Area

  • Connection dialog (SQL Server | Azure browse/Fabric browse)
  • Query editor
  • Query results panel
  • Object Explorer
  • GitHub Copilot integration
  • Preview/Edit data
  • Table Designer
  • Schema Designer
  • Schema Compare
  • Local SQL Server Container provisioning
  • SQL database in Fabric provisioning
  • DACPAC/BACPAC export/import
  • SQL Database projects
  • Query Plan Visualizer
  • Other (please describe below)

If you selected "Other", please describe the affected area

No response

Environment Information

Latest

Confirmation

  • I have searched existing issues and couldn't find a match
  • I want to work on this issue
