Verify Signatures of Downloaded Content in DNUP #51093

@nagilson

We met with the Microsoft Crypto Review Board and got approval on several signing solutions.

We also wrote a proposal to sign the releases-index.json, the sub-versioned manifests included within releases-index.json, and the archives of .NET (.zip and .tar.gz files). DNUP should verify the signatures of all content it downloads before extracting them into a working / production directory. The logic may end up residing within the DotnetRelease library, at least for manifest signature validation, since that library exists as a wrapper around the manifests.

The signatures are tentatively available by adding .sig as a suffix to the end of the URL for both the manifests and archives.

Note: For nightly builds, there is no manifest. This is why we must be able to verify the archives. To save performance in the standard implementation, we don't actually need to verify the archives if we verify the manifest signature and then the hash of the archive.

Currently, neither of these is signed. We are driving some of the effort for the signatures but likely not implementing that part ourselves. For details on how to implement the signature verifications, please reach out to me or our working security group.
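The two verification paths described in the issue, as an added C# sketch that is not DNUP or DotnetRelease code. It assumes a `.sig` file is a detached ECDSA P-256/SHA-256 signature over the raw bytes and uses a simplified, constructed manifest shape (`files[].url`, `files[].hash` as hex SHA-512); the real signature format is not stated on this page, and the key, URL and archive bytes are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class DownloadVerifier
{
    // Assumption: a .sig file is a detached ECDSA P-256/SHA-256 signature over the raw bytes.
    public static bool VerifyDetached(byte[] content, byte[] sig, ECDsa trustedKey) =>
        trustedKey.VerifyData(content, sig, HashAlgorithmName.SHA256);

    // Standard path: trust the manifest signature, then the archive hash the manifest lists.
    public static bool VerifyViaManifest(byte[] manifest, byte[] manifestSig, ECDsa trustedKey,
                                         string archiveUrl, byte[] archive)
    {
        // Parse the manifest only after its signature has been validated.
        if (!VerifyDetached(manifest, manifestSig, trustedKey)) return false;
        using var doc = JsonDocument.Parse(manifest);
        foreach (var file in doc.RootElement.GetProperty("files").EnumerateArray())
        {
            if (file.GetProperty("url").GetString() != archiveUrl) continue;
            byte[] expected = Convert.FromHexString(file.GetProperty("hash").GetString() ?? "");
            return CryptographicOperations.FixedTimeEquals(expected, SHA512.HashData(archive));
        }
        return false; // archive not listed in the signed manifest: fail closed
    }
}

static class Program
{
    static void Main()
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // constructed test key
        const string url = "https://example.invalid/dotnet-sdk.zip";  // constructed URL
        byte[] archive = Encoding.UTF8.GetBytes("constructed archive bytes");
        string hash = Convert.ToHexString(SHA512.HashData(archive));
        byte[] manifest = Encoding.UTF8.GetBytes(
            $"{{\"files\":[{{\"url\":\"{url}\",\"hash\":\"{hash}\"}}]}}");
        byte[] manifestSig = key.SignData(manifest, HashAlgorithmName.SHA256);
        // Nightly path: no manifest exists, so the archive's own .sig is checked directly.
        byte[] archiveSig = key.SignData(archive, HashAlgorithmName.SHA256);
        Console.WriteLine(DownloadVerifier.VerifyDetached(archive, archiveSig, key));
        Console.WriteLine(DownloadVerifier.VerifyViaManifest(manifest, manifestSig, key, url, archive));
        archive[0] ^= 1; // a tampered archive no longer matches the signed hash
        Console.WriteLine(DownloadVerifier.VerifyViaManifest(manifest, manifestSig, key, url, archive));
    }
}
```

In a real client the trusted public key would be pinned in the tool rather than generated at run time, and verification would complete before anything is extracted into the working directory.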
