[Spec]: add command for verifying signed packages

[dtivel]

https://github.com/NuGet/Home/wiki/NuGet-Verify-Command

[dtivel]

A new command is necessary to verify a signed package from the command line. Use "signtool verify /v" as an inspiration.

[nkolev92]

In all of our commands we have just 2 verbosity levels, detailed and normal.

I'm not saying that's great, in fact I think we should improve it, but we should discuss whether we want to keep the same pattern.

[PatoBeltran]

@nkolev92 nuget docs mention three level of verbosity... here a reference for push command

[nkolev92]

    -Signer <cert_hash> … - Verify that the signer certificate matches with one of the specified hashes. 

I assume you mean cert fingerprint by cert_hash?
I think it should be consistent with the naming in the sign command.

[nkolev92]

@PatoBeltran Ah, my bad.
Double checked it right now, I have seen cases in which we don't respect the quiet level so that had me confused.

[jariq]

Some errors and warnings that should be displayed are:

Warnings

• A signing certificate doesn't chain up to a trusted root
• A timestamper certificate doesn't chain up to a trusted root

How will verification procedure acquire list of trusted roots?

[PatoBeltran]

@jariq .NET's SignedCms object does the validation that the certificate chains up to a trusted root, therefore the verification procedure just needs to delegate that check to the certificate chain building engine in .NET

[rido-min]

nuget verify signature should show a similar output as signtool.exe. In detailed mode it shows the certificate chain, the signed hash and the timestamp value.

eg:

Verifying: nuget.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): AC3F2753CC08C76E30786DD766381127ABA1E2BF

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 15:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon Aug 31 14:29:32 2020
        SHA1 hash: 3CAF9BA2DB5570CAF76942FF99101B993888E257

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Sat Aug 11 12:11:15 2018
            SHA1 hash: 49D59D86505D82942A076388693F4FB7B21254EE

The signature is timestamped: Fri Nov 17 12:52:33 2017
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 15:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 05:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Sep 07 09:58:50 2018
            SHA1 hash: 9D2361FA5394ACB4D0C59A07D23DFFFB50E37484


Successfully verified: nuget.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

[rrelyea]

This work has been checked into 4.6 codebase. Closing.