-
Notifications
You must be signed in to change notification settings - Fork 690
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signing: update to August 2022 CTL #4791
Conversation
7970845
to
75cda75
Compare
src/NuGet.Core/NuGet.Packaging/Signing/Utility/X509ChainHolder.cs
Outdated
Show resolved
Hide resolved
src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/FallbackCertificateBundleX509ChainFactory.cs
Show resolved
Hide resolved
75cda75
to
e1d95e6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Some suggestions about the public APIs.
The line # looks scary, but once you hide tests, it's pretty easy to follow.
src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/X509StorePurpose.cs
Outdated
Show resolved
Hide resolved
This PR has been automatically marked as stale because it has no activity for 7 days. It will be closed if no further activity occurs within another 7 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
1 similar comment
This PR has been automatically marked as stale because it has no activity for 7 days. It will be closed if no further activity occurs within another 7 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
c99258c
to
3965112
Compare
& powershell $DotNetInstall -Channel $cli.Channel -Quality signed -InstallDir $cli.Root -Version $cli.Version -Architecture $arch -NoPath | ||
Trace-Log "$DotNetInstall -Channel $($cli.Channel) -InstallDir $($cli.Root) -Version $($cli.Version) -Architecture $arch -NoPath" | ||
|
||
& powershell $DotNetInstall -Channel $cli.Channel -InstallDir $cli.Root -Version $cli.Version -Architecture $arch -NoPath |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed the Quality
argument here and in scripts/funcTests/runFuncTests.sh. Documentation says:
Don't use both version and quality parameters. When quality is specified, the script determines the proper version on its own.
[
Quality
is] Not applicable for current and LTS channels and will be ignored if one of those channels is used.
For some time, we have only effectively used Channel
and Version
.
@@ -332,6 +332,7 @@ public void PackCommand_PackToolUsingAlias_DoesNotWarnAboutNoExactMatchInDepende | |||
tfmProps["TargetFrameworkIdentifier"] = ".NETCoreApp"; | |||
tfmProps["TargetFrameworkVersion"] = "v3.1"; | |||
tfmProps["TargetFrameworkMoniker"] = ".NETCoreApp,Version=v3.1"; | |||
tfmProps["RuntimeFrameworkVersion"] = "6.0"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -1485,7 +1488,7 @@ public void PackCommand_PackProject_PacksFromNuspec_InstallPackageToOutputPath() | |||
} | |||
} | |||
|
|||
[PlatformTheory(Platform.Windows)] | |||
[PlatformTheory(Platform.Windows, Skip = "https://github.com/dotnet/sdk/issues/28131")] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve NuGet/Home#12033. Co-authored-by: Damon Tivel <dtivel@microsoft.com>
Insert 6.4.0-rc.123 into rel/d17.4 on 11/07/2022 23:47:12 * tag '6.4.0.123': (60 commits) fix a logic error that caused AbandonedMutexException while executing migrations (release-6.4.x) (NuGet#4895) unblock source build failing due to fatal: transport 'file' not allowed error (NuGet#4867) (NuGet#4874) Signing: update to August 2022 CTL (NuGet#4791) (NuGet#4850) Merged PR 422933: Prefer BCL Directory create API over helper class (7.0.1xx-rc2) Fix empty combobox when package is not present in project file (NuGet#4844) (NuGet#4848) Fix component detection alert for microsoft.owin package (NuGet#4841) (NuGet#4845) Make release label RC, move to escrow mode Adds special case to include transitive origins in GetInstalledAndTransitivePackagesAsync API (NuGet#4824) Add longPathAware manifest to NuGet.Build.Tasks.Console (NuGet#4830) VsPackageInstallerServices should not post ProjectNotNominatedException faults (NuGet#4814) Skip test GetOrCreateAsync_WithUnhandledExceptionInPlugin_Throws (NuGet#4831) Improve OptProf pipeline job run names (NuGet#4825) Increase HttpClientHandler.MaxConnectionsPerServer to 64 to improve PM UI performance in Visual Studio (NuGet#4798) Suppress CA2213 warnings to unblock dev branch (NuGet#4823) Ensure IsVsOfflineFeed is calculated correctly on 64-bit machines (NuGet#4817) Add better handling of AggregateExceptions in static graph-based restore (NuGet#4809) Add Component Detection task into each pipeline (NuGet#4813) Localizes nuget.exe with default, embedded resource assembly lookup (NuGet#4773) Removes BrowseObjectBase class in NuGet Solution Explorer (NuGet#4807) Improve TryCreateContext (NuGet#4762) ...
Bug
Fixes: NuGet/Home#12033
Regression? Last working version: No
Description
This PR updates NuGet signed package verification on Linux and macOS to use 2 separate fallback certificate bundles instead of 1.
Prior to this change, NuGet would use a single fallback certificate bundle which contained root certificates valid for both code signing and timestamping. Roots valid for only code signing or only timestamping were not in the certificate bundle because a consumer had no way of knowing which certificates were valid for which purpose(s).
With dotnet/sdk#27824, the .NET SDK will contain 2 separate fallback certificate bundles based on the Windows CTL:
This will provide NuGet with more complete data on publicly trusted certificates with which to make trust decisions.
Note that the above PR needs to be merged first, and the NuGet CI needs the updated .NET SDK build for all NuGet tests to pass. A few new tests will fail until this is resolved.
Note that this PR does not change the enablement default. Signed package verification is still opt-in on both Linux and macOS.
PR Checklist
PR has a meaningful title
PR has a linked issue.
Described changes
Tests
Documentation
CC @richlander, @aortiz-msft