allowUntrustedRoot not respected on Linux #9942

Closed
rido-min opened this issue Aug 25, 2020 · 1 comment

@rido-min

I'm validating a package signed with a self-signed-certificate that is trusted in nuget.config with allowUntrustedRoot=true

I can add/restore with dotnet on Windows, but in Linux it fails with

The author primary signature found a chain building issue: PartialChain: unable to get local issuer certificate
```
dotnet add package System.Rido -v 1.0.8-pre
Determining projects to restore...
Writing /tmp/tmpn6Jdws.tmp
info : Adding PackageReference for package 'System.Rido' into project '/home/rido/code/secure-packages-demo/MyConsoleApp/MyConsoleApp.csproj'.
info : Restoring packages for /home/rido/code/secure-packages-demo/MyConsoleApp/MyConsoleApp.csproj...
info : CACHE https://api.nuget.org/v3-flatcontainer/microsoft.aspnetcore.app.ref/index.json
info : CACHE https://api.nuget.org/v3-flatcontainer/microsoft.netcore.app.ref/index.json
info : Installing Microsoft.NETCore.App.Ref 3.0.0.
info : CACHE https://api.nuget.org/v3-flatcontainer/microsoft.netcore.app.ref/3.0.0/microsoft.netcore.app.ref.3.0.0.nupkg
info : Installing Microsoft.AspNetCore.App.Ref 3.0.1.
info : CACHE https://api.nuget.org/v3-flatcontainer/microsoft.aspnetcore.app.ref/3.0.1/microsoft.aspnetcore.app.ref.3.0.1.nupkg
info : Installing System.Rido 1.0.8-pre.
info : Package 'System.Rido 1.0.8-pre' from source '/home/rido/code/secure-packages-demo/_pkgs': Signature Hash Algorithm: SHA256
info : Package 'System.Rido 1.0.8-pre' from source '/home/rido/code/secure-packages-demo/_pkgs': Timestamp: 03/10/2019 23:25:34
info : Package 'System.Rido 1.0.8-pre' from source '/home/rido/code/secure-packages-demo/_pkgs': Verifying author primary signature's timestamp with timestamping service certificate:
info : Subject Name: CN=DigiCert SHA2 Timestamp Responder, O=DigiCert, C=US
info : SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB
info : SHA256 hash: FC834D5BFFDE31DBA5B79BF95F573F7953BCBF9156E8525163E828EB92EA8A93
info : Issued by: CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
info : Valid from: 01/03/2017 16:00:00 to 01/17/2028 16:00:00
info : Package 'System.Rido 1.0.8-pre' from source '/home/rido/code/secure-packages-demo/_pkgs': Signature type: Author
info : Package 'System.Rido 1.0.8-pre' from source '/home/rido/code/secure-packages-demo/_pkgs': Verifying the author primary signature with certificate:
info : Subject Name: CN=Ringo, OU=Beatles
info : SHA1 hash: F275ADE1D47A0419AC8B5F93D41932E8C3FE8B97
info : SHA256 hash: F6B6EF6F6A9C60BC4B0A181A140C8CF1BA849B30C500FDD44F77A4C1672904B3
info : Issued by: CN=Ringo, OU=Beatles
info : Valid from: 02/13/2019 14:55:24 to 02/13/2020 15:15:24
error: Package 'System.Rido 1.0.8-pre' from source '/home/rido/code/secure-packages-demo/_pkgs': The author primary signature found a chain building issue: PartialChain: unable to get local issuer certificate
info : Package 'System.Rido' is compatible with all the specified frameworks in project '/home/rido/code/secure-packages-demo/MyConsoleApp/MyConsoleApp.csproj'.
error: Value cannot be null. (Parameter 'path1')
```

Repro Steps

  1. Download this package to a local folder https://raw.githubusercontent.com/ridomin/secure-packages-demo/master/_pkgs/System.Rido.1.0.8-pre.nupkg
  2. dotnet new console -o myConsole
  3. add a nuget.config to configure signing, local package source and trusted signers (see below)
  4. dotnet add package System.Rido -v 1.0.8-pre

Expected. The package is installed (same behavior as in Windows)
Observed. The error above

Sample NuGet.Config

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
    <add key="_pkgs" value="./_pkgs" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
    <add key="globalPackagesFolder" value="~/.nuget/TrustedPackages" />
  </config>
  <trustedSigners>
    <author name="Ringo">
      <certificate fingerprint="F6B6EF6F6A9C60BC4B0A181A140C8CF1BA849B30C500FDD44F77A4C1672904B3"
                   hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>
</configuration>
```

@heng-liu
Contributor

This is not an issue.
The self-signed certificate will not be trusted unless the X509KeyUsageFlags.CrlSign and X509KeyUsageFlags.KeyCertSign are set, for Linux only.
Please refer to #8841

Please generate the self-signed certificate by running the latest TestCertGenerator\CreateTestCertificate.ps1 from https://github.com/NuGet/Entropy
(The change is in PR NuGet/Entropy#37)
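
The key-usage condition described in the comment above can be checked before a certificate is listed under `trustedSigners`. The following is an added example, not part of the original thread and not code from NuGet or the Entropy script; the class name, helper names and the two constructed test certificates are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class KeyUsageCheck
{
    // The two flags the comment above names as required on Linux.
    const X509KeyUsageFlags Required =
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign;

    // True when the certificate's Key Usage extension carries both flags.
    // A certificate with no Key Usage extension has neither flag set.
    static bool HasRequiredKeyUsage(X509Certificate2 cert)
    {
        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        return ku != null && (ku.KeyUsages & Required) == Required;
    }

    // Constructed test certificate: self-signed, code-signing EKU, given key usage.
    static X509Certificate2 MakeSelfSigned(string subject, X509KeyUsageFlags usage)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, true));
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.3") }, false)); // code signing
            // Only public data is read afterwards, so the key can be disposed here.
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddYears(1));
        }
    }

    static void Main()
    {
        var certs = new[]
        {
            MakeSelfSigned("CN=Example Without Flags", X509KeyUsageFlags.DigitalSignature),
            MakeSelfSigned("CN=Example With Flags",
                X509KeyUsageFlags.DigitalSignature | Required),
        };
        foreach (var cert in certs)
        {
            // SHA256 hash in the hex form used by <certificate fingerprint="..."> in nuget.config.
            Console.WriteLine($"{cert.Subject}: KeyCertSign+CrlSign={HasRequiredKeyUsage(cert)} " +
                $"sha256={cert.GetCertHashString(HashAlgorithmName.SHA256)}");
        }
    }
}
```

To inspect an existing signing certificate instead of the constructed ones, load it with `new X509Certificate2(path)` and pass it to `HasRequiredKeyUsage`.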
