XPlat Signing and verification for dotnet core & mono #7939
Comments
Note this PR shows it working: NuGet/NuGet.Client#2545. There are a couple of comments in there w.r.t. a
Any update on this? We've got a certificate lying around since August last year but having to get a Windows VM just to run the signing (Thanks @onovotny for SignService) is not ideal.
hey @bruno-garcia - we are actively working on this.
Highly appreciated!
I notice the milestone Sprint has been bumped from month to month for a whole year now; for a security feature this is quite unusual.
There is no work left for xplat signing and verification for dotnet core based on the current plan. For Mono, currently there is no plan for enabling signing and verification.
@heng-liu The docs do not mention how to sign on Ubuntu (which is the default for GitHub Actions).
Hi @raffaeler, thanks for your question!
Thank you @heng-liu. I would ask you to publish the exact commands to be added to the GitHub Actions when an Ubuntu machine is used.
The dotnet-nuget-sign command expects a PFX file, which is quite uncommon on Linux-based systems. In my case I see PEM files in our infrastructure. This seems like an unfortunate workaround, since the .NET Core libraries now support working with formats other than PFX. But the nuget sign command does not seem to have been updated.
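Added example (not part of this thread and not NuGet's own code): one way to bridge the PEM-to-PFX gap described in the comment above on a Linux runner, using `openssl pkcs12 -export` followed by `dotnet nuget sign`. The function names, the `PFX_PASSWORD` and `KEY_PASSPHRASE` variable names and the temporary file name are assumptions of this example; it assumes `openssl` and the .NET SDK are installed.

```shell
#!/bin/sh
# Added example: bundle a PEM certificate and key into a PFX, then sign a package.
# Function, file and environment variable names are assumptions of this example.

# pem_to_pfx CERT_PEM KEY_PEM OUT_PFX
# The PFX password comes from $PFX_PASSWORD (and $KEY_PASSPHRASE if the PEM key
# is encrypted) through openssl's env: source, so neither is on openssl's argv.
pem_to_pfx() {
    cert=$1; key=$2; out=$3
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 2; }
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read PEM inputs" >&2; return 2
    fi
    export PFX_PASSWORD
    set -- -export -in "$cert" -inkey "$key" -out "$out" -passout env:PFX_PASSWORD
    if [ -n "${KEY_PASSPHRASE:-}" ]; then
        export KEY_PASSPHRASE
        set -- "$@" -passin env:KEY_PASSPHRASE
    fi
    rm -f "$out"    # a stale file would keep its old permissions
    # The PFX contains the private key: create it owner-only (0600).
    ( umask 077; openssl pkcs12 "$@" ) || { rm -f "$out"; return 1; }
}

# sign_nupkg PACKAGE PFX [TIMESTAMPER_URL]
# dotnet nuget sign takes the password as an argument, so it is visible to
# other local processes while the command runs.
sign_nupkg() {
    pkg=$1; pfx=$2; tsa=${3:-}
    set -- nuget sign "$pkg" --certificate-path "$pfx" \
        --certificate-password "$PFX_PASSWORD"
    [ -z "$tsa" ] || set -- "$@" --timestamper "$tsa"
    dotnet "$@"
}

# sign_with_pem PACKAGE CERT_PEM KEY_PEM [TIMESTAMPER_URL]
# Keeps the PFX in a private temp directory and removes it afterwards.
sign_with_pem() {
    workdir=$(mktemp -d) || return 1
    rc=0
    pem_to_pfx "$2" "$3" "$workdir/signing.pfx" &&
        sign_nupkg "$1" "$workdir/signing.pfx" "${4:-}" || rc=$?
    rm -rf "$workdir"
    return "$rc"
}
```

In a CI job, `PFX_PASSWORD` would come from the runner's secret store and the call would look like `sign_with_pem MyLib.1.0.0.nupkg cert.pem key.pem`, where the package and PEM file names are placeholders.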
Thank you very much @frivard-coveo. But I am very worried about the missing pieces (both in the tool and the documentation) for the Linux scenario, given that it is now so popular (and the default on GitHub Actions). I kindly ask @heng-liu to provide some kind of feedback about the missing pieces and hope they will soon be filled in.
Did someone ever get this working? dotnet-nuget-sign with a PFX file on a GitHub Action running on Ubuntu?
@janstaelensskyline looks like you need to open a new or link an existing ticket for the missing pieces - #7939 (comment)
This epic covers the work needed in order to fully port NuGet's package signing and verification features to all platforms, including mono, as well as the dotnet command itself.
The dotnet APIs have specific XPLAT behaviors that we need to address when tackling signing and verification XPLAT. This will mean either documenting known behavior or making functional changes on specific platforms.
Some things are:
More info: https://github.com/dotnet/corefx/blob/master/Documentation/architecture/cross-platform-cryptography.md
Note: Make sure to read the document before implementing since it might change.
There is an initial PR and a summary of remaining work in that PR over at NuGet/NuGet.Client#2706