Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Spec]: add command for verifying signed packages #6005

Closed
dtivel opened this issue Oct 9, 2017 · 9 comments
Closed

[Spec]: add command for verifying signed packages #6005

dtivel opened this issue Oct 9, 2017 · 9 comments
Assignees
Milestone

Comments

@dtivel
Copy link
Contributor

dtivel commented Oct 9, 2017

https://github.com/NuGet/Home/wiki/NuGet-Verify-Command

@dtivel
Copy link
Contributor Author

dtivel commented Oct 9, 2017

A new command is necessary to verify a signed package from the command line. Use "signtool verify /v" as an inspiration.

@dtivel dtivel changed the title [Spec]: add "verify" command for verifying signed packages [Spec]: add command for verifying signed packages Oct 9, 2017
@PatoBeltran PatoBeltran self-assigned this Oct 9, 2017
@nkolev92
Copy link
Member

nkolev92 commented Oct 11, 2017

In all of our commands we have just 2 verbosity levels, detailed and normal.

I'm not saying that's great, in fact I think we should improve it, but we should discuss whether we want to keep the same pattern.

@PatoBeltran
Copy link

@nkolev92 nuget docs mention three level of verbosity... here a reference for push command

@nkolev92
Copy link
Member

    -Signer <cert_hash> … - Verify that the signer certificate matches with one of the specified hashes. 

I assume you mean cert fingerprint by cert_hash?
I think it should be consistent with the naming in the sign command.

@nkolev92
Copy link
Member

@PatoBeltran Ah, my bad.
Double checked it right now, I have seen cases in which we don't respect the quiet level so that had me confused.

@jariq
Copy link

jariq commented Nov 30, 2017

Some errors and warnings that should be displayed are:

Warnings

  • A signing certificate doesn't chain up to a trusted root
  • A timestamper certificate doesn't chain up to a trusted root

How will verification procedure acquire list of trusted roots?

@PatoBeltran
Copy link

PatoBeltran commented Dec 1, 2017

@jariq .NET's SignedCms object does the validation that the certificate chains up to a trusted root, therefore the verification procedure just needs to delegate that check to the certificate chain building engine in .NET

@rido-min
Copy link

rido-min commented Dec 4, 2017

nuget verify signature should show a similar output as signtool.exe. In detailed mode it shows the certificate chain, the signed hash and the timestamp value.

eg:

Verifying: nuget.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): AC3F2753CC08C76E30786DD766381127ABA1E2BF

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 15:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon Aug 31 14:29:32 2020
        SHA1 hash: 3CAF9BA2DB5570CAF76942FF99101B993888E257

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Sat Aug 11 12:11:15 2018
            SHA1 hash: 49D59D86505D82942A076388693F4FB7B21254EE

The signature is timestamped: Fri Nov 17 12:52:33 2017
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 15:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 05:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Sep 07 09:58:50 2018
            SHA1 hash: 9D2361FA5394ACB4D0C59A07D23DFFFB50E37484


Successfully verified: nuget.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

@rrelyea rrelyea added this to the 4.6 milestone Jan 11, 2018
@rrelyea
Copy link
Contributor

rrelyea commented Jan 11, 2018

This work has been checked into 4.6 codebase. Closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants