[Spec] NuGet Package Signing Client Policy
Status: Implemented
Parent spec - Repository-Signatures
Related Spec - Trusted Sources
As we enable author and repository package signing, we need to let consumers control the NuGet package signing client policies. Further, the chosen policy needs to be stored on the user's machine.
All NuGet package consumers.
Enable package consumers to store NuGet package signing client policies.
- Define NuGet package signing client policies.
- Update the schema for nuget.config file to be able to store NuGet package signing client policies.
- Define a gesture for users to be able to choose NuGet package signing client policies.
NuGet package signing client policies have been outlined in the Repository-Signatures spec. This spec proposes schema changes to nuget.config and user gestures.
We should store the selected client policy for the user in a nuget.config file as a configuration setting:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="signatureValidationMode" value="MODE" />
  </config>
</configuration>
```
The key and value are case insensitive.
For example -

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```
To set the NuGet package signing client policy, users can use the existing nuget config command.

```
NuGet.exe config -set signatureValidationMode=accept
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>
```

```
NuGet.exe config -set signatureValidationMode=require
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

Running the same command against a config file that already contains the key replaces the stored value in place:

```
NuGet.exe config -set signatureValidationMode=require
```

Before -

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>
```

After -

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

Setting an empty value removes the key from the config file:

```
NuGet.exe config -set signatureValidationMode=
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
```
If signatureValidationMode is not set, then NuGet Client should read that as accept mode.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
```

The above config should be read as having signatureValidationMode=accept.
If signatureValidationMode is set to any value other than the supported modes, then NuGet Client should read that as accept mode and warn the user with a message requesting them to fix the mode value.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="RANDOM" />
  </config>
</configuration>
```

The above config should be read as having signatureValidationMode=accept, and the following message should be shown to the user -

```
NUxxxx: Invalid signatureValidationMode found in config file <path>. Defaulting to accept mode. Please set it to one of the supported modes by running the nuget config command.
For more information, visit http://docs.nuget.org/docs/reference/command-line-reference.
```
We should add support for the following in the Visual Studio NuGet options control -
- Add a drop-down menu that lets users choose a NuGet package signing client policy.
- By default NuGet client should operate in accept mode, where the client performs author/repository/signedcms signature verification for packages that contain a valid signature.
- If a user does not have any package sources, then NuGet client should write nuget.org as a package source and trusted source, and signatureValidationMode as accept, into the user nuget.config file.
- NuGet client should respect any trusted source in user settings and perform complete repository signature verification for any package from those sources.
- In require mode NuGet client will only allow packages signed by a list of trusted sources or authors, along with all the constraints of accept mode.
- If a package is signed by an author or source that is not trusted, then the operation should fail with an error.
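The following is an added example, not code from the NuGet client, that models the two rule sets above: how a client resolves the effective mode from a nuget.config (case-insensitive key and value, missing key and unsupported value both fall back to accept, unsupported value additionally produces the warning text), and how accept and require mode then decide whether a package is allowed. The sample configs are constructed, the warning keeps the spec's NUxxxx placeholder, and the policy check folds author and repository trust into one `signer_trusted` flag as a simplifying assumption.

```python
import xml.etree.ElementTree as ET

SUPPORTED_MODES = ("accept", "require")

# Constructed sample nuget.config contents, not files from the NuGet repository.
CONFIG_REQUIRE = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="SignatureValidationMode" value="Require" />
  </config>
</configuration>"""
CONFIG_INVALID = CONFIG_REQUIRE.replace("Require", "RANDOM")
CONFIG_UNSET = "<configuration><packageSources /></configuration>"


def resolve_mode(config_xml, path="nuget.config"):
    """Return (mode, warning). Key and value are case-insensitive; a missing key
    resolves to accept silently, and an unsupported value resolves to accept with
    the spec's warning text (the error code is left as the spec's NUxxxx)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    value = None
    for add in root.findall("./config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            value = add.get("value", "")  # last occurrence wins
    if value is None:
        return "accept", None
    mode = value.strip().lower()
    if mode in SUPPORTED_MODES:
        return mode, None
    warning = (f"NUxxxx: Invalid signatureValidationMode found in config file {path}. "
               "Defaulting to accept mode. Please set it to one of the supported "
               "modes by running the nuget config command.")
    return "accept", warning


def is_package_allowed(mode, signed, signature_valid, signer_trusted, from_trusted_source):
    """Apply the accept/require rules to one package. signed/signature_valid describe
    the package's own signature, signer_trusted whether the signing author or repository
    is on the user's trusted list (author and repository trust folded into one flag here),
    from_trusted_source whether the package came from a trusted package source."""
    if signed and not signature_valid:
        return False  # both modes verify any signature that is present
    if from_trusted_source and not (signed and signature_valid and signer_trusted):
        return False  # packages from trusted sources need a valid trusted repository signature
    if mode == "require" and not (signed and signer_trusted):
        return False  # require mode admits only packages signed by a trusted author or source
    return True  # accept mode also admits unsigned packages
```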