Signing: on Linux, verify that untrusted certificates giving unknown revocation doesn't affect the correctness of our code. #8044

Closed
heng-liu opened this issue Apr 22, 2019 · 6 comments
Labels
Functionality:Signing Priority:2 Issues for the current backlog.

Comments

@heng-liu
Contributor

On Linux, untrusted certificates also give unknown revocation. We need to make sure this is by design and it doesn't affect the correctness of our code.

This is one of the breakdown tasks from NuGet/NuGet.Client#2706

@heng-liu heng-liu added this to the 5.1 milestone Apr 22, 2019
@heng-liu heng-liu self-assigned this Apr 22, 2019
@heng-liu heng-liu modified the milestones: 5.1, 5.2 Apr 25, 2019
@zivkan zivkan modified the milestones: 5.2, 5.3 Jul 1, 2019
@rrelyea rrelyea modified the milestones: 5.3, 5.4 Aug 21, 2019
@rrelyea rrelyea modified the milestones: 5.4, Backlog Oct 31, 2019
@zkat zkat added Epic and removed Epic labels Jan 6, 2020
@zkat zkat removed this from the Backlog milestone Jan 6, 2020
@zkat zkat self-assigned this Jan 29, 2020
@zkat
Contributor

zkat commented Jan 29, 2020

I don't really understand what this task is referring to or where to look. Any pointers, @dtivel @heng-liu?

@heng-liu
Contributor Author

Asked for Damon's suggestion before, as follows:

You need to verify that the extra error (unknown revocation) does not affect our verification result on Linux as compared with Windows.

It may be that enabling all our package signing tests on Linux may give you the verification you need. I'm not confident of this without knowing how good our coverage is of untrusted certificates.

@zkat
Contributor

zkat commented Jan 29, 2020

Sounds like we need to wait until the rest of the stuff is enabled to see what to do about this one. I'll drop it for now, then. Thanks, Heng!

@zkat zkat removed their assignment Jan 29, 2020
@zkat zkat removed this from the Sprint 165 - 2020.01.20 milestone Jan 29, 2020
@heng-liu
Contributor Author

You may see the different behaviors from CertificateChainUtilityTests.GetCertificateChain_WithUntrustedRoot_Throws

@kartheekp-ms
Contributor

kartheekp-ms commented Apr 16, 2020

When untrusted certificates are used, observed that on netcoreapp5.0 the behavior is consistent between Windows and Linux. Chain build logic on an untrusted root in netcoreapp5.0 and net472 will raise UntrustedRoot, RevocationStatusUnknown and OfflineRevocation warnings, whereas on Linux in netcore2.1 and netcore3.1 UntrustedRoot and OfflineRevocation warnings are raised.

@kartheekp-ms
Contributor

Unit tests in CertificateChainUtilityTests.cs are referred to while working on this issue.
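One way to observe the chain status flags discussed in this thread on each runtime and OS, as an added example that is not NuGet's code or tests. The certificate names, serial number and revocation settings are constructed assumptions; the program prints the flags with and without the revocation-related ones so that the output of two platforms can be compared.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class UntrustedRootChainStatus
{
    // Revocation-related flags named in the thread; RevocationStatusUnknown
    // is the one reported as varying by runtime.
    const X509ChainStatusFlags RevocationFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using (RSA rootKey = RSA.Create(2048))
        using (RSA leafKey = RSA.Create(2048))
        {
            // Constructed root CA that is in no trust store, so the chain ends in an untrusted root.
            var rootReq = new CertificateRequest("CN=Constructed Untrusted Root", rootKey,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            var leafReq = new CertificateRequest("CN=Constructed Leaf", leafKey,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Leaf validity is nested inside the root's validity (constructed dates and serial).
            using (X509Certificate2 root = rootReq.CreateSelfSigned(now.AddDays(-2), now.AddDays(60)))
            using (X509Certificate2 leaf = leafReq.Create(root, now.AddDays(-1), now.AddDays(30),
                new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 }))
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.ExtraStore.Add(root);  // lets the builder find the issuer
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;     // assumption
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // assumption

                bool built = chain.Build(leaf);
                // Combine the per-element statuses into one flag set.
                X509ChainStatusFlags all = chain.ChainStatus
                    .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
                X509ChainStatusFlags withoutRevocation = all & ~RevocationFlags;

                Console.WriteLine($"Build returned:            {built}");
                Console.WriteLine($"All status flags:          {all}");
                Console.WriteLine($"Ignoring revocation flags: {withoutRevocation}");
            }
        }
    }
}
```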
