Cannot install Microsoft Visual Studio 2017 Installer Projects due to invalid certificate

Question

I've been trying to install the Microsoft Visual Studio 2017 Installer Projects for VS 2017 Professional for some time now without success. First, I tried through the Extensions and Updates wizard within VS2017. It downloads correctly, but when I close VS to kick off the install if fails immediately with the following:

I then grabbed the VSIX from the Visual Studio Marketplace and tried to install it via the following command line:

VSIXInstaller InstallerProjects.vsix

This seemed to get me further, but also clued me into the certificates being the issue. Not how it says Digital Signature: Invalid Certificate :

After clicking through to continue the install, it fails and allows me to see the logs:

The logs seem to echo the certificate issue here:

10/17/2017 1:11:21 PM - Signature Details...
10/17/2017 1:11:21 PM -     Extension is signed with an invalid certificate
10/17/2017 1:11:21 PM -         (PartialChain)      : A certificate chain could not be built to a trusted root authority.
10/17/2017 1:11:21 PM -         (RevocationStatusUnknown): The revocation function was unable to check revocation for the certificate.
10/17/2017 1:11:21 PM -         (OfflineRevocation) : The revocation function was unable to check revocation because the revocation server was offline.

And here:

10/17/2017 1:15:30 PM - Certificate is invalid: InstallerProjects.vsix
10/17/2017 1:15:36 PM - Skipping Install of 'VSInstallerProjects,version=0.8.4' since downloading it failed.
10/17/2017 1:15:36 PM - Skipping cache of package 'VSInstallerProjects,version=0.8.4' since the package or a parent package had a vital failure.
10/17/2017 1:15:36 PM - Skipping cache of package 'Component.VSInstallerProjects,version=0.8.4' since the package or a parent package had a vital failure.
10/17/2017 1:15:47 PM - Install Error : Microsoft.VisualStudio.Setup.PackageFailureException: Package 'VSInstallerProjects' failed to download
   at Microsoft.VisualStudio.Setup.InstallOperation.Run(CancellationToken token)
   at Microsoft.VisualStudio.Setup.Engine.RunOperation(InstallOperation installOperation, CancellationToken token, ExecuteAction action, ITelemetryOperation telemetryOperation)
   at Microsoft.VisualStudio.Setup.Engine.RunCoreOperation(InstallOperation coreOperation, ExecuteAction action, ITelemetryOperation telemetryOperation, CancellationToken token)
   at Microsoft.VisualStudio.Setup.Engine.Install(Product product, String destination, CancellationToken token)
   at Microsoft.VisualStudio.ExtensionManager.ExtensionEngineImpl.PerformSetupEngineInstall(InstallableExtensionImpl extension, Boolean installPerMachine, Boolean isPackComponent, IDictionary`2 extensionsInstalledSoFar, List`1 extensionsUninstalledSoFar, IInstalledExtensionList modifiedInstalledExtensionsList, IProgress`1 progress, InstallFlags installFlags, AsyncOperation asyncOp, Version targetedVsVersion, IInstalledExtension& newExtension)
   at Microsoft.VisualStudio.ExtensionManager.ExtensionEngineImpl.InstallInternal(InstallableExtensionImpl extension, InstallFlags installFlags, IDictionary`2 extensionsInstalledSoFar, List`1 extensionsUninstalledSoFar, IInstalledExtensionList modifiedInstalledExtensionsList, AsyncOperation asyncOp, IProgress`1 progress, Version targetedVsVersion)
   at Microsoft.VisualStudio.ExtensionManager.ExtensionEngineImpl.BeginInstall(IInstallableExtension installableExtension, InstallFlags installFlags, AsyncOperation asyncOp, Version targetedVsVersion)
   at Microsoft.VisualStudio.ExtensionManager.ExtensionEngineImpl.InstallWorker(IInstallableExtension extension, InstallFlags installFlags, AsyncOperation asyncOp)

Any thoughts on what could be happening?

Answer 1

...because the revocation server was offline

It is not offline, it couldn't be contacted. Before a certificate can be trusted, the installer must first contact the CRL server. It is maintained by the certificate authority, one of the services you pay for when you buy a certificate yourself. The Certificate Revocation List server keeps a list of certificates that turned out to be bogus. That is not happening, a pretty serious problem that long-term can compromise the security of the machine. And fatal when first contacted, the VSIX installer appropriately fails the install.

A TechNet article with troubleshooting hints is here . Do make this a problem for IT staff, they need to know that they are maintaining insecure machines. And are probably responsible for this issue in the first place.

Answer 2

After a lot of effort to resolve this, we installed this package on an internet-connected computer to see what gets installed.

anyways, please follow the article https://docs.microsoft.com/en-us/visualstudio/install/install-certificates-for-visual-studio-offline

to install the needed certificates. after doing so, we realized that one more certificate is missing !

Microsoft Code Signing PCA 2010

after installing everything, export the certificates and install them on the offline computer.

this solution worked out for us.

Answer 3

In windows 10 I believe there is app settings that dictate whether or not you can install apps that are signed by an unknown signature, etc. Have you checked to make sure that these aren't locked down to only allow installs from the Microsoft App Store?

I think this applies:

https://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx

I have also seen issues where I have old certificate chains stuck on a specific AD user and was able to resolve them by clearing some of the certs and trying again.

I would also try installing it with any antivirus disabled etc.

This thread seems relevant, I would not use the first suggestion of disabling CRLF revcheck without trying some of the later comments first.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/348a9b8d-8583-488c-9a96-42b892c4ae77/revocation-server-offline?forum=winserversecurity

Answer 4

For problems with Certificate validation for Visual Studio, it is possible that certificates has gone stale.

Here is how you can synchronize your certificates with Windows 10 using Windows Update and certutil. The commands are to be run with Powershell.

mkdir c:\certs #temporary folder where the certificates will be installed/updated
cd c:\certs 
certutil.exe -generateSSTFromWU roots.sst
$sstStore = ( Get-ChildItem -Path C:\certs\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

I got a crash installing Votive (Windows Installer XML / Wix Visual Studio Extension) because of certificate did not validate on my computer. The reason was one certificate had gone stale (out of date). The SST file can be opened in MMC if you want to install just a single certificate for example.