Support Azure Trusted Signing certificate on NuGet.org account settings #10027
Comments
|
@jozefizso thanks for reaching out. Could you please include details of what feature or change you are proposing? Thanks! |
|
The Gallery should support the code signatures made by Azure Trusted Signing. It is unfeasible to upload new signature to Gallery each three days to get the verified badge. |
joelverhagen
added
Area: Gallery UI
Area: Validation
feature-request
|
Thanks for opening the issue @jozefizso. I agree using Trusted Signing with NuGet.org is a painful process today. You need to extract the .cer file from your signed artifact (or get it from Trusted Signing directly, perhaps) and then manually upload it to your account profile on NuGet.org. For my own experiments I created a CLI tool to extract the .cer file and include it as a GitHub Actions artifact. This is better than nothing, but not much better! |
|
I would nice if we could get a new option to specify the
And then when we upload the NuGet package the server checks if this matches and also checks if the signing of the package is done by the right authority. |
joelverhagen
changed the title
|
Supporting the Subscriber identity validation EKU as @dlemstra points out would be durable over all certificate rotations/renewals. Here is the public docs on these values: https://learn.microsoft.com/en-us/azure/trusted-signing/concept-trusted-signing-cert-management#subscriber-identity-validation-eku. |
|
This problem is currently impacting Git Credential Manager that ships a NuGet package that's signed by Azure Trusted Signing – would love to see some support for these sorts of certificates/signed packages, and a solution that is durable over all of the short-lived certs. |
@joelverhagen is the & "bin\Sign.Cli\sign.exe" something that you have created? can you share it? or do you have any pointers how to get nuget sign with trusted service? or are you using dotnet/sign#716 |
|
The |
|
yep, just getting to that conclusion also, there are a few cli options changed but pretty much what im looking for... thank you |
|
And those options might still change because the PR is still being reviewed by the team. |
|
Yep important is the sign functionality itself if that works we can start integrating it already |
|
@dlemstra is spot on. I have a private build of sign CLI used in the pipeline links above. But to be clear this GitHub issue tracks better support of Trusted Signing on NuGet.org (verification of signing at push time in NuGet.org) and not the sign flow which is tracked by dotnet/sign#683. |
|
Has anyone seen issues where the validation fails with sign cli and trusted signing. I'm extracting out the certificate using @joelverhagen tool I can see the valid certificate in the nuget package explorer tool seeing I have got the SHA1/256 hash and confirmed its there, and in the cert area it's showing microsoft signing there like its picked up and processed the cert. I have tried the sign cli experimental version, jsign client, signtool as recommended in the docs and all producing the same results. |
|
no problems so far, you could try this (assuming u have done az login and your account has permissions) dotnet tool install --global AzureTrustedSignTool that signs the packages and generates a .cer next to each nuget. so you can upload both at same time. So far no problems with this approach. |
|
@jmecosta I think its some sort of special rules for my package rather than a trusted signing process issue. Eg having some packages get published (with the same single owner) and some not. Splat had the DotNetFoundation as a owner and I know there are special rules for DNF owned packages, also its in a reserved space. I suspect it's more rules around that rather than a legitimate certificate failure given the intermitient results about which ones pass (nupkg that never were owned by the DotNetFoundation user get published) I have used the same steps you have used above effectively. |
|
Interesting I've never notice certificate bounded to package names. |
|
@glennawatson i can confirm this also, ive just experience the same. the account is shared, and ive uploaded the CER file with my account and the other user was not able to publish the nuget... he then re-upload the CER to his account and was able to do so. so conclusion is that the ones uploading the nugets need to have the CER files uploaded also |
|
@jmecosta, @glennawatson, @mjcheetham - folks, thank you for your input so far in this issue. @dlemstra has opened a proposal design to address this NuGet.org limitation. Any input you have for Dirk and our team would be most appreciated over on the proposal PR: NuGet/Home#13791! |
NuGet Product(s) Involved
Other/NA
The Elevator Pitch
The Azure Trusted Signing service rotates the managed authenticode certificates each three days.
As the NuGet Gallery requires to specify a single, long lived certificate, it is not feasible to sign nuget packages with the ATS.
Additional Context and Details
@dlemstra has authored a proposal design to fix this problem: NuGet/Home#13791
The text was updated successfully, but these errors were encountered: