@@ -38,6 +38,10 @@ internal class NuGetPackageDownloader : INuGetPackageDownloader
3838 private readonly Dictionary < PackageSource , SourceRepository > _sourceRepositories ;
3939 private readonly bool _shouldUsePackageSourceMapping ;
4040
41+ /// <summary>
42+ /// If true, the package downloader will verify the signatures of the packages it downloads.
43+ /// Temporarily disabled for macOS and Linux.
44+ /// </summary>
4145 private readonly bool _verifySignatures ;
4246 private readonly VerbosityOptions _verbosityOptions ;
4347 private readonly string _currentWorkingDirectory ;
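Review bot: The new summary on `_verifySignatures` says verification is "temporarily disabled for macOS and Linux", which does not match the constructor assignment in the next hunk. There the fallback when the environment variable is unset or unparsable is `OperatingSystem.IsLinux()`, so Linux verifies by default and only macOS is off. Anyone auditing which platforms check package signatures would get the wrong answer from this comment. Suggested wording: `/// Requires the verifySignatures constructor argument. On Windows it is then always on; elsewhere NuGetSignatureVerificationEnabler.DotNetNuGetSignatureVerification decides, defaulting to on for Linux and off for macOS.`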
@@ -65,7 +69,9 @@ public NuGetPackageDownloader(
6569 _restoreActionConfig = restoreActionConfig ?? new RestoreActionConfig ( ) ;
6670 _retryTimer = timer ;
6771 _sourceRepositories = new ( ) ;
68- _verifySignatures = verifySignatures ;
72+ // If windows or env variable is set, verify signatures
73+ _verifySignatures = verifySignatures && ( OperatingSystem . IsWindows ( ) ? true
74+ : bool . TryParse ( Environment . GetEnvironmentVariable ( NuGetSignatureVerificationEnabler . DotNetNuGetSignatureVerification ) , out var shouldVerifySignature ) ? shouldVerifySignature : OperatingSystem . IsLinux ( ) ) ;
6975
7076 _cacheSettings = new SourceCacheContext
7177 {
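Review bot: On non-Windows platforms this assignment lets the variable named by `NuGetSignatureVerificationEnabler.DotNetNuGetSignatureVerification` turn signature verification off, and on macOS it stays off unless that variable parses as true. Nothing visible in the hunk records that the check was skipped, so whoever controls the process environment controls an integrity check silently; a warning at the point where verification is skipped would make that state observable. The nested conditional is also hard to audit (`? true :` is redundant, and an unparsable value silently falls through to the OS default), and the comment above it omits the Linux default. Pulling the decision into a small named helper, as sketched below, makes each case explicit. The constructor begins before and continues after this hunk.

```csharp
// Always on for Windows. Elsewhere the environment variable decides when it
// parses as a boolean; unset or unparsable falls back to on for Linux, off for macOS.
_verifySignatures = verifySignatures && IsSignatureVerificationEnabledForPlatform();

// … unchanged: _cacheSettings initialisation and the rest of the constructor …

private static bool IsSignatureVerificationEnabledForPlatform()
{
    if (OperatingSystem.IsWindows())
    {
        return true;
    }

    string value = Environment.GetEnvironmentVariable(
        NuGetSignatureVerificationEnabler.DotNetNuGetSignatureVerification);

    return bool.TryParse(value, out bool enabled) ? enabled : OperatingSystem.IsLinux();
}
```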
@@ -130,8 +136,17 @@ public async Task<string> DownloadPackageAsync(PackageId packageId,
130136 packageVersion . ToNormalizedString ( ) ) ) ;
131137 }
132138
133- await VerifySigning ( nupkgPath , repository ) ;
134-
139+ // Delete file if verification fails
140+ try
141+ {
142+ await VerifySigning ( nupkgPath , repository ) ;
143+ }
144+ catch ( NuGetPackageInstallerException )
145+ {
146+ File . Delete ( nupkgPath ) ;
147+ throw ;
148+ }
149+
135150 return nupkgPath ;
136151 }
137152
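Review bot: The cleanup around `VerifySigning` runs only for `NuGetPackageInstallerException`, so any other failure leaves the unverified .nupkg at `nupkgPath`, where a later step could pick it up. Whether `VerifySigning` can throw other types (an I/O error, a cancellation, an unwrapped NuGet exception) is not visible here; if it can, widen the handler to `catch (Exception)` and keep the `throw;`. Separately, `File.Delete(nupkgPath)` can itself throw, which would replace the verification error the caller needs to see, so the delete should be guarded so that the original exception still propagates. `DownloadPackageAsync` starts outside this hunk.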