[Client policy] An error NU3018 “The author primary signature's signing certificate is not trusted by the trust provider” occurs when Install package with trusted signers and package with untrusted root #13114

Closed
CiciLi1 opened this issue Dec 28, 2023 · 8 comments
@CiciLi1

CiciLi1 commented Dec 28, 2023

NuGet Product Used

NuGet.exe

Product Version

NuGet Client Dev\6.9.0.67

Worked before?

It worked in nuget client Dev\6.8.0.101 since we used the "CreateTestCertificate.ps1" file to create certificate but we use "MakeTestCert.csproj" this time.

Impact

It's more difficult to complete my work

Repro Steps & Context

Repro Steps:

1. Patch dotnet SDK.
2. Add NuGet.exe path into System variables and create a package with command "nuget pack .csproj" for testing.
3. Go to the patchedSDK folder and create a new test certificate:

   ```
   .\dotnet run --project .\Entropy\MakeTestCert\MakeTestCert.csproj --framework net7.0
   ```

4. Sign a package: `NuGet.exe sign <PackageFilePath> -CertificatePath <PfxFilePath>`
5. Create a project in VS and add required mode in nuget.config file with trusted signers list (the SHA256 fingerprint is the one in step 3):

   ```xml
   <config>
     <add key="signatureValidationMode" value="require" />
   </config>
   <trustedSigners>
     <author name="JamieZhang">
       <certificate fingerprint="AAAAA" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
     </author>
   </trustedSigners>
   ```

6. Reload the solution in VS, update the package source to the signed package path above (in step 4) and install the package into the project in PM UI.

Expected:    

The signed package was successfully installed into the project without any error.

Actual:       

The package failed to install with error NU3018 “The author primary signature's signing certificate is not trusted by the trust provider” as below:
[image: MicrosoftTeams-image (1)]

Notes:   

1. The repro rate is 100%.
2. It also repros in VS 17.8 (D17.8\34309.116 with implicit NuGet 6.8.0.131).

Verbose Logs

No response

@martinrrm
Contributor

I wasn't able to reproduce this on my local machine, VS version 17.9.0 Preview 1.0, and I didn't patch the SDK, using 8.0.200-preview.23624.5.

@CiciLi1
Author

CiciLi1 commented Jan 2, 2024

Hi @martinrrm, I verified this issue with the unpatched SDK using 8.0.200-preview.23620.12; this issue can also be reproduced as below:
[image]

nkolev92 added the Priority:2 (Issues for the current backlog.) label Jan 8, 2024

@nkolev92
Member

nkolev92 commented Jan 8, 2024

Team Triage: Hey @dtivel, would you mind taking a look at this issue, and help us understand whether there's a test setup issue or a product issue.

Thanks!

@dtivel
Contributor

dtivel commented Jan 19, 2024

@CiciLi1, you said that previously this test passed when you used CreateTestCertificate.ps1. Can you please provide the exact statement you used for CreateTestCertificate.ps1 --- all arguments. In particular, did you use -AddAsTrustedRootAuthority?

@CiciLi1
Author

CiciLi1 commented Jan 22, 2024

> @CiciLi1, you said that previously this test passed when you used CreateTestCertificate.ps1. Can you please provide the exact statement you used for CreateTestCertificate.ps1 --- all arguments. In particular, did you use -AddAsTrustedRootAuthority?

Hi @dtivel, we previously used the exact statement in the nuget client Dev\6.8.0.101 with the statement `.\CreateTestCertificate.ps1` and did not use `-AddAsTrustedRootAuthority`.

@dtivel
Contributor

dtivel commented Jan 25, 2024

@CiciLi1, I'm going to guess that you're copying the SHA-256 fingerprint output by MakeTestCert into your nuget.config file and it fails. However, if you upper-case the fingerprint in nuget.config, it should succeed.

Please confirm.

@dtivel
Contributor

dtivel commented Jan 25, 2024

@CiciLi1, if it helps, Visual Studio has a command which can take the selected text and make it upper case.

[image]

@CiciLi1
Author

CiciLi1 commented Jan 26, 2024

> @CiciLi1, I'm going to guess that you're copying the SHA-256 fingerprint output by MakeTestCert into your nuget.config file and it fails. However, if you upper-case the fingerprint in nuget.config, it should succeed.
>
> Please confirm.

Hi @dtivel, the case works well when the fingerprint is upper-case in the nuget.config file. I will close this issue. Thanks for your help.
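
The resolution reached in this thread, as an added example (not code from NuGet or from any participant): a small Python linter for the `trustedSigners` section of nuget.config that flags `<certificate>` fingerprints that are not upper-case hex of the length implied by `hashAlgorithm`. The sample config, the `ExampleAuthor` name, the fingerprint value and the function names are constructed for illustration; the accepted algorithm list (SHA256, SHA384, SHA512) is an assumption based on NuGet's documented values.

```python
import re
import xml.etree.ElementTree as ET

# Hex digits expected per hashAlgorithm value (assumed set: SHA256/384/512).
HEX_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}

# Constructed sample: a lower-case fingerprint, as if pasted from a tool's output.
SAMPLE_CONFIG = """<configuration>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <author name="ExampleAuthor">
      <certificate fingerprint="{fp}" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>
</configuration>""".format(fp="3f9a" * 16)


def lint_trusted_signers(config_xml):
    """Return (signer, fingerprint, problem) for each suspicious <certificate>."""
    findings = []
    root = ET.fromstring(config_xml)
    for signers in root.iter("trustedSigners"):
        for signer in signers:  # <author> or <repository> entries
            for cert in signer.iter("certificate"):
                fp = cert.get("fingerprint", "")
                algo = cert.get("hashAlgorithm", "").upper()
                name = signer.get("name", "?")
                if algo not in HEX_LEN:
                    findings.append((name, fp, "unknown hashAlgorithm %r" % algo))
                elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HEX_LEN[algo], fp):
                    findings.append((name, fp, "not %d hex digits" % HEX_LEN[algo]))
                elif fp != fp.upper():
                    findings.append((name, fp, "lower-case hex; use " + fp.upper()))
    return findings


def normalize_fingerprints(config_xml):
    """Upper-case only the fingerprint attribute values; leave the rest untouched."""
    return re.sub(r'(fingerprint=")([0-9A-Fa-f]+)(")',
                  lambda m: m.group(1) + m.group(2).upper() + m.group(3),
                  config_xml)


if __name__ == "__main__":
    for name, fp, problem in lint_trusted_signers(SAMPLE_CONFIG):
        print("%s: %s" % (name, problem))
```

Running the linter in CI before a restore with `signatureValidationMode` set to `require` turns an NU3018 at install time into a config error that names the offending signer entry.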
