Description
When signing a VSIX package that contains Override elements in the [Content_Types].xml file, the generated signature manifest will often use the wrong content type for the overridden part name. This causes signature verification to fail because the content type is compared for each part in the manifest.
As an example, for a VSIX containing a file named /node_modules/ws/LICENSE, and an override <Override PartName="/node_modules/ws/LICENSE" ContentType="text/plain" />, the signature will incorrectly identify the content type for /node_modules/ws/LICENSE as application/octet-stream. As a result, the signature cannot be validated due to a mismatch in content type (See Line 183 here).
Expected Content Type Logic
According to the OPC spec,
To get the media type of a part, the package implementer shall perform the following steps:
a) Compare the part name with the values specified for the PartName attribute of the Override
elements. The comparison shall be ASCII case-insensitive matching.
b) If there is an Override element with a matching PartName attribute, return the value of its
ContentType attribute. No further action is required.
c) If there is no Override element with a matching PartName attribute, then
- Get the extension from the part name by taking the substring to the right of the rightmost
occurrence of the dot character (“.”) from the rightmost segment.
- Check the Default elements of the Media Types stream, comparing the extension with the
value of the Extension attribute. The comparison shall be ASCII case-insensitive
matching.
d) If there is a Default element with a matching Extension attribute, return the value of its
ContentType attribute. No further action is required.
NOTE Given a conformant package, either an Override element is found by step b) or a Default element is found by
step c).
Current Content Type Logic
Current logic for determining content type is looking for a matching extension entry. If there is no match, then the default application/octet-stream is used. Overrides are not being considered.
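The lookup order quoted from the spec, next to the extension-only behaviour described above, as an added Python example (not code from the project this issue was filed against). The sample [Content_Types].xml is constructed, the function names are hypothetical, and returning None when neither an Override nor a Default matches is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Namespace of the OPC Media Types stream ([Content_Types].xml).
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Constructed sample, modelled on the override in the issue.
SAMPLE_CONTENT_TYPES = """<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="json" ContentType="application/json" />
  <Default Extension="vsixmanifest" ContentType="text/xml" />
  <Override PartName="/node_modules/ws/LICENSE" ContentType="text/plain" />
</Types>"""


def _ascii_lower(s):
    # ASCII-only folding, as the spec requires (str.lower() also folds non-ASCII).
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def load_content_types(xml_text):
    """Return (overrides, defaults) dicts keyed by ASCII-lowercased name."""
    root = ET.fromstring(xml_text)
    overrides = {_ascii_lower(e.get("PartName")): e.get("ContentType")
                 for e in root.iter(CT_NS + "Override")}
    defaults = {_ascii_lower(e.get("Extension")): e.get("ContentType")
                for e in root.iter(CT_NS + "Default")}
    return overrides, defaults


def get_content_type(part_name, overrides, defaults):
    """Steps a) to d): Override by part name first, then Default by extension."""
    hit = overrides.get(_ascii_lower(part_name))
    if hit is not None:
        return hit
    segment = part_name.rsplit("/", 1)[-1]      # rightmost segment
    if "." in segment:
        ext = segment.rsplit(".", 1)[-1]        # right of the rightmost dot
        return defaults.get(_ascii_lower(ext))
    return None  # assumption: no match means a non-conformant package


def extension_only_content_type(part_name, defaults):
    """Behaviour the issue reports: Overrides ignored, octet-stream fallback."""
    segment = part_name.rsplit("/", 1)[-1]
    ext = segment.rsplit(".", 1)[-1] if "." in segment else ""
    return defaults.get(_ascii_lower(ext), "application/octet-stream")
```

Running both functions over every part at signing time and comparing the results shows which parts would be recorded in the signature manifest with a content type that verification will reject.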