diff --git a/docs/core/compatibility/10.md b/docs/core/compatibility/10.md index e3705fdec883e..bfe53918c16ec 100644 --- a/docs/core/compatibility/10.md +++ b/docs/core/compatibility/10.md @@ -140,6 +140,7 @@ See [Breaking changes in EF Core 10](/ef/core/what-is-new/ef-core-10.0/breaking- | [NUGET_ENABLE_ENHANCED_HTTP_RETRY environment variable removed](sdk/10.0/nuget-enhanced-http-retry-removed.md) | Behavioral change | | [NuGet logs an error for invalid package IDs](sdk/10.0/nuget-packageid-validation.md) | Behavioral change | | [`ToolCommandName` not set for non-tool packages](sdk/10.0/toolcommandname-not-set.md) | Source incompatible | +| [`dotnet nuget verify` outputs CRL and OCSP URLs](sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md) | Behavioral change | ## Serialization diff --git a/docs/core/compatibility/sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md b/docs/core/compatibility/sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md new file mode 100644 index 0000000000000..c999001d9bcfe --- /dev/null +++ b/docs/core/compatibility/sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md 
@@ -0,0 +1,77 @@ +--- +title: "Breaking change: dotnet nuget verify outputs CRL and OCSP URLs" +description: "Learn about the breaking change in .NET 10 where dotnet nuget verify outputs CRL and OCSP URLs for each certificate in the signature chain." +ms.date: 05/05/2026 +ai-usage: ai-assisted +--- + +# `dotnet nuget verify` outputs CRL and OCSP URLs + +Starting in .NET 10.0.400, `dotnet nuget verify` outputs Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) URLs for each certificate in the signature chain. + +## Version introduced + +.NET 10.0.400 SDK + +## Previous behavior + +Previously, `dotnet nuget verify` displayed certificate details such as subject name, SHA1 hash, SHA256 hash, issuer, and validity period, but didn't include CRL or OCSP URLs. + +``` +Verifying NuGet.Versioning.7.0.0 +Content hash: vMEhpystjAmHzWARE09PjYMWOiGgM+f9rJYMcXGs8soz9/url4qmU9O9Y+hy22kPuqozCMoGcJt0JzKRZ1woZg== +C:\Users\user\.nuget\packages\nuget.versioning\7.0.0\nuget.versioning.7.0.0.nupkg +Signature Hash Algorithm: SHA256 + +Signature type: Author +Verifying the author primary signature with certificate: + Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US + SHA1 hash: F25C45D17C53D4E0D1DC9FB9DFD0731FCF904B77 + SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353 + Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US + Valid from: 2023-07-27 9:30:00 AM to 2026-10-18 10:29:59 AM +``` + +## New behavior + +Starting in .NET 10.0.400 SDK, CRL URL and OCSP URL lines appear after the certificate validity period. A certificate can have multiple CRL URLs. 
+ +``` +Verifying NuGet.Versioning.7.0.0 +Content hash: vMEhpystjAmHzWARE09PjYMWOiGgM+f9rJYMcXGs8soz9/url4qmU9O9Y+hy22kPuqozCMoGcJt0JzKRZ1woZg== +C:\Users\user\.nuget\packages\nuget.versioning\7.0.0\nuget.versioning.7.0.0.nupkg +Signature Hash Algorithm: SHA256 + +Signature type: Author +Verifying the author primary signature with certificate: + Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US + SHA1 hash: F25C45D17C53D4E0D1DC9FB9DFD0731FCF904B77 + SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353 + Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US + Valid from: 2023-07-27 9:30:00 AM to 2026-10-18 10:29:59 AM + CRL URL: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl + CRL URL: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl + OCSP URL: http://ocsp.digicert.com +``` + +## Type of breaking change + +This change is a [behavioral change](../../categories.md#behavioral-change). + +## Reason for change + +Some users asked NuGet to provide a full list of URLs or hosts that NuGet accesses during a restore, and to explain why NuGet makes HTTP (rather than HTTPS) requests. The CRL and OCSP URLs in certificate chains are the source of these HTTP requests. Displaying these URLs in `dotnet nuget verify` output lets users discover this information without needing to capture network traces. + +For more information, see the [NuGet.Client pull request #7343](https://github.com/NuGet/NuGet.Client/pull/7343). + +## Recommended action + +If you use `dotnet nuget verify` in automation and parse its output, update your parsing logic to handle the new `CRL URL` and `OCSP URL` fields. Certificate information blocks no longer have unique keys; a certificate can have multiple `CRL URL` entries. + +## Affected APIs + +None. + +## See also + +- [`dotnet nuget verify`](../../../tools/dotnet-nuget-verify.md) 
diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 327c0135cd2f8..21b8585807e76 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -224,6 +224,8 @@ items: href: sdk/10.0/prune-packagereference-privateassets.md - name: "'ToolCommandName' not set for non-tool packages" href: sdk/10.0/toolcommandname-not-set.md + - name: "`dotnet nuget verify` outputs CRL and OCSP URLs" + href: sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md - name: Serialization items: - name: System.Text.Json checks for property name conflicts diff --git a/docs/core/tools/dotnet-nuget-verify.md b/docs/core/tools/dotnet-nuget-verify.md index a851c854e36d2..1cde0ce8a97bf 100644 --- a/docs/core/tools/dotnet-nuget-verify.md +++ b/docs/core/tools/dotnet-nuget-verify.md @@ -27,7 +27,10 @@ dotnet nuget verify -h|--help ## Description The `dotnet nuget verify` command verifies a signed NuGet package. -In .NET 10 and later versions, the command also outputs the package's content hash, which might be useful to investigate lock file validation errors. +In .NET 10 and later versions, the command also outputs: + +- The package's content hash, which might be useful to investigate lock file validation errors. +- The Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) URLs for each certificate in the signature chain. For more information, see the [breaking change notice](../compatibility/sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md). > [!NOTE] > This command requires a certificate root store that is valid for both code signing and timestamping. Also, this command may not be supported on some combinations of operating system and .NET SDK. For more information, see [NuGet signed package verification](nuget-signed-package-verification.md). 
@@ -69,10 +72,14 @@ In .NET 10 and later versions, the command also outputs the package's content ha `Timestamp Certificate -> Validity period`| ❌ | ❌ | ✔️ | ✔️ | ✔️ `Timestamp Certificate -> SHA1 hash`| ❌ | ❌ | ✔️ | ✔️ | ✔️ `Timestamp Certificate -> Subject name`| ❌ | ❌ | ✔️ | ✔️ | ✔️ + `Timestamp Certificate -> CRL URL (If applicable)`| ❌ | ❌ | ✔️ | ✔️ | ✔️ + `Timestamp Certificate -> OCSP URL (If applicable)`| ❌ | ❌ | ✔️ | ✔️ | ✔️ `Author/Repository Certificate -> Subject name`| ❌ | ✔️ | ✔️ | ✔️ | ✔️ `Author/Repository Certificate -> SHA-256 hash`| ❌ | ✔️ | ✔️ | ✔️ | ✔️ `Author/Repository Certificate -> Validity period`| ❌ | ✔️ | ✔️ | ✔️ | ✔️ `Author/Repository Certificate -> Service index URL (If applicable)`| ❌ | ✔️ | ✔️ | ✔️ | ✔️ + `Author/Repository Certificate -> CRL URL (If applicable)`| ❌ | ✔️ | ✔️ | ✔️ | ✔️ + `Author/Repository Certificate -> OCSP URL (If applicable)`| ❌ | ✔️ | ✔️ | ✔️ | ✔️ `Package name being verified` | ❌ | ✔️ | ✔️ | ✔️ | ✔️ `Type of signature (author or repository)`| ❌ | ✔️ | ✔️ | ✔️ | ✔️
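Review bot: The "Reason for change" section of the new file `docs/core/compatibility/sdk/10.0/dotnet-nuget-verify-crl-ocsp-urls.md` raises the question of why NuGet makes HTTP rather than HTTPS requests but never answers it, so a reader who sees `CRL URL: http://crl3.digicert.com/...` and `OCSP URL: http://ocsp.digicert.com` in the output may report it as a security bug. Add one sentence stating that CRLs and OCSP responses are signed by the issuing CA, so their integrity does not depend on TLS, and that CAs publish these endpoints over plain HTTP to avoid a circular dependency (checking revocation of the TLS certificate that would protect the revocation endpoint). Separately, the summary says the URLs are printed "for each certificate in the signature chain", but the "New behavior" example shows only the leaf signing-certificate block, with no issuer or timestamp certificate blocks; either add the issuing CA's block to the example or narrow the wording to the certificate blocks the command prints at the chosen verbosity.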
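Review bot: The new `docs/core/compatibility/toc.yml` entry uses backticks inside the YAML string (`"`dotnet nuget verify` outputs CRL and OCSP URLs"`), while the neighbouring entries in the same list quote identifiers with single quotes, e.g. `- name: "'ToolCommandName' not set for non-tool packages"`. TOC names are rendered as plain text, so the backticks will appear literally; use `"'dotnet nuget verify' outputs CRL and OCSP URLs"` to match the existing convention.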
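Review bot: In the `docs/core/tools/dotnet-nuget-verify.md` description hunk, the lead sentence "In .NET 10 and later versions, the command also outputs:" now covers both bullets, but the linked breaking-change page says the CRL and OCSP URL output starts in the .NET 10.0.400 SDK, so a reader on an earlier 10.0.x SDK will not see it. Qualify the second bullet with the SDK version, for example "Starting with the .NET 10.0.400 SDK, the Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) URLs ...", and keep the first bullet's ".NET 10 and later" wording for the content hash.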