Code Signing Certificate Request: Silk.NET #147

Closed
6 tasks done
Perksey opened this issue Mar 18, 2021 · 16 comments
@Perksey
Member

Perksey commented Mar 18, 2021

Follow up from #115:

Please fill in the information below

  • Project Name: Silk.NET
  • LastPass Email (or send offline): dylan@ultz.co.uk (note: currently not set up with LastPass)

Certificate onboarding checklist:

  • Register trade name @ChrisSfanos
  • Create configuration in Code Signing Service
  • Create organization with DigiCert
  • Request certificate from DigiCert
  • Received certificate and finalize sign service configuration
  • Provide credentials in shared folder in LastPass
@Perksey Perksey added the project support label Mar 18, 2021
@ChrisSfanos
Collaborator

Trade name registration submitted this morning

@clairernovotny
Member

Hi @Perksey Sorry for the long delay. There were some hiccups with DigiCert due to some baseline requirements changing. We have the certificate up and configured. Can you please set up with LastPass and I can share the credentials with you?

@Perksey
Member Author

Perksey commented Jul 6, 2021

No worries! LastPass account created, let me know if you need me to do anything else.

@clairernovotny
Member

Just shared the folder with the credentials.

There's a sample pipeline here: https://github.com/novotnyllc/CodeSigningDemo

@Perksey
Member Author

Perksey commented Jul 6, 2021

Brill, thanks!

@Perksey Perksey closed this as completed Jul 6, 2021
@clairernovotny
Member

Once you have your Pipeline configured, please add dotnetfoundation as a co-owner to any NuGet packages. The certificate will be recognized by NuGet then.

@Perksey
Member Author

Perksey commented Jul 24, 2021

Hi Claire,

Is there any way to achieve this without adding dotnetfoundation as an owner?

Currently we use an organisation API key to push our packages which has rights to use our reserved prefix, and there's no NuGet REST API to add an owner to a package programmatically. Given that our library sources are mostly generated (monthly), it would mean that we'd have to manually go through our packages (in case the generator has created new ones) and add the org as an owner - something that could be time consuming given it can't be automated.

Could we add the certificate to our own organisation, and perhaps add a .NET Foundation account as one of the owners of the Silk.NET organisation? Another option would be contacting NuGet support to add dotnetfoundation as an organisation permitted to use our prefix, and then using a dotnetfoundation API key to push our packages. Still some manual package owner modification involved, but only once.

@Perksey
Member Author

Perksey commented Jul 27, 2021

Will reopen until the above is resolved.

@Perksey Perksey reopened this Jul 27, 2021
@clairernovotny
Member

clairernovotny commented Jul 27, 2021

The foundation requires co-ownership in NuGet regardless. Once a package has dotnetfoundation as a co-owner, subsequent updates are automatically carried forward, so that shouldn't be too bad?

@Perksey
Member Author

Perksey commented Jul 27, 2021

More than happy with the foundation having ownership of the packages, but from a practicality standpoint we have 163 NuGet packages so any ownership modification would ideally be at the organisation level (i.e. giving a foundation-owned account ownership of the Silk.NET organisation)

Given that NuGet has no public API endpoints for modifying package ownership, any individual package-level ownership modifications would take a very long time given we have 163 of them!

I'm fine with having to update the certificate on our organisation too (less seamless of course) but I understand that the foundation needs ownership for administration purposes as well. Is there an equivalent of the dnfadmin GitHub account for NuGet i.e. an individual non-organisation account we can grant ownership of the organisation to?

@clairernovotny
Member

clairernovotny commented Jul 27, 2021

I agree that 163 packages is a lot, and it's equally painful on the accepting side.... I can start an email thread with the NuGet team to see what they can do.

We don't have individual accounts like that as that's generally an anti-pattern and not the best for security. We do need ownership for admin and project continuity purposes as well, though it'd be extreme circumstances that we'd expect to need it.

@Perksey
Member Author

Perksey commented Jul 27, 2021

That'd be great, thanks!

@clairernovotny
Member

As a short term workaround (as per the email thread), you can save the cert as a DER-encoded .cer file and then register that on the account you're currently using. That'll let you publish the signed packages.

@Perksey
Member Author

Perksey commented Aug 4, 2021

Will keep this issue open until we do manage to get the package ownership transferred, but will use that workaround in the meantime. Thanks!

@clairernovotny
Member

Hi, @Perksey I know it took much longer than expected to address the package ownership issues on NuGet. Now that it's resolved, how is this coming; are you all set here, can we close this issue?

@Perksey
Member Author

Perksey commented Jan 27, 2022

Yep, now that’s solved this can be closed off - forgot to update this issue, sorry!

Thanks for all of your help :)

@Perksey Perksey closed this as completed Jan 27, 2022