Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing: log additional context when root is untrusted on Linux and macOS #5106

Merged
merged 3 commits into from
Apr 3, 2023
Merged

Signing: log additional context when root is untrusted on Linux and macOS #5106

merged 3 commits into from
Apr 3, 2023

Conversation

dtivel
Copy link
Contributor

@dtivel dtivel commented Mar 23, 2023

Bug

Fixes: NuGet/Home#12459

Regression? Last working version: No

Description

This change improves the signed package verification user experience on Linux and macOS when verification fails because a root certificate is untrusted. This change raises a new warning (NU3042) to accompany an existing NU3018/NU3028 warning. The new warning provides actionable information on how to resolve these warnings.

TODO: create the aka.ms link

CC @JonDouglas, @aortiz-msft

PR Checklist

@dtivel dtivel requested a review from a team as a code owner March 23, 2023 00:12
nkolev92
nkolev92 reviewed Mar 23, 2023
View reviewed changes
Copy link
Member

@nkolev92 nkolev92 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good as far as my signing/verification expertise goes :D

One suggestion for the warning messag.e

src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/CertificateBundleX509ChainFactory.cs Outdated Show resolved Hide resolved
@kartheekp-ms kartheekp-ms force-pushed the dev-dtivel-verification-on-linux branch from d717fc0 to c0e482c Compare March 23, 2023 19:05
@kartheekp-ms
Copy link
Contributor

image

@dtivel - I cloned the repo to review the changes locally but didn't intend to push a commit to your pull request. I clicked on sync or something by mistake in Visual Studio instead of fetch in Git Window. The commits list has only 1 commit which you have authored. Everything is good AFAIK. Sorry for the inconvenience.

@dtivel dtivel force-pushed the dev-dtivel-verification-on-linux branch from c0e482c to 7c6440d Compare March 23, 2023 19:24
kartheekp-ms
kartheekp-ms previously approved these changes Mar 24, 2023
View reviewed changes
@jeffkl jeffkl self-requested a review March 28, 2023 17:23
@dtivel dtivel requested a review from kartheekp-ms April 3, 2023 17:25
@dtivel
Copy link
Contributor Author

dtivel commented Apr 3, 2023

@kartheekp-ms, can you please sign off again? I applied feedback from Nikolche, and that dismissed your approval.

@dtivel dtivel merged commit 5a54365 into dev Apr 3, 2023
@dtivel dtivel deleted the dev-dtivel-verification-on-linux branch April 3, 2023 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nkolev92 nkolev92 nkolev92 left review comments

@erdembayar erdembayar erdembayar approved these changes

@jeffkl jeffkl Awaiting requested review from jeffkl

@kartheekp-ms kartheekp-ms Awaiting requested review from kartheekp-ms

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Signing: raise actionable message on Linux if verification results in untrusted failure
4 participants
@dtivel @kartheekp-ms @nkolev92 @erdembayar