Nuget Package Not Signed #3393
We would need a code-signing (Authenticode) certificate to do this. If we sign the NuGet package, we should sign our binaries too. The certificate must be stored securely, accessible to a trusted server which does the signing and which cannot be tricked into signing builds of code that we have not reviewed. If anyone can effectively sign using the certificate, it's worse than having no signature because we are vouching for the signed binary with our name. I set up our CI at my day job to sign my company's binaries, NuGet packages, and WiX installers, but I'm not familiar with the subtleties of managing a code-signing certificate in open-source projects. This is something that the .NET Foundation helps its member projects with. @rprouse, should we get in contact with someone there?
This dovetails nicely with the plan to only release packages that are built from our CI/CD pipeline rather than me building and testing locally on my machine. Ideally, the Azure DevOps builds will sign any builds of the release branch and we can release directly from there with a release pipeline. I've reached out to the .NET Foundation for information on getting a signing certificate and guidance on maintaining it.
Oren Novotny is still handling signing certificates for the .NET Foundation. I'll reach out to him. For reference, the Cake team uses Oren's signtool in their cake scripts, https://github.com/cake-build/cake/blob/9edba942fa2e9c0db16f3035ffb96db19e03561b/build.cake#L378-L430
Oren's signing tool uses the .NET Foundation's signing service, so we just need to get set up on that, https://github.com/dotnet/SignService
I'd be keen to sort this for the NUnit Console packages too - thanks for raising this @de10101!
It looks like the NUnit NuGet package is only signed by the repository, but not by the author's code signing certificate. Would it be possible to implement the signing using the .NET Foundation certificate?
@olegd-superoffice given nunit is never deployed to production, and only running on developers' machines, what is the use case for code signing?
@SimonCropp it is also running on build servers and I saw people using it to run smoke tests in production environments.
@olegd-superoffice so you only allow code signed packages to be used?
@SimonCropp Yes, trying to implement trust policy as described here: https://devblogs.microsoft.com/nuget/lock-down-your-dependencies-using-configurable-trust-policies/
@olegd-superoffice that must be challenging. The majority of packages I consume are not code signed.
@SimonCropp It is getting much better lately. All Google, Microsoft, Azure packages are signed, Json.Net and IdentityModel as well. And open source projects started catching up due to the signing service provided by the .NET Foundation - XUnit, Portable.BouncyCastle, Humanizer, Coverlet etc.
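As an added illustration of the trust policy @olegd-superoffice refers to above, here is a NuGet.config that moves from the default signature mode to a policy that rejects unsigned packages and pins which author and repository certificates are trusted. This is example configuration written for this page, not something taken from the thread or from the NUnit project; the certificate fingerprints are placeholders, and the `nunit` author entry is hypothetical since, as the issue states, the package is not author-signed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Weak (the default): a signature is validated only if the package happens to carry one,
       so an unsigned package such as the one described in this issue restores without complaint. -->
  <!--
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
  -->

  <!-- Hardened: every restored package must carry a signature that chains to a signer listed
       in <trustedSigners>; an unsigned package fails restore. -->
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- Author signature: the publisher's own code-signing certificate.
         HYPOTHETICAL entry: the NUnit package is not author-signed, so there is no real fingerprint to pin.
         The all-zero fingerprint is a PLACEHOLDER; the real value comes from the package's
         details page or the output of `dotnet nuget verify`. -->
    <author name="nunit">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000000"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>

    <!-- Repository signature: nuget.org's signing certificate. The <owners> element limits which
         package owners this repository signature is allowed to vouch for, so the repository
         signature alone does not make every package on the feed trusted. PLACEHOLDER fingerprint. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000000"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
      <owners>nunit;microsoft</owners>
    </repository>
  </trustedSigners>
</configuration>
```

With `signatureValidationMode` set to `require`, restoring a package that has no signature at all fails with NuGet error NU3004, which is exactly the situation a consumer of an unsigned NUnit package would hit under this policy. The `<trustedSigners>` section can also be maintained with the `dotnet nuget trust` command in newer SDKs rather than edited by hand. Before relying on this, confirm on a deliberately unsigned test package that the SDK and platform you restore on actually enforce the mode, since signature verification behaviour has differed across NuGet client versions and operating systems.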
NuGet.org supports signing of packages to confirm authorship.
https://docs.microsoft.com/en-us/nuget/reference/signed-packages-reference
The current release on nuget.org (3.12.0) is not signed with the Repository signature. This would be nice as an additional proof of source.