Manually port fix 50027 to the 10.0.1xx branch

src/Cli/dotnet/CliStrings.resx

@@ -838,4 +838,7 @@ The default is 'false.' However, when targeting .NET 7 or lower, the default is
   <data name="PackCmd_OneNuspecAllowed" xml:space="preserve">
     <value>Only one .nuspec file can be packed at a time</value>
   </data>
+  <data name="Error_NU1302_HttpSourceUsed" xml:space="preserve">
+    <value>You are running the 'tool install' operation with an 'HTTP' source: {0}. NuGet requires HTTPS sources. To use an HTTP source, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. Refer to https://aka.ms/nuget-https-everywhere for more information.</value>
+  </data>
 </root>

src/Cli/dotnet/Commands/Tool/Install/ToolInstallGlobalOrToolPathCommand.cs

@@ -96,7 +96,22 @@ public ToolInstallGlobalOrToolPathCommand(
             NoCache: parseResult.GetValue(ToolCommandRestorePassThroughOptions.NoCacheOption) || parseResult.GetValue(ToolCommandRestorePassThroughOptions.NoHttpCacheOption),
             IgnoreFailedSources: parseResult.GetValue(ToolCommandRestorePassThroughOptions.IgnoreFailedSourcesOption),
             Interactive: parseResult.GetValue(ToolCommandRestorePassThroughOptions.InteractiveRestoreOption));
-        nugetPackageDownloader ??= new NuGetPackageDownloader.NuGetPackageDownloader(tempDir, verboseLogger: new NullLogger(), restoreActionConfig: restoreActionConfig, verbosityOptions: _verbosity, verifySignatures: verifySignatures ?? true);
+        nugetPackageDownloader ??= new NuGetPackageDownloader.NuGetPackageDownloader(tempDir, verboseLogger: new NullLogger(), restoreActionConfig: restoreActionConfig, verbosityOptions: _verbosity, verifySignatures: verifySignatures ?? true, shouldUsePackageSourceMapping: true, currentWorkingDirectory: _currentWorkingDirectory);
+
+        // Perform HTTP source validation early to ensure compatibility with .NET 9 requirements
+        if (_packageId != null)
+        {
+            var packageSourceLocationForValidation = new PackageSourceLocation(
+                nugetConfig: GetConfigFile(),
+                additionalSourceFeeds: _addSource,
+                basePath: _currentWorkingDirectory);
+
+            if (nugetPackageDownloader is NuGetPackageDownloader.NuGetPackageDownloader concreteDownloader)
+            {
+                concreteDownloader.LoadNuGetSources((PackageId)_packageId, packageSourceLocationForValidation);
+            }
+        }
+
         _shellShimTemplateFinder = new ShellShimTemplateFinder(nugetPackageDownloader, tempDir, packageSourceLocation);
         _store = store;
 

src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs

@@ -4,9 +4,11 @@
 #nullable disable
 
 using System.Collections.Concurrent;
+using Microsoft.DotNet.Cli.Extensions;
 using Microsoft.DotNet.Cli.NugetPackageDownloader;
 using Microsoft.DotNet.Cli.ToolPackage;
 using Microsoft.DotNet.Cli.Utils;
+using Microsoft.DotNet.Cli.Utils.Extensions;
 using Microsoft.Extensions.EnvironmentAbstractions;
 using NuGet.Common;
 using NuGet.Configuration;
@@ -450,9 +452,21 @@ public IEnumerable<PackageSource> LoadNuGetSources(PackageId packageId, PackageS
             throw new NuGetPackageInstallerException("No NuGet sources are defined or enabled");
         }
 
+        CheckHttpSources(sources);
         return sources;
     }
 
+    private void CheckHttpSources(IEnumerable<PackageSource> packageSources)
+    {
+        foreach (var packageSource in packageSources)
+        {
+            if (packageSource.IsHttp && !packageSource.IsHttps && !packageSource.AllowInsecureConnections)
+            {
+                throw new NuGetPackageInstallerException(string.Format(CliStrings.Error_NU1302_HttpSourceUsed, packageSource.Source));
+            }
+        }
+    }
+
     private async Task<(PackageSource, IPackageSearchMetadata)> GetMatchingVersionInternalAsync(
         string packageIdentifier, IEnumerable<PackageSource> packageSources, VersionRange versionRange,
         CancellationToken cancellationToken)