Add logging if we detect the app host is running with an untrusted dev cert

src/Aspire.Hosting/AspireEventSource.cs

@@ -370,4 +370,22 @@ public void StartResourceStop(string kind, string resourceName)
             WriteEvent(42, kind, resourceName);
         }
     }
+
+    [Event(43, Level = EventLevel.Informational, Message = "Development certificate trust check is starting...")]
+    public void DevelopmentCertificateTrustCheckStart()
+    {
+        if (IsEnabled())
+        {
+            WriteEvent(43);
+        }
+    }
+
+    [Event(44, Level = EventLevel.Informational, Message = "Development certificate trust check completed")]
+    public void DevelopmentCertificateTrustCheckStop()
+    {
+        if (IsEnabled())
+        {
+            WriteEvent(44);
+        }
+    }
 }

src/Aspire.Hosting/Dashboard/DashboardEventHandlers.cs

@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 #pragma warning disable ASPIREFILESYSTEM001 // Type is for evaluation purposes only
+#pragma warning disable ASPIRECERTIFICATES001 // Type is for evaluation purposes only
 
 using System.Collections.Concurrent;
 using System.Diagnostics;
@@ -424,6 +425,7 @@ private void ConfigureAspireDashboardResource(IResource dashboardResource)
         if (otlpGrpcEndpointUrl != null)
         {
             var address = BindingAddress.Parse(otlpGrpcEndpointUrl);
+
             dashboardResource.Annotations.Add(new EndpointAnnotation(ProtocolType.Tcp, name: OtlpGrpcEndpointName, uriScheme: address.Scheme, port: address.Port, isProxied: true, transport: "http2")
             {
                 TargetHost = address.Host
@@ -433,6 +435,7 @@ private void ConfigureAspireDashboardResource(IResource dashboardResource)
         if (otlpHttpEndpointUrl != null)
         {
             var address = BindingAddress.Parse(otlpHttpEndpointUrl);
+
             dashboardResource.Annotations.Add(new EndpointAnnotation(ProtocolType.Tcp, name: OtlpHttpEndpointName, uriScheme: address.Scheme, port: address.Port, isProxied: true)
             {
                 TargetHost = address.Host
@@ -442,12 +445,45 @@ private void ConfigureAspireDashboardResource(IResource dashboardResource)
         if (mcpEndpointUrl != null)
         {
             var address = BindingAddress.Parse(mcpEndpointUrl);
+
             dashboardResource.Annotations.Add(new EndpointAnnotation(ProtocolType.Tcp, name: McpEndpointName, uriScheme: address.Scheme, port: address.Port, isProxied: true)
             {
                 TargetHost = address.Host
             });
         }
 
+        // Determine whether any HTTPS endpoints are configured
+        var hasHttpsEndpoint = dashboardResource.TryGetAnnotationsOfType<EndpointAnnotation>(out var endpoints) && endpoints.Any(e => e.UriScheme is "https");
+
+        if (hasHttpsEndpoint &&
+            !dashboardResource.HasAnnotationOfType<HttpsCertificateConfigurationCallbackAnnotation>())
+        {
+            // If the dashboard has an HTTPS endpoint and we haven't already applied an HTTPS certificate configuration (no HttpsCertificateConfigurationCallbackAnnotation),
+            // apply a default configuration with a valid trusted dev cert instance.
+            var developerCertificateService = executionContext.ServiceProvider.GetRequiredService<IDeveloperCertificateService>();
+            var trustDeveloperCertificate = developerCertificateService.TrustCertificate;
+            if (dashboardResource.TryGetLastAnnotation<CertificateAuthorityCollectionAnnotation>(out var certificateAuthorityAnnotation))
+            {
+                trustDeveloperCertificate = certificateAuthorityAnnotation.TrustDeveloperCertificates.GetValueOrDefault(trustDeveloperCertificate);
+            }
+
+            if (trustDeveloperCertificate)
+            {
+                dashboardResource.Annotations.Add(new HttpsCertificateConfigurationCallbackAnnotation(ctx =>
+                {
+                    // Ensure we use a trusted developer certificate (Kestrel selects the latest certificate, which may not be trusted after an SDK update).
+                    // There can be issues referencing an exported PEM key pair on MacOS, so we the PFX version of the certificate here.
+                    ctx.EnvironmentVariables["Kestrel__Certificates__Default__Path"] = ctx.PfxPath;
+                    if (ctx.Password is not null)
+                    {
+                        ctx.EnvironmentVariables["Kestrel__Certificates__Default__Password"] = ctx.Password;
+                    }
+
+                    return Task.CompletedTask;
+                }));
+            }
+        }
+
         dashboardResource.Annotations.Add(new ResourceUrlsCallbackAnnotation(c =>
         {
             var browserToken = options.DashboardToken;

src/Aspire.Hosting/Dcp/DcpHost.cs

@@ -10,12 +10,15 @@
 using Aspire.Hosting.ApplicationModel;
 using Aspire.Hosting.Dcp.Process;
 using Aspire.Hosting.Resources;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Aspire.Hosting.Dcp;
 
 #pragma warning disable ASPIREINTERACTION001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+#pragma warning disable ASPIRECERTIFICATES001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+#pragma warning disable ASPIREFILESYSTEM001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
 
 internal sealed class DcpHost
 {
@@ -29,6 +32,9 @@ internal sealed class DcpHost
     private readonly IInteractionService _interactionService;
     private readonly Locations _locations;
     private readonly TimeProvider _timeProvider;
+    private readonly IDeveloperCertificateService _developerCertificateService;
+    private readonly IFileSystemService _fileSystemService;
+    private readonly IConfiguration _configuration;
     private readonly CancellationTokenSource _shutdownCts = new();
     private Task? _logProcessorTask;
 
@@ -48,7 +54,10 @@ public DcpHost(
         IInteractionService interactionService,
         Locations locations,
         DistributedApplicationModel applicationModel,
-        TimeProvider timeProvider)
+        TimeProvider timeProvider,
+        IDeveloperCertificateService developerCertificateService,
+        IFileSystemService fileSystemService,
+        IConfiguration configuration)
     {
         _loggerFactory = loggerFactory;
         _logger = loggerFactory.CreateLogger<DcpHost>();
@@ -58,11 +67,15 @@ public DcpHost(
         _locations = locations;
         _applicationModel = applicationModel;
         _timeProvider = timeProvider;
+        _developerCertificateService = developerCertificateService;
+        _fileSystemService = fileSystemService;
+        _configuration = configuration;
     }
 
     public async Task StartAsync(CancellationToken cancellationToken)
     {
         await EnsureDcpContainerRuntimeAsync(cancellationToken).ConfigureAwait(false);
+        await EnsureDevelopmentCertificateTrustAsync(cancellationToken).ConfigureAwait(false);
         EnsureDcpHostRunning();
     }
 
@@ -122,6 +135,63 @@ internal async Task EnsureDcpContainerRuntimeAsync(CancellationToken cancellatio
         }
     }
 
+    internal async Task EnsureDevelopmentCertificateTrustAsync(CancellationToken cancellationToken)
+    {
+        AspireEventSource.Instance.DevelopmentCertificateTrustCheckStart();
+
+        try
+        {
+            // If no resources use HTTPS/TLS, there's no need to warn about untrusted dev certificates.
+            if (!_applicationModel.Resources.Any(ResourceUsesTls))
+            {
+                return;
+            }
+
+            // Check and warn if no trusted dev certs exist, or if a newer untrusted cert was detected
+            var hasNewerUntrustedCert = _developerCertificateService.LatestCertificateIsUntrusted;
+            var hasNoTrustedCerts = _developerCertificateService.Certificates.Count == 0;
+
+            if (hasNoTrustedCerts || hasNewerUntrustedCert)
+            {
+                string title;
+                string message;
+
+                if (hasNoTrustedCerts)
+                {
+                    title = InteractionStrings.NoDeveloperCertificateTrustedTitle;
+                    message = InteractionStrings.NoDeveloperCertificateTrustedMessage;
+                    _logger.LogWarning("No trusted Aspire development certificate was found. See https://aka.ms/aspire/devcerts for more information.");
+                }
+                else
+                {
+                    title = InteractionStrings.DeveloperCertificateNotFullyTrustedTitle;
+                    message = InteractionStrings.DeveloperCertificateNotFullyTrustedMessage;
+                    _logger.LogWarning("The most recent development certificate isn't fully trusted. See https://aka.ms/aspire/devcerts for more information.");
+                }
+
+                // Check if the interaction service is available (dashboard enabled)
+                if (!_interactionService.IsAvailable)
+                {
+                    return;
+                }
+
+                // Send notification to the dashboard
+                _ = _interactionService.PromptNotificationAsync(
+                    title: title,
+                    message: message,
+                    options: new NotificationInteractionOptions
+                    {
+                        Intent = MessageIntent.Error,
+                    },
+                    cancellationToken: cancellationToken);
+            }
+        }
+        finally
+        {
+            AspireEventSource.Instance.DevelopmentCertificateTrustCheckStop();
+        }
+    }
+
     public async Task StopAsync()
     {
         _shutdownCts.Cancel();
@@ -474,6 +544,38 @@ private static bool IsContainerRuntimeHealthy(DcpInfo dcpInfo)
         var running = dcpInfo.Containers?.Running ?? false;
         return installed && running;
     }
+
+    /// <summary>
+    /// Determines whether a resource uses HTTPS/TLS by checking for HTTPS endpoint annotations
+    /// or active HTTPS certificate configuration callbacks that haven't been disabled.
+    /// </summary>
+    private static bool ResourceUsesTls(IResource resource)
+    {
+        // Check if the resource has any HTTPS endpoints
+        if (resource.Annotations.OfType<EndpointAnnotation>().Any(e => e.UriScheme is "https"))
+        {
+            return true;
+        }
+
+        // Check if the resource has an HTTPS certificate configuration callback that hasn't been
+        // disabled via WithoutHttpsCertificate(). HttpsCertificateAnnotation has no effect without
+        // HttpsCertificateConfigurationCallbackAnnotation, so it's only checked as a filter here.
+        if (resource.Annotations.OfType<HttpsCertificateConfigurationCallbackAnnotation>().Any())
+        {
+            // The callback is present. Check if it's been disabled by WithoutHttpsCertificate()
+            // which sets UseDeveloperCertificate = false and Certificate = null.
+            if (resource.TryGetLastAnnotation<HttpsCertificateAnnotation>(out var certAnnotation)
+                && certAnnotation.UseDeveloperCertificate is false or null
+                && certAnnotation.Certificate is null)
+            {
+                return false;
+            }
+
+            return true;
+        }
+
+        return false;
+    }
 }
 
 #pragma warning restore ASPIREINTERACTION001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.