-
-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Strip NuGet.org signatures from downloaded nupkg files #326345
Comments
I have a big change I've been working on that is essentially doing your step 3, and maybe some of step 2? What I have:
The branch is here if you want to take a look. It's still a bit rough: https://github.com/corngood/nixpkgs/tree/dotnet-unpacked-packages I've learned quite a bit about manually packing and unpacking packages, package directories vs. sources, restore vs tool restore vs paket, etc, etc. Ideally I'd like to get to the point where we can just automatically configure something like NUGET_FALLBACK_PACKAGES and not have any .nupkg files in the nix store at all, but there are various quirks in the tools that are blocking that. One consideration with repacking nupkgs is that unless they are uncompressed, runtime dependencies will be obfuscated. In my branch I've just kept the .nupkg files in the same outputs as the unpacked packages, which is now NUGET_PACKAGES is normally structured. It's also an annoying bit of redundancy. As for your step 1:
I haven't done any work on this yet, but it's something that's been on my mind. If we could get that done, I think it would simplify and speed up nuget-to-nix considerably, since it wouldn't have to search for a deterministic package source. It could even allow mirrors to be determined. |
Cool - it would cause mass rebuilds, but naively I'd just edit |
Do you know if it's just the Do you have any real examples of the same package existing on multiple sources? In my experience it happens most on the packages with lots of sources in nuget.config. |
I don't have any examples of packages existing simultaneously in multiple sources other than the trivial "I built this package locally" vs "I uploaded this package to nuget.org". (I don't think I've ever actually operated with multiple NuGet sources except in rather contrived situations where I was fully in control of the contents of most of the sources.) |
If you're not able to find one by the time you have something to test, I'll dig something up.
In my branch I'm planning on using This is a bit off topic, but my idea for that is something along the lines of:
|
By the way, the reason Basically, we should check empirically that the nondeterminism fix doesn't break |
|
it could be done in nuget-to-nix. once the hash is locked there, there should be no need to check it again. nuget-to-nix is going to need to figure out the deterministic hash of the package one way or another anyway. It might work offline if it has embedded public keys. I'm not sure how it works exactly. I'm not sure it's even reliably checking signatures currently. When I stripped the signatures I was able to build all of dotnet 8 VMR without any problem, but dotnet 9 complained about an invalid signature somewhere late in the build. |
In my mind the obvious place to put this would be straight in |
Sorry, I'm not all that familiar with content-addressed nix, so I think I slightly misunderstood how problems relate to each other. I'll try to explain the problem I've been trying to fix in some more detail:
In this situation
If we could make I guess this is more complex than what you were thinking, but it should also solve the CA problem. |
Right, I see. I believe my proposed change (see the draft #326785) does make |
Yup, just tested that empirically:
Then consumed it using the nixpkgs at #326785 (commit a6e32ac9bf59628fb17359d8f448161213d47cde), and observed that indeed the version that made it through
So as far as I have been able to test so far, that PR does indeed make the NuGet package source-independent. |
I still haven't been able to find any practical examples in nixpkgs of packages that are available from multiple sources. I think some of the places where it used to happen are now using |
Ah, here we go. In case this proves useful for something:
|
I also confirmed that the first package there has the same content when you remove the signature file from both versions. |
Next up:
|
Issue description
NuGet.org alters packages during upload by unzipping, adding a signature file to the zip, and re-zipping. This means no local Nix build of a NuGet package can possibly match the version pulled from nuget.org.
https://github.com/NixOS/nixpkgs/blob/8be517b5c9817f2122f27cf8000dda859747adc0/pkgs/build-support/dotnet/make-nuget-deps/default.nix defines how we pull NuGet dependencies.
Would you accept a PR that verifies the downloaded signature if possible (I don't yet know what
dotnet nuget verify
does, but it may be possible to get it to work in the sandbox), and then strips the signature filesignature.p7s
from NuGet.org-downloaded packages before writing the nupkg to the store? That way, in principle in a content-addressed Nix world, it would become possible to locally (reproducibly) build a NuGet package (after adjusting for the fact that NuGet packs are nondeterministic due to zip file timestamps) and have the result be equal to the one thatfetchNuget
gives you.(This is step 1 of my plan; step 2 would be "make
dotnet pack
reproducible, either here or upstream", and step 3 would be "demonstrate that a content-addressed Nix can skip downloading from NuGet if I've already built my nupkg locally".)Maintainers
@corngood is listed in CODEOWNERS; @tie has a bunch of commits that look .NET-specific and therefore might be interested.
The text was updated successfully, but these errors were encountered: