Repro steps
Tamper with the signed package by adding, removing or modifying a file in the package, but leave .signature.p7s intact.
Create a project with a ProjectReference to the signed package.
Restore the project with a package source that contains the tampered package.
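The repro above hinges on what NuGet's integrity check (NU3008) is defending against: the archive entries can be changed while the .signature.p7s entry is left untouched, so verification must recompute a hash of the package contents excluding the signature file and compare it with what was signed. The following is an added illustration, not NuGet.Client's code: it stands in a content hash for the real PKCS#7 signature (no certificate checks, so nothing corresponding to NU3027/NU3037), builds a small package, "signs" it, applies each kind of tampering named in the repro steps, and shows the check failing while the signature entry stays byte-for-byte identical. All entry names and contents are constructed sample data.

```python
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple

# The real NuGet signature entry name (from the issue). Everything else in this
# file is a constructed stand-in for the integrity step, not NuGet's own format.
SIGNATURE_ENTRY = ".signature.p7s"


def _read_entries(package_bytes: bytes) -> Dict[str, bytes]:
    """Load every archive entry into memory (a .nupkg is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def _write_entries(entries: Dict[str, bytes]) -> bytes:
    """Write entries back out in a deterministic (sorted) order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            zf.writestr(name, entries[name])
    return buf.getvalue()


def content_hash(package_bytes: bytes) -> str:
    """SHA-256 over every entry except the signature file.

    Entry name and length are mixed in so that renaming, reordering, or moving
    bytes between entries also changes the hash, not just editing one file.
    """
    h = hashlib.sha256()
    for name, data in sorted(_read_entries(package_bytes).items()):
        if name == SIGNATURE_ENTRY:
            continue
        h.update(name.encode("utf-8") + b"\0")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def build_package(files: Dict[str, bytes]) -> bytes:
    """Create an unsigned package from a name -> content mapping."""
    return _write_entries(dict(files))


def sign_package(package_bytes: bytes) -> bytes:
    """Stand-in for author signing: store the content hash in .signature.p7s.

    A real signature would be a PKCS#7 blob signing this hash with the author's
    certificate; the integrity check below only needs the hash comparison.
    """
    entries = _read_entries(package_bytes)
    entries[SIGNATURE_ENTRY] = content_hash(package_bytes).encode("ascii")
    return _write_entries(entries)


def verify_package(signed_bytes: bytes) -> Tuple[bool, str]:
    """Recompute the content hash and compare it with the signed value."""
    entries = _read_entries(signed_bytes)
    signed_hash = entries.get(SIGNATURE_ENTRY)
    if signed_hash is None:
        return False, "unsigned: no .signature.p7s entry"
    if content_hash(signed_bytes) != signed_hash.decode("ascii"):
        # Same message NuGet prints for a package whose contents no longer
        # match the signed hash.
        return False, "NU3008: The package integrity check failed."
    return True, "integrity check passed"


def tamper_package(signed_bytes: bytes, name: str, data: Optional[bytes]) -> bytes:
    """Rewrite the archive with one entry added/modified (data) or removed (None),
    copying .signature.p7s through unchanged, as in the repro step."""
    entries = _read_entries(signed_bytes)
    if data is None:
        entries.pop(name, None)
    else:
        entries[name] = data
    return _write_entries(entries)


if __name__ == "__main__":
    # Constructed sample package; names and bytes are placeholders.
    signed = sign_package(build_package({
        "X.nuspec": b"<package/>",
        "lib/net5.0/X.dll": b"MZ original",
    }))
    print("intact:  ", verify_package(signed))
    print("modified:", verify_package(tamper_package(signed, "lib/net5.0/X.dll", b"MZ modified")))
    print("removed: ", verify_package(tamper_package(signed, "X.nuspec", None)))
    print("added:   ", verify_package(tamper_package(signed, "tools/extra.txt", b"x")))
```

The point of the deterministic entry ordering and the name/length framing in content_hash is that the check depends only on the package content, never on the signature entry itself, which is exactly why leaving .signature.p7s intact does not help a tampered package pass.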
Results
Install for the tampered package is attempted multiple times (for different RIDs), and all the output, warnings, and errors are repeated for each install.
Example
C:\repro>NuGet.exe restore C:\repro\project.csproj -Source C:\repro\source --debug
MSBuild auto-detection: using msbuild version '16.200.19.26402' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Preview\MSBuild\Current\bin'.
Restoring packages for C:\repro\project.csproj...
Installing X 9.0.0.
Package 'X 9.0.0' from source 'C:\repro\source': Signature Hash Algorithm: SHA256
NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
WARNING: NU3027: Package 'X 9.0.0' from source 'C:\repro\source': The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Package 'X 9.0.0' from source 'C:\repro\source': Signature type: Author
Package 'X 9.0.0' from source 'C:\repro\source': Verifying the author primary signature with certificate:
Subject Name: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
SHA1 hash: FE1EDCB45B98AE9977663D88C5CCEEE11E58FF4D
SHA256 hash: 8C45915D4D809DD86034DD9A53F0CED1669853C5299663AB3290CE4AACF91B9D
Issued by: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
Valid from: 5/31/2019 10:36:08 AM to 5/31/2019 11:36:08 AM
WARNING: NU3037: Package 'X 9.0.0' from source 'C:\repro\source': The author primary signature validity period has expired.
Installing X 9.0.0.
Package 'X 9.0.0' from source 'C:\repro\source': Signature Hash Algorithm: SHA256
NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
WARNING: NU3027: Package 'X 9.0.0' from source 'C:\repro\source': The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Package 'X 9.0.0' from source 'C:\repro\source': Signature type: Author
Package 'X 9.0.0' from source 'C:\repro\source': Verifying the author primary signature with certificate:
Subject Name: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
SHA1 hash: FE1EDCB45B98AE9977663D88C5CCEEE11E58FF4D
SHA256 hash: 8C45915D4D809DD86034DD9A53F0CED1669853C5299663AB3290CE4AACF91B9D
Issued by: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
Valid from: 5/31/2019 10:36:08 AM to 5/31/2019 11:36:08 AM
WARNING: NU3037: Package 'X 9.0.0' from source 'C:\repro\source': The author primary signature validity period has expired.
Committing restore...
Generating MSBuild file C:\repro\obj\project.csproj.nuget.g.props.
Writing assets file to disk. Path: C:\repro\obj\project.assets.json
Restore failed in 10.94 min for C:\repro\project.csproj.
Errors in C:\repro\project.csproj
NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
NuGet Config files used:
C:\repro\NuGet.Config
C:\Users\dtivel\AppData\Roaming\NuGet\NuGet.Config
C:\Program Files (x86)\NuGet\Config\Microsoft.VisualStudio.Offline.config
Feeds used:
C:\repro\source
Installed:
1 package(s) to C:\repro\project.csproj
Notes
Test Restore_TamperedPackage_FailsAsync started failing recently here for this reason. Tests Restore_PackageWithCompressedSignature_WarnAsError_FailsAndDoesNotExpandAsync and Restore_PackageWithCompressedSignature_RequireMode_FailsAndDoesNotExpandAsync also failed for this issue.
The output reports 1 package installed, which also seems incorrect.
dtivel changed the title from "Signing: attempting to install a tampered signed package performs multiple failed installs (with duplicate output)" to "Restore: installing a tampered signed package results in multiple failed install attempts (with repeated output)" on May 31, 2019.