
Restore: installing a tampered signed package results in multiple failed install attempts (with repeated output) #8175

Closed
dtivel opened this issue May 31, 2019 · 2 comments · Fixed by NuGet/NuGet.Client#2867

Comments

@dtivel
Contributor

dtivel commented May 31, 2019

Repro steps

  1. Create a signed package.
  2. Tamper with the signed package by adding/removing/modifying a file in the package, but leave .signature.p7s intact.
  3. Create a project with a ProjectReference to the signed package.
  4. Restore the project with a package source that contains the tampered package.

Results
Install for the tampered package is attempted multiple times (for different RIDs) and all the output, warnings, and errors are repeated for each install.

Example

C:\repro>NuGet.exe restore C:\repro\project.csproj -Source C:\repro\source --debug
MSBuild auto-detection: using msbuild version '16.200.19.26402' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Preview\MSBuild\Current\bin'.
Restoring packages for C:\repro\project.csproj...
Installing X 9.0.0.
Package 'X 9.0.0' from source 'C:\repro\source': Signature Hash Algorithm: SHA256
NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
WARNING: NU3027: Package 'X 9.0.0' from source 'C:\repro\source': The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Package 'X 9.0.0' from source 'C:\repro\source': Signature type: Author
Package 'X 9.0.0' from source 'C:\repro\source': Verifying the author primary signature with certificate:
  Subject Name: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
  SHA1 hash: FE1EDCB45B98AE9977663D88C5CCEEE11E58FF4D
  SHA256 hash: 8C45915D4D809DD86034DD9A53F0CED1669853C5299663AB3290CE4AACF91B9D
  Issued by: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
  Valid from: 5/31/2019 10:36:08 AM to 5/31/2019 11:36:08 AM

WARNING: NU3037: Package 'X 9.0.0' from source 'C:\repro\source': The author primary signature validity period has expired.
Installing X 9.0.0.
Package 'X 9.0.0' from source 'C:\repro\source': Signature Hash Algorithm: SHA256
NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
WARNING: NU3027: Package 'X 9.0.0' from source 'C:\repro\source': The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Package 'X 9.0.0' from source 'C:\repro\source': Signature type: Author
Package 'X 9.0.0' from source 'C:\repro\source': Verifying the author primary signature with certificate:
  Subject Name: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
  SHA1 hash: FE1EDCB45B98AE9977663D88C5CCEEE11E58FF4D
  SHA256 hash: 8C45915D4D809DD86034DD9A53F0CED1669853C5299663AB3290CE4AACF91B9D
  Issued by: CN=NuGetTest-7bce06de-c693-441f-bed3-a6527d0ff019
  Valid from: 5/31/2019 10:36:08 AM to 5/31/2019 11:36:08 AM

WARNING: NU3037: Package 'X 9.0.0' from source 'C:\repro\source': The author primary signature validity period has expired.
Committing restore...
Generating MSBuild file C:\repro\obj\project.csproj.nuget.g.props.
Writing assets file to disk. Path: C:\repro\obj\project.assets.json
Restore failed in 10.94 min for C:\repro\project.csproj.

Errors in C:\repro\project.csproj
    NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.
    NU3008: Package 'X 9.0.0' from source 'C:\repro\source': The package integrity check failed.

NuGet Config files used:
    C:\repro\NuGet.Config
    C:\Users\dtivel\AppData\Roaming\NuGet\NuGet.Config
    C:\Program Files (x86)\NuGet\Config\Microsoft.VisualStudio.Offline.config

Feeds used:
    C:\repro\source

Installed:
    1 package(s) to C:\repro\project.csproj

Notes

  • Test Restore_TamperedPackage_FailsAsync started failing recently here for this reason. Tests Restore_PackageWithCompressedSignature_WarnAsError_FailsAndDoesNotExpandAsync and Restore_PackageWithCompressedSignature_RequireMode_FailsAndDoesNotExpandAsync also failed for this issue.
  • The output reports 1 package installed, which also seems incorrect.
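As an added example (not NuGet's code, and not a reproduction of its real content-hash algorithm, which hashes the raw archive bytes with the signature entries excluded), a Python model of the repro above: a constructed archive whose `.signature.p7s` entry records a content hash, the tampering step that leaves that entry intact, and a restore that verifies the package once regardless of how many RIDs are in play and counts it as installed only when verification passes. All names (`SIGNATURE_ENTRY`, `build_signed_package`, `tamper`, `verify`, `restore`) and inputs are constructed for this illustration.

```python
# Constructed model, not NuGet's code: NuGet hashes raw archive bytes with the
# signature entries excluded; this hashes entry names and contents instead.
import hashlib
import io
import zipfile

SIGNATURE_ENTRY = ".signature.p7s"
NU3008 = "NU3008: The package integrity check failed."

def _hash_entries(entries):
    """SHA-256 over (name, data) pairs, skipping the signature file itself."""
    h = hashlib.sha256()
    for name, data in sorted(entries):
        if name != SIGNATURE_ENTRY:
            h.update(name.encode() + b"\0" + data)
    return h.hexdigest()

def content_hash(nupkg_bytes):
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        return _hash_entries((i.filename, z.read(i)) for i in z.infolist())

def build_signed_package(files):
    """Step 1: the 'signature' entry just records the content hash (no real PKCS#7)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr(SIGNATURE_ENTRY, _hash_entries(files.items()).encode())
    return buf.getvalue()

def tamper(nupkg_bytes, name, data):
    """Step 2: add or replace one file, leaving .signature.p7s untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info.filename, src.read(info))
        dst.writestr(name, data)
    return out.getvalue()

def verify(nupkg_bytes):
    """Integrity check: [] when intact, one NU3008-style message on mismatch."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        recorded = z.read(SIGNATURE_ENTRY).decode()
    return [] if recorded == content_hash(nupkg_bytes) else [NU3008]

def restore(nupkg_bytes, rids):
    """Step 4 as it should behave: verify once, not once per RID, and count the
    package as installed only when verification passes."""
    errors = verify(nupkg_bytes)  # result does not depend on len(rids)
    return (0 if errors else 1), errors
```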
@dtivel dtivel self-assigned this May 31, 2019
@dtivel dtivel changed the title Signing: attempting to install a tampered signed package performs multiple failed installs (with duplicate output) Restore: installing a tampered signed package results in multiple failed install attempts (with repeated output) May 31, 2019
@dtivel
Contributor Author

dtivel commented May 31, 2019

The regression coincides with moving to the VS 2019 build agent pool after May 24th.

dtivel added a commit to NuGet/NuGet.Client that referenced this issue Jun 3, 2019
@dtivel dtivel added this to the 5.2 milestone Jun 7, 2019
@rrelyea
Contributor

rrelyea commented Jul 11, 2019

Looks like a product bug fix, not a test fix.
