Signing: update to August 2022 CTL #4791
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dtivel
force-pushed
the
dev-dtivel-truststore
branch
from
7970845
to
75cda75
Compare
jeffkl
reviewed
Sep 13, 2022
src/NuGet.Core/NuGet.Packaging/Signing/Utility/X509ChainHolder.cs
Outdated
Show resolved
Hide resolved
src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/FallbackCertificateBundleX509ChainFactory.cs
Show resolved
Hide resolved
dtivel
force-pushed
the
dev-dtivel-truststore
branch
from
75cda75
to
e1d95e6
Compare
nkolev92
reviewed
Sep 13, 2022
src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/X509StorePurpose.cs
Outdated
Show resolved
Hide resolved
nkolev92
previously approved these changes
Sep 15, 2022
jeffkl
previously approved these changes
Sep 15, 2022
nkolev92
previously approved these changes
Sep 19, 2022
ghost
added
the
Status:No recent activity
|
This PR has been automatically marked as stale because it has no activity for 7 days. It will be closed if no further activity occurs within another 7 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
1 similar comment
|
This PR has been automatically marked as stale because it has no activity for 7 days. It will be closed if no further activity occurs within another 7 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
dtivel
force-pushed
the
dev-dtivel-truststore
branch
from
c99258c
to
3965112
Compare
ghost
removed
the
Status:No recent activity
dtivel
commented
Oct 11, 2022
| & powershell $DotNetInstall -Channel $cli.Channel -Quality signed -InstallDir $cli.Root -Version $cli.Version -Architecture $arch -NoPath | ||
| Trace-Log "$DotNetInstall -Channel $($cli.Channel) -InstallDir $($cli.Root) -Version $($cli.Version) -Architecture $arch -NoPath" | ||
|
|
||
| & powershell $DotNetInstall -Channel $cli.Channel -InstallDir $cli.Root -Version $cli.Version -Architecture $arch -NoPath |
There was a problem hiding this comment.
I removed the Quality argument here and in scripts/funcTests/runFuncTests.sh. Documentation says:
Don't use both version and quality parameters. When quality is specified, the script determines the proper version on its own.
[
Qualityis] Not applicable for current and LTS channels and will be ignored if one of those channels is used.
For some time, we have only effectively used Channel and Version.
dtivel
commented
Oct 11, 2022
| @@ -332,6 +332,7 @@ public void PackCommand_PackToolUsingAlias_DoesNotWarnAboutNoExactMatchInDepende | |||
| tfmProps["TargetFrameworkIdentifier"] = ".NETCoreApp"; | |||
| tfmProps["TargetFrameworkVersion"] = "v3.1"; | |||
| tfmProps["TargetFrameworkMoniker"] = ".NETCoreApp,Version=v3.1"; | |||
| tfmProps["RuntimeFrameworkVersion"] = "6.0"; | |||
dtivel
commented
Oct 11, 2022
| @@ -1485,7 +1488,7 @@ public void PackCommand_PackProject_PacksFromNuspec_InstallPackageToOutputPath() | |||
| } | |||
| } | |||
|
|
|||
| [PlatformTheory(Platform.Windows)] | |||
| [PlatformTheory(Platform.Windows, Skip = "https://github.com/dotnet/sdk/issues/28131")] | |||
jeffkl
approved these changes
Oct 11, 2022
nkolev92
approved these changes
Oct 11, 2022
zivkan
approved these changes
Oct 11, 2022
kartheekp-ms
pushed a commit
that referenced
this pull request
Oct 12, 2022
nkolev92
pushed a commit
that referenced
this pull request
Oct 12, 2022
Resolve NuGet/Home#12033. Co-authored-by: Damon Tivel <dtivel@microsoft.com>
AdmiringWorm
added a commit
to chocolatey/NuGet.Client
that referenced
this pull request
Dec 19, 2022
Insert 6.4.0-rc.123 into rel/d17.4 on 11/07/2022 23:47:12 * tag '6.4.0.123': (60 commits) fix a logic error that caused AbandonedMutexException while executing migrations (release-6.4.x) (NuGet#4895) unblock source build failing due to fatal: transport 'file' not allowed error (NuGet#4867) (NuGet#4874) Signing: update to August 2022 CTL (NuGet#4791) (NuGet#4850) Merged PR 422933: Prefer BCL Directory create API over helper class (7.0.1xx-rc2) Fix empty combobox when package is not present in project file (NuGet#4844) (NuGet#4848) Fix component detection alert for microsoft.owin package (NuGet#4841) (NuGet#4845) Make release label RC, move to escrow mode Adds special case to include transitive origins in GetInstalledAndTransitivePackagesAsync API (NuGet#4824) Add longPathAware manifest to NuGet.Build.Tasks.Console (NuGet#4830) VsPackageInstallerServices should not post ProjectNotNominatedException faults (NuGet#4814) Skip test GetOrCreateAsync_WithUnhandledExceptionInPlugin_Throws (NuGet#4831) Improve OptProf pipeline job run names (NuGet#4825) Increase HttpClientHandler.MaxConnectionsPerServer to 64 to improve PM UI performance in Visual Studio (NuGet#4798) Suppress CA2213 warnings to unblock dev branch (NuGet#4823) Ensure IsVsOfflineFeed is calculated correctly on 64-bit machines (NuGet#4817) Add better handling of AggregateExceptions in static graph-based restore (NuGet#4809) Add Component Detection task into each pipeline (NuGet#4813) Localizes nuget.exe with default, embedded resource assembly lookup (NuGet#4773) Removes BrowseObjectBase class in NuGet Solution Explorer (NuGet#4807) Improve TryCreateContext (NuGet#4762) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug
Fixes: NuGet/Home#12033
Regression? Last working version: No
Description
This PR updates NuGet signed package verification on Linux and macOS to use 2 separate fallback certificate bundles instead of 1.
Prior to this change, NuGet would use a single fallback certificate bundle which contained root certificates valid for both code signing and timestamping. Roots valid for only code signing or only timestamping were not in the certificate bundle because a consumer had no way of knowing which certificates were valid for which purpose(s).
With dotnet/sdk#27824, the .NET SDK will contain 2 separate fallback certificate bundles based on the Windows CTL:
This will provide NuGet with more complete data on publicly trusted certificates with which to make trust decisions.
Note that the above PR needs to be merged first, and the NuGet CI needs the updated .NET SDK build for all NuGet tests to pass. A few new tests will fail until this is resolved.
Note that this PR does not change the enablement default. Signed package verification is still opt-in on both Linux and macOS.
PR Checklist
PR has a meaningful title
PR has a linked issue.
Described changes
Tests
Documentation
CC @richlander, @aortiz-msft