dotnet nuget verify doesn't seem to match the checks run on nuget.org #13626

Open
dylrich opened this issue Jul 15, 2024 · 4 comments
Labels
Functionality:Signing Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Product:dotnet.exe Type:DCR Design Change Request

Comments

@dylrich

dylrich commented Jul 15, 2024

NuGet Product Used

NuGet.exe

Product Version

8.0.105

Worked before?

No response

Impact

It bothers me. A fix would be nice

Repro Steps & Context

I was attempting to use an alternative nuget signing implementation from jsign when I ran into an issue uploading my nuget package to nuget.org that did not appear when I ran dotnet nuget verify ./mypackage.nupkg. As a user I would expect that if my package passes the checks in verify and my publish operation succeeds, my package should be well-formed and I should not receive a validation error later on from nuget.org. In order to prevent future bugs like ebourg/jsign#234, could the logic used for validation between nuget.org and dotnet nuget verify be kept in sync?

Verbose Logs

No response

@nkolev92
Member

Related: #8875

@nkolev92
Member

> could the logic used for validation between nuget.org and dotnet nuget verify be kept in sync

dotnet nuget verify currently only does signature verification. It does not have any context about a package being potentially published to nuget.org.
We wouldn't want to add noise to package authors that are never going to need to meet the nuget.org requirements.

@nkolev92 nkolev92 added Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Product:dotnet.exe labels Jul 22, 2024
@dylrich
Author

dylrich commented Jul 22, 2024

What do you think about creating some other tooling that checks for compliance with nuget.org requirements? It is a bit frustrating as a package author to have nuget.org reject your package after accepting the package initially, with no way to run the same checks it is running yourself.

@nkolev92
Member

nkolev92 commented Jul 22, 2024

> What do you think about creating some other tooling that checks for compliance with nuget.org requirements

I think that could work as well. I wasn't able to find duplicates on the NuGetGallery side or in #8875 in particular, but this has been a consideration in the past.

There have also been other approaches toward solving this problem such as #12874.
Note that the spec is merged and accepted, but not actively being worked on yet.
