dotnet tool update skips NuGet package signature verification #37469

Open
demcgovern opened this issue Dec 12, 2023 · 7 comments
@demcgovern

Describe the bug

dotnet tool update skips NuGet package signature verification.

To Reproduce

$ dotnet tool update <PACKAGE_ID> --global

Example:

$ dotnet tool update dotnet-ef --global --verbosity detailed
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/index.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/index.json 825ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/0.0.1-alpha/3.1.28.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/0.0.1-alpha/3.1.28.json 97ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/3.1.29/6.0.23.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/3.1.29/6.0.23.json 94ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/6.0.24/8.0.0.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/6.0.24/8.0.0.json 90ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/index.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/index.json 93ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/0.0.1-alpha/3.1.28.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/0.0.1-alpha/3.1.28.json 99ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/3.1.29/6.0.23.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/3.1.29/6.0.23.json 98ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/6.0.24/8.0.0.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-ef/page/6.0.24/8.0.0.json 107ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3-flatcontainer/dotnet-ef/index.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3-flatcontainer/dotnet-ef/index.json 99ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3-flatcontainer/dotnet-ef/8.0.0/dotnet-ef.8.0.0.nupkg
[NuGet Manager] [Info]   OK https://api.nuget.org/v3-flatcontainer/dotnet-ef/8.0.0/dotnet-ef.8.0.0.nupkg 54ms
Skipping NuGet package signature verification.
Tool 'dotnet-ef' was reinstalled with the latest stable version (version '8.0.0').

Further technical details

.NET SDK:
 Version:           8.0.100
 Commit:            57efcf1350
 Workload version:  8.0.100-manifests.8d38d0cc

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19045
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.100\

.NET workloads installed:
 Workload version: 8.0.100-manifests.8d38d0cc
There are no installed workloads to display.

Host:
  Version:      8.0.0
  Architecture: x64
  Commit:       5535e31a71

.NET SDKs installed:
  7.0.203 [C:\Program Files\dotnet\sdk]
  7.0.310 [C:\Program Files\dotnet\sdk]
  7.0.404 [C:\Program Files\dotnet\sdk]
  8.0.100 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download
dotnet-issue-labeler bot added the Area-NuGet and untriaged labels Dec 12, 2023
@ghost

ghost commented Dec 12, 2023

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

ghost closed this as completed Dec 12, 2023
baronfel reopened this Dec 12, 2023
@baronfel
Member

Reopening - we need to make sure the ToolInstaller classes use any prior NuGet configuration for signature validation.

JL03-Yue removed the untriaged label Feb 13, 2024
@aslan-im

any updates?

@VAllens

VAllens commented Feb 19, 2024

any updates?


PS C:\Users\Administrator> dotnet tool install dotnet-dump --global
Skipping NuGet package signature verification.
PS C:\Users\Administrator> 
PS C:\Users\Administrator> dotnet tool install dotnet-dump --global --verbosity detailed
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json 958ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3/registration5-gz-semver2/dotnet-dump/index.json 221ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3-flatcontainer/dotnet-dump/index.json
[NuGet Manager] [Info]   OK https://api.nuget.org/v3-flatcontainer/dotnet-dump/index.json 824ms
[NuGet Manager] [Info]   GET https://api.nuget.org/v3-flatcontainer/dotnet-dump/8.0.510501/dotnet-dump.8.0.510501.nupkg
[NuGet Manager] [Info]   OK https://api.nuget.org/v3-flatcontainer/dotnet-dump/8.0.510501/dotnet-dump.8.0.510501.nupkg 20ms
Skipping NuGet package signature verification.
Tool 'dotnet-dump' was reinstalled with the stable version (version '8.0.510501').
PS C:\Users\Administrator> 
PS C:\Users\Administrator> dotnet --info
.NET SDK:
 Version:           8.0.201
 Commit:            4c2d78f037
 Workload version:  8.0.200-manifests.e575128c

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22631
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.201\

.NET workloads installed:
 [macos]
   Installation Source: VS 17.9.34607.119
   Manifest Version:    14.2.8004/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.macos\14.2.8004\WorkloadManifest.json
   Install Type:        FileBased

 [maui-windows]
   Installation Source: VS 17.9.34607.119
   Manifest Version:    8.0.6/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.maui\8.0.6\WorkloadManifest.json
   Install Type:        FileBased

 [maccatalyst]
   Installation Source: VS 17.9.34607.119
   Manifest Version:    17.2.8004/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.maccatalyst\17.2.8004\WorkloadManifest.json
   Install Type:        FileBased

 [ios]
   Installation Source: VS 17.9.34607.119
   Manifest Version:    17.2.8004/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.ios\17.2.8004\WorkloadManifest.json
   Install Type:        FileBased

 [android]
   Installation Source: VS 17.9.34607.119
   Manifest Version:    34.0.52/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.android\34.0.52\WorkloadManifest.json
   Install Type:        FileBased

 [wasm-tools]
   Installation Source: VS 17.9.34607.119
   Manifest Version:    8.0.2/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.2\WorkloadManifest.json
   Install Type:        FileBased


Host:
  Version:      8.0.2
  Architecture: x64
  Commit:       1381d5ebd2

.NET SDKs installed:
  5.0.408 [C:\Program Files\dotnet\sdk]
  6.0.419 [C:\Program Files\dotnet\sdk]
  7.0.406 [C:\Program Files\dotnet\sdk]
  8.0.200 [C:\Program Files\dotnet\sdk]
  8.0.201 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  DOTNET_ROOT       [C:\Program Files\dotnet]

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

@peymanr34

peymanr34 commented Feb 24, 2024

Also: When the --verbosity detailed switch is not present, it doesn't report the installation result which I found very confusing.


I had no way of knowing whether the tool was installed or not.

baronfel added this to the 8.0.3xx milestone Feb 25, 2024
@JL03-Yue
Member

Thanks for reporting. I believe the change was introduced from #37311 and NuGet package signature verification should be added. I'm looking into this.

@antonio-fr

Any update? This is kind of critical, and the fix stalled for 2 months, skipping the planned milestones.
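
A log-audit check for the symptom reported in this issue, as an added example that is not part of the thread or of the .NET SDK: it scans captured `dotnet tool install`/`update` output for the "Skipping NuGet package signature verification." line and ties each hit to the package that was downloaded. The function name, the sample log (constructed from lines quoted in the reports above) and the assumption that the package id is the first argument after `install`/`update` are this example's own.

```python
import re

# Message the SDK prints when it installs a tool package without a signature check
# (wording taken from the logs quoted in this issue).
SKIP_MARKER = "Skipping NuGet package signature verification."
# Completed flat-container download: .../<id>/<version>/<id>.<version>.nupkg
NUPKG_RE = re.compile(r"\bOK\s+(https?://\S+/([^/\s]+)/([^/\s]+)/[^/\s]+\.nupkg)\b")
# Echoed command; assumes the package id directly follows install/update.
CMD_RE = re.compile(r"\bdotnet\s+tool\s+(?:install|update)\s+(\S+)")

# Constructed sample: one quiet run and one run with --verbosity detailed.
SAMPLE_LOG = """\
$ dotnet tool install dotnet-dump --global
Skipping NuGet package signature verification.
$ dotnet tool update dotnet-ef --global --verbosity detailed
[NuGet Manager] [Info]   GET https://api.nuget.org/v3-flatcontainer/dotnet-ef/8.0.0/dotnet-ef.8.0.0.nupkg
[NuGet Manager] [Info]   OK https://api.nuget.org/v3-flatcontainer/dotnet-ef/8.0.0/dotnet-ef.8.0.0.nupkg 54ms
Skipping NuGet package signature verification.
Tool 'dotnet-ef' was reinstalled with the latest stable version (version '8.0.0').
"""


def find_unverified_installs(log_text):
    """Return one finding per skip marker, tied to the latest download or command."""
    findings = []
    package = version = url = command_pkg = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = CMD_RE.search(line)
        if m:
            # New command: forget the download recorded for the previous one.
            command_pkg, package, version, url = m.group(1), None, None, None
            continue
        m = NUPKG_RE.search(line)
        if m:
            url, package, version = m.group(1), m.group(2), m.group(3)
            continue
        if SKIP_MARKER in line:
            findings.append({
                "line": lineno,
                "package": package or command_pkg,
                "version": version,  # None when the log lacks the detailed download lines
                "url": url,
            })
    return findings


if __name__ == "__main__":
    for finding in find_unverified_installs(SAMPLE_LOG):
        print(finding)
```

Without `--verbosity detailed` the log carries no download URL, so the finding falls back to the package id from the echoed command and leaves the version unknown.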
