-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dotnet tool update
skips NuGet package signature verification
#37469
Comments
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue! If you believe this issue was closed out of error, please comment to let us know. Happy Coding! |
Reopening - we need to make sure the ToolInstaller classes use any prior NuGet configuration for signature validation. |
any updates? |
any updates? PS C:\Users\Administrator> dotnet tool install dotnet-dump --global
Skipping NuGet package signature verification.
PS C:\Users\Administrator>
PS C:\Users\Administrator> dotnet tool install dotnet-dump --global --verbosity detailed
[NuGet Manager] [Info] GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json
[NuGet Manager] [Info] OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json 958ms
[NuGet Manager] [Info] GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json
[NuGet Manager] [Info] OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json 221ms
[NuGet Manager] [Info] GET https://api.nuget.org/v3-flatcontainer/dotnet-dump/index.json
[NuGet Manager] [Info] OK https://api.nuget.org/v3-flatcontainer/dotnet-dump/index.json 824ms
[NuGet Manager] [Info] GET https://api.nuget.org/v3-flatcontainer/dotnet-dump/8.0.510501/dotnet-dump.8.0.510501.nupkg
[NuGet Manager] [Info] OK https://api.nuget.org/v3-flatcontainer/dotnet-dump/8.0.510501/dotnet-dump.8.0.510501.nupkg 20ms
Skipping NuGet package signature verification.
Tool 'dotnet-dump' was reinstalled with the stable version (version '8.0.510501').
PS C:\Users\Administrator>
PS C:\Users\Administrator> dotnet --info
.NET SDK:
Version: 8.0.201
Commit: 4c2d78f037
Workload version: 8.0.200-manifests.e575128c
Runtime Environment:
OS Name: Windows
OS Version: 10.0.22631
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\8.0.201\
.NET workloads installed:
[macos]
Installation Source: VS 17.9.34607.119
Manifest Version: 14.2.8004/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.macos\14.2.8004\WorkloadManifest.json
Install Type: FileBased
[maui-windows]
Installation Source: VS 17.9.34607.119
Manifest Version: 8.0.6/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.maui\8.0.6\WorkloadManifest.json
Install Type: FileBased
[maccatalyst]
Installation Source: VS 17.9.34607.119
Manifest Version: 17.2.8004/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.maccatalyst\17.2.8004\WorkloadManifest.json
Install Type: FileBased
[ios]
Installation Source: VS 17.9.34607.119
Manifest Version: 17.2.8004/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.ios\17.2.8004\WorkloadManifest.json
Install Type: FileBased
[android]
Installation Source: VS 17.9.34607.119
Manifest Version: 34.0.52/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.android\34.0.52\WorkloadManifest.json
Install Type: FileBased
[wasm-tools]
Installation Source: VS 17.9.34607.119
Manifest Version: 8.0.2/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.2\WorkloadManifest.json
Install Type: FileBased
Host:
Version: 8.0.2
Architecture: x64
Commit: 1381d5ebd2
.NET SDKs installed:
5.0.408 [C:\Program Files\dotnet\sdk]
6.0.419 [C:\Program Files\dotnet\sdk]
7.0.406 [C:\Program Files\dotnet\sdk]
8.0.200 [C:\Program Files\dotnet\sdk]
8.0.201 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.All 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
DOTNET_ROOT [C:\Program Files\dotnet]
global.json file:
Not found
Learn more:
https://aka.ms/dotnet/info
Download .NET:
https://aka.ms/dotnet/download |
Thanks for reporting. I believe the change was introduced from #37311 and NuGet package signature verification should be added. I'm looking into this. |
Any update? This is kind of critical, and the fix stalled for 2 months, skipping the planned milestones. |
Fixes dotnet#37469 Add signature verifications for NuGet Tools
Describe the bug
dotnet tool update
skips NuGet package signature verification.To Reproduce
Example:
Further technical details
The text was updated successfully, but these errors were encountered: