Repository Signatures #6378
Comments
|
That looks like a solid spec! One remark: the matrix at the end has Also:
Any pointers as to what type of certificate would be needed? |
|
@maartenba I omitted the Strict mode intentionally. It will be covered in more detail with the Client Policies spec. The certificate requirements will be the same as for author signatures. Code Signing, RSA 2048, SHA256 and so on. |
rrelyea
added
the
Priority:1
|
We are now feature complete in 15.7. Closing this issue. |
|
Are packages released for working with these? |
|
@maartenba Yes, latest |
|
Seems these aren't in the latest stable 4.6.2? |
|
Correct. |
|
Ok found it all in 4.7 prereleases. One thing I did not immediately find in the spec. Imagine a MyGet feed proxies NuGet.org (essentially a read from www.myget.org that just streams the package from www.nuget.org). Will we have to strip the repo signature, or can www.myget.org serve a NuGet.org repo-signed package? In other words, is this supported? Or is this the only way? |
|
I don't think there's any reason you'd need to strip the repo sig. It tells you where it came from. |
|
True. But then the question is: is the NuGet client going to like MyGet serving a package that has a NuGet.org repo signature? |
|
(also NuGet.org will remove other repo signature of available, hence the question) |
|
MyGet or any other feed can serve NuGet.org repository signed/countersigned packages without having to strip the NuGet.org signature/countersignature. However, if the serving feed goes out of its way to claim that it repository signs/countersigns packages with a different certificate, the NuGet client will block NuGet.org-signed/-countersigned packages from that feed. It'll appear as though the feed might have been compromised, serving a package signed with one signer while the feed tells the client to expect a different signer. The way a feed tells a client to expect packages signed with specific repository signing certificates is roughly described here. CC @rido-min |
|
Hmmmz... So what would be the best way of including the NuGet signature in our feed? Ideally there would be a way to delegate signature info, we'd rather not have to update the list of certificates on our side with those on NuGet.org side. |
|
After going through repository signatures a bit deeper, here are a few thoughts that I think could use some clarification. Change package owners
Proxy scenario
Virtual feeds scenarioMyGet has "pre-authenticated" feeds, where the repo is essentially the same, but the URL may look different per user. VSTS has virtual feeds with "views" that are part of the repository URL (where each view is a virtual feed that holds a subset of packages on the base feed). Since repo signatures contain a signed V3 index URL, can a package from a virtual feed be signed with the URL of the base feed? IF yes, awesome! If no, would this mean a package has to be re-repo signed on download, instead of once on ingestion? (also can we re-open this issue? the spec is still in "Status: Reviewing" so the discussion should stay open imo :-)) |
|
@maartenba, thanks for your feedback, I'm reopening this issue while the spec is "in review" Change Package ownersThe purpose of the package owners field is to capture who were the package owners at the time of submission. NuGet.org is not going to resign the package if the owners change but other repositories can re-sign those packages if they want. Proxy ScenarioRepo A can publish signed packages from repo B without including those certificates in the announcement. But before making any recommendation I'd like to understand your scenario. Virtual FeedsYes, the design decouples the current location of the package from the repository that originaly signed it. |
|
Thanks! That helps. |
|
Note to self on proxy/virtual feeds -> #6880 |
|
Not sure if the page is just historical specification, or it must match the implemented behavior, but: The spec is outdated with regards to As I understand the implemented feature, trusted author candidates are the configuration Also, some
|
|
Hi @vuplea, Certainly the spec was written before the implementation and could be some minor differences. Regarding Author Trust: In "accept mode" NuGet clients will install any package, and will produce a warning if signed with an untrusted cert. In require mode, the author/repo must be explicitly trusted. The Client Validation Matrix for require mode shows how repo-signed packages with untrusted certs are rejected. If you see a different behavior, please file an issue. Thanks for your feedback, |
Status: Reviewing
Use this issue to discuss the Repository Signatures spec.
The text was updated successfully, but these errors were encountered: