Register package signing certificates on NuGet.org #5346

Closed
anangaur opened this issue Jan 24, 2018 · 9 comments

Comments

@anangaur
Member

anangaur commented Jan 24, 2018

As part of submitting signed packages, package authors on NuGet.org would need to register these certificates on NuGet.org.

The spec for this feature can be found here: NuGet/Home/wiki/Register-package-signing-certificates

@clairernovotny

The section that talks about deleting a registered certificate where there are already packages uploaded using it is unclear.

What if I, as a package author, want to prevent new packages from being uploaded with a particular certificate? It's not clear how I can disable any further uploads with a particular certificate.

@anangaur
Member Author

@onovotny Thanks for the feedback. Added a section to explain the revoked/expired cert cases and clarified the 'delete certificates' section a bit more. Do let me know if more clarity is required.

What happens when a certificate expires or is revoked?

  • New packages signed with the expired/revoked certificates will not be published i.e. the push/upload/update actions would fail.

Deleting/Removing registered certificates

One may want to remove an existing registered certificate if he/she gets another certificate that he/she intends to use for package signing. In such a case, the new certificate would need to be registered using the flow discussed above. Additionally the author may want to remove the certificate he/she does not want to use any longer:

  • A registered certificate can be safely removed by clicking on the delete button if there were no packages uploaded to NuGet.org signed with that certificate. The row for the registered certificate will no longer be shown.
  • If there were one or more packages pushed to NuGet.org, the delete action will disable the row that shows the registered certificate but should not remove the row altogether.
  • In both these delete cases, the packages signed with these deleted certificates cannot be published to NuGet.org i.e. the push/upload/update actions will fail.

@clairernovotny

clairernovotny commented Jan 25, 2018 via email

@maartenba
Contributor

Package owners can manage certificate requirements for their packages. That's great, but imagine this:

  • UserA or OrgA owns 100 packages
  • UserMe is co-owner, as I have to upload these packages as part of my job
  • UserMe updates all cert requirements to none or to a certificate owned by UserMe
  • UserA / OrgA drops UserMe as an owner

What happens when I get removed as co-owner? Does my cert still apply to the packages/upload? Can UserX ever upload another package if I get removed as an owner but the package requires my cert?

Additionally, if UserMe can temporarily set the certificate requirement to none, UserMe could upload an unsigned package and then switch it all back to normal. Signature validation will of course fail downstream for that package, but what if the downstream has that disabled?

All in all like the spec!

@anangaur
Member Author

What happens if the user made some mistake in deleting the cert? Can they re-enable it?

@onovotny , re-uploading the same cert should re-enable the registration. Updated the spec. Thanks!

@anangaur
Member Author

@maartenba the cert requirement is pinned on account(s) uploading it. So today you may have no certificate and hence you can upload unsigned packages. Tomorrow you can register CertA and you now would need to submit packages signed by CertA. Day after, you may choose to remove CertA and upload a new CertB or no cert at all. Depending upon which certs are registered in the context of the package in the owner(s)' account(s), package must be signed with corresponding cert(s).

What happens when I get removed as co-owner? Does my cert still apply to the packages/upload? Can UserX ever upload another package if I get removed as an owner but the package requires my cert?

If you are removed as co-owner, the cert requirements for packages apply for the current owners i.e. UserX can upload the package unsigned (if no certs are registered) or with CertX (the cert registered by UserX).

Additionally, if UserMe can temporarily set the certificate requirement to none, UserMe could upload an unsigned package and then switch it all back to normal. Signature validation will of course fail downstream for that package, but what if the downstream has that disabled?

UserMe can set to none only if one of the co-owners does not have any registered cert. If all the owners have certs registered, default option is "Any of the certs" registered by "Any of the Owners". It can be changed to either UserMe's certs or User2's cert or any other Owner's cert.
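
The owner and certificate rules described in the comment above, modelled as an added example (not NuGet.org code and not part of the original thread). The class names, the `ANY_OWNER`/`NONE` setting names, the constructed fingerprints such as `CERT-A`, and the reset of a pinned requirement when its owner is removed are assumptions of this sketch.

```python
from dataclasses import dataclass, field

ANY_OWNER, NONE = "any-owner", "none"   # hypothetical names for the two generic settings

@dataclass
class Account:
    name: str
    certs: dict = field(default_factory=dict)    # fingerprint -> "active" | "disabled"

    def register(self, fp):
        self.certs[fp] = "active"                # re-uploading a deleted cert re-enables it

    def delete(self, fp, has_signed_packages):
        if has_signed_packages:
            self.certs[fp] = "disabled"          # row stays visible but disabled
        else:
            self.certs.pop(fp, None)             # row disappears

    def active(self):
        return {fp for fp, state in self.certs.items() if state == "active"}

@dataclass
class Package:
    owners: list
    required: str = ANY_OWNER                    # ANY_OWNER, NONE, or one owner's name

    def set_required(self, value):
        # "none" is only offered when some co-owner has no registered cert
        if value == NONE and all(o.active() for o in self.owners):
            raise ValueError("'none' needs a co-owner with no registered cert")
        self.required = value

    def remove_owner(self, name):
        self.owners = [o for o in self.owners if o.name != name]
        if self.required == name:                # assumption: pin to a removed owner resets
            self.required = ANY_OWNER

    def accepted(self):
        if self.required == NONE:
            return set()
        pool = [o for o in self.owners if self.required in (ANY_OWNER, o.name)]
        return set().union(*(o.active() for o in pool))

    def can_push(self, signer_fp=None, cert_valid=True):
        allowed = self.accepted()
        if signer_fp is None:
            return not allowed                   # unsigned only when no cert is required
        return cert_valid and signer_fp in allowed   # expired/revoked/deleted certs fail
```

Replaying the co-owner scenario from the thread against this model shows the property to check in any implementation: after `remove_owner("UserMe")`, pushes signed with the removed owner's certificate are rejected and the remaining owner is not locked out.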

@anangaur
Member Author

All in all like the spec!

@maartenba Thanks :)

@anangaur
Member Author

@maartenba I also feel that if the cert changes between the package updates, this should be adequately handled through warnings during upload/push and during consumption.
/cc: @rido-min

@maartenba
Contributor

Ok makes sense!
