Signing: enable signed package verification on Linux by default in .NET 6 SDK #4706
Conversation
Good call. I never thought about that. If a non-fallback location is used, will there be a similar message?
It would be good to reinforce that this is on macOS. It might be good to do the same thing ahead of that on Linux. That would then present a nice contrast. I was initially confused about all the failures and thought it was some weird set of test packages but then saw that it wasn't, and then realized what was intended. |
|
@richlander, I updated the comment, hopefully clarifying matters. These messages will be logged with verbose logging level. The 3 columns on the right show which operating systems you might see the messages on.
The last message would happen if, say, the fallback certificate bundle is missing or unreadable. |
|
The chart helps. Thanks and LGTM. |
|
@dtivel is there a plan for revocation checks on macOS? Will nuget.org require that all certificates have OCSP responders? |
|
We need to have a separate and broader plan for macOS (which includes this OCSP topic). We've briefly discussed that already (although not including OCSP). |
Bug
Fixes: NuGet/Home#11264, NuGet/Home#11263
Regression? Last working version: N/A
Description
This change enables signed package verification by default on Linux in .NET 6 SDK (6.0.4xx). This PR a re-do of #4585 by targeting .NET 6 SDK instead of .NET 7 SDK.
Windows
No changes. Signed package verification continues to be enabled.
macOS
Signed package verification is disabled by default in .NET 5 SDK onwards; however, currently users can opt in by setting the
DOTNET_NUGET_SIGNATURE_VERIFICATIONenvironment variable toTRUEsince #3986. In .NET 6 SDK, opting in will leverage a fallback certificate bundle as the X.509 trust store (versus the system's X.509 trust store). This trust store is a subset of the Windows CTL that is valid for both code signing and timestamping and will be distributed as part of the .NET 6 SDK. (The fallback certificate bundle was added to the dotnet/sdk repo via dotnet/sdk#25687.)We have a couple concerns on macOS for which we don't currently have a great story, so signed package verification remains disabled by default on macOS:
With this change, if a user chooses to opt in to signed package verification in the .NET 6 SDK despite these concerns, it means that NuGet will use the new fallback certificate bundle and not the system's X.509 trust store. Issues 1 & 2 would still apply and would prevent affected packages from installing successfully.
Linux
With this change, signed package verification will be enabled by default starting with .NET 6 SDK, but users can opt out by setting the
DOTNET_NUGET_SIGNATURE_VERIFICATIONenvironment variable toFALSE. When signed package verification is enabled, NuGet will prefer a system-provided certificate bundle valid for both code signing and timestamping, if available; otherwise, NuGet will use the fallback certificate bundle in the .NET 6 SDK. Details can be found here.The ability to opt out of signed package verification in the .NET 6 SDK on Linux is an escape hatch.
Testing
Existing tests (plus newly added ones) pass, though a handful which no longer make sense with the new default were removed on Linux. I've also done manual testing using a .NET 6 SDK patched with NuGet CI assemblies.
Linux
On Linux (Ubuntu 20.04.4 LTS), I tested using a patched .NET 6 SDK (6.0.400-preview.22322.20). Restoring signed packages with increased verbosity yields the following additional log message:
macOS
On macOS 12.4 (21F79), I tested using a patched .NET 6 SDK (6.0.400-preview.22322.20). By default, signature verification is skipped and restoring signed packages succeeds.
On macOS, opting in to signed package verification causes verification to fail (as expected):
detailed restore output
A lot of test infrastructure changes were required to make this work. In particular, the
TrustedTestCert<T>class, which was hard-coded to add/remove certificates to the system trust store, needed to be reworked to enable adding/removing certificates to a test-only, in-memory fallback certificate bundle. This approach is pretty cool and if used more broadly, could eliminate the need for elevation to modify system trust stores on test machines. Overall, this would improve speed and robustness of signing tests on all platforms. This PR doesn't do that though.Also, .NET SDK tests on non-Windows machines need to both modify in-memory trusted roots in order to generate test data (i.e.: a package signed with a test certificate) AND the on-disk trusted roots (in the test .NET SDK) in order to respect those same test roots when running in a separate process.
A new test fixture (
X509TrustTestFixture), when added to a test class/collection, automatically enables in-memory fallback certificate bundle support on non-Windows platforms.Specifications
The specifications for this change are:
PR Checklist
PR has a meaningful title
PR has a linked issue.
Described changes
Tests
Documentation
CC @richlander