Automate validation of Nuget signatures

[danmoseley]

We need to automate validation that our NuGet packages are signed.

Specifically this means running nuget verify -all on every nupkg after signing completes. If that fails, upload will fail later.

We should not rely on remembering to do this manually. Perhaps this is a dupe, but I can't find it.

@mmitche @shawnro

[jcagme]

@danmosemsft it is nuget verify, right?

FYI @JohnTortugo

[JohnTortugo]

We have a tool to perform that validation (also including the package content). The plan is to run the tool just before publishing the packages: #1444

[danmoseley]

@danmosemsft it is nuget verify, right?

fixed, thanks

[markwilkie]

related to #1933

[JohnTortugo]

I'm wondering if we still need nuget verify if we run SignCheck. AFAIU SignCheck already perform .nupkg signing validation and much more. What do you think @joeloff @tmat

[joeloff]

Probably not. SignCheck calls into the NuGet APIs to verify the package signature and it will also check the contents inside the nupkg (assuming you're running with -r). Right now for nupkgs it specifically checks that it was signed by PRSS, which it should be if it's something we're producing.

[JohnTortugo]

I'm closing this issue as SignCheck already perform such validation and we're going to use it in our builds.

[danmoseley]

Thanks!