XPlat Signing and verification for dotnet core & mono #7939

Closed
2 tasks
rrelyea opened this issue Apr 1, 2019 · 14 comments
Labels: Epic, Functionality:Signing, Priority:2 (Issues for the current backlog), Type:DCR (Design Change Request)

Comments

@rrelyea

rrelyea commented Apr 1, 2019

This epic covers the work needed in order to fully port NuGet's package signing and verification features to all platforms, including mono, as well as the dotnet command itself.
The dotnet APIs have specific XPLAT behaviors that we need to address when tackling signing and verification XPLAT. This will mean either documenting known behavior or making functional changes on specific platforms.

Some things are:

  • X509RevocationMode.Offline is not supported on macOS
  • OCSP is not supported on Linux

More info: https://github.com/dotnet/corefx/blob/master/Documentation/architecture/cross-platform-cryptography.md

Note: Make sure to read the document before implementing since it might change.

There is an initial PR and a summary of remaining work in that PR over at NuGet/NuGet.Client#2706

@clairernovotny

Note this PR shows it working: NuGet/NuGet.Client#2545

There are a couple of comments in there w.r.t. a ComputeSignature overload that needs to be changed as well.

@bruno-garcia

Any update on this? We've had a certificate lying around since August last year, but having to get a Windows VM just to run the signing (thanks @onovotny for SignService) is not ideal.

@karann-msft

karann-msft commented Jul 12, 2019

Hey @bruno-garcia, we are actively working on this.

image

@bruno-garcia

Highly appreciated!

@karann-msft karann-msft changed the title Work on xplat verification / signing for dotnet core & mono Support package verification / signing for dotnet core & mono (xplat) Aug 13, 2019
@zkat zkat self-assigned this Jan 2, 2020
@zkat zkat assigned zkat and unassigned zkat Jan 4, 2020
@zkat zkat changed the title Support package verification / signing for dotnet core & mono (xplat) XPlat Signing and verification for dotnet core & mono Jan 6, 2020
@frivard-coveo

I notice the milestone Sprint has been bumped from month to month for a whole year now; for a security feature this is quite unusual.
@aortiz-msft Can you please share an update about this? With some recent attacks using public package repositories, it is getting urgent that our company-internal packages are properly secured.

@Zastai

Zastai commented Feb 26, 2021

If this is really an Epic, could there at least be an effort to keep its composing issues linked here?
The best we seem to have had is a (now outdated) screenshot.

@heng-liu

heng-liu commented Aug 2, 2021

There is no work left for xplat signing and verification for dotnet core based on the current plan.
Please refer to the following documents for the xplat signing and verification related commands:
https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-verify
https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-trust
https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-sign

For Mono, currently there is no plan for enabling signing and verification.

@heng-liu heng-liu closed this as completed Aug 2, 2021
@raffaeler

@heng-liu The docs do not mention how to sign on Ubuntu (which is the default for GitHub Actions).
Should I create the pfx from the base64 and then use the file on the command line? Suggested tooling?
To avoid reinventing the wheel, could you please add the relevant details here (and then in the docs)?

@heng-liu

Hi @raffaeler, thanks for your question!
May I know what the original format of the cert you have on Ubuntu is?
Or could you check whether any command on the page https://www.openssl.org/docs/man1.1.0/man1/openssl-pkcs12.html is helpful?
Can you please let us know if you find any workable commands? Thanks!

@raffaeler

Thank you @heng-liu
I got the certificate from DigiCert. I installed it in the Windows certificate store, but I also downloaded the .crt, which is usually the preferred format on Linux.

I would ask you to publish the exact commands to be added to the GitHub Actions workflow when an Ubuntu machine is used.
I believe this is a very popular use case, as NuGet is pushing towards signing the packages.

@frivard-coveo

The dotnet-nuget-sign command expects a PFX file, which is quite uncommon on Linux-based systems. In my case I see PEM files in our infrastructure.
I found the following Stack Overflow answer which might be very useful: https://stackoverflow.com/a/808742/15480824
Basically, the OpenSSL tool can be used to combine a CRT and a PEM file into a PFX file.

This seems like an unfortunate workaround, since the .NET Core libraries now support working with formats other than PFX. But the nuget sign command does not seem to have been updated.

@raffaeler

Thank you very much @frivard-coveo
In my personal case I can export the pfx from Windows, encode it using the base64 Ubuntu utility from WSL, put it in the GitHub secrets and decode it in the GitHub action.

But I am very worried about the missing pieces (both in the tool and the documentation) for the Linux scenario, given that it is now so popular (and the default on GitHub Actions).

I kindly ask @heng-liu to provide some kind of feedback about the missing pieces and hope they will soon be filled in.

@janstaelensskyline

Did someone ever get this working? dotnet-nuget-sign with a pfx file on a GitHub action running on Ubuntu?
We've been unable to get it running, nor have we found any clear documentation on how to get the signing to work.
Even when providing a pfx file containing the full chain we get the errors:
error: NU3018: PartialChain: unable to get local issuer certificate
error: NU3018: Certificate chain validation failed.
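The PEM-to-PFX conversion @frivard-coveo points at, the base64 secret round trip @raffaeler describes, and a chain check that reproduces the NU3018 "unable to get local issuer certificate" condition outside of dotnet, as one added example that is not from this issue or from NuGet. File names, the password variable and the timestamp URL are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not NuGet's own tooling). Builds a PFX that "dotnet nuget sign"
# accepts from the PEM files usually present on Linux, checks the chain the way
# OpenSSL will when NuGet validates it, and base64-encodes the PFX for a CI secret.
set -eu

# Count certificates in a PEM bundle (pure shell). Used to make sure the chain
# file actually carries the intermediates before they go into the PFX.
count_pem_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Combine leaf certificate, private key and intermediates into one PKCS#12 file.
# A PFX holding only the leaf cannot satisfy chain building on a host whose
# trust store lacks the issuer, which is what NU3018 "PartialChain" reports.
build_pfx() {
  cert="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"
  [ "$(count_pem_certs "$chain")" -ge 1 ] || { echo "chain file has no certificates" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
      -out "$out" -passout "pass:$pass"
}

# Reproduce the chain build with the same OpenSSL trust store dotnet uses on Linux;
# "unable to get local issuer certificate" here means the issuer is missing from
# either the -untrusted bundle or the system CA store, not a NuGet-specific fault.
verify_chain() {
  openssl verify -untrusted "$2" "$1"
}

# Single-line base64 so the value pastes cleanly into a repository secret, and the
# matching decode step that runs in the workflow before signing.
encode_for_secret() { base64 "$1" | tr -d '\n'; }
decode_from_secret() { printf '%s' "$1" | base64 -d > "$2"; }

if [ "${1:-}" = "run" ]; then
  build_pfx signing.crt signing.key intermediates.pem signing.pfx "$PFX_PASSWORD"
  verify_chain signing.crt intermediates.pem
  encode_for_secret signing.pfx > signing.pfx.b64
  # In CI the secret would come from the workflow environment instead of this file.
  decode_from_secret "$(cat signing.pfx.b64)" restored.pfx
  dotnet nuget sign MyPackage.nupkg --certificate-path restored.pfx \
      --certificate-password "$PFX_PASSWORD" --timestamper http://timestamp.digicert.com
fi
```

Run it as `./sign-prep.sh run` with `PFX_PASSWORD` exported; the `verify_chain` step failing before `dotnet nuget sign` is the quickest way to tell a missing intermediate from a NuGet problem.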

@ghost

ghost commented May 22, 2023

Did someone ever get this working? dotnet-nuget-sign with a pfx file on a github action running on Ubuntu?
We've been unable to get it running nor have we found any clear documentation on how to get the signing to work.
Even when providing a pfx file containing the full chain we get the errors:
error: NU3018: PartialChain: unable to get local issuer certificate
error: NU3018: Certificate chain validation failed.

@janstaelensskyline looks like you need to open a new or link an existing ticket for the missing pieces - #7939 (comment)
