【发布时间】:2019-12-04 15:32:46
【问题描述】:
我有一个用我自己的 CA 颁发的证书签名的包。
我用证书签署了一个 nuget 包。
当我在机器的信任库中添加根 CA 时,我可以使用 nuget 成功验证签名,使用
nuget verify test.nupkg -Signatures
但是,如果我从信任存储中删除根,而是将我的证书的指纹添加为受信任的签名者,在 nuget 中,将 allowUntrustedRoot 设置为 true,由于某种原因,我无法验证签名。
> nuget trusted-signers
Registered trusted signers:
1. MyCert [author]
Certificate fingerprint(s):
[U] SHA256 - 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
但是
> nuget verify test.nupkg -Signatures
Verifying Test
C:\test.nupkg
Signature Hash Algorithm: SHA256
WARNING: NU3027: The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=Test Certificate, OU=Test, C=BE
SHA1 hash: 679B1E503720C69D981B9CC4F0199D5D8593375A
SHA256 hash: 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
Issued by: CN=Test Root, OU=Test, O=Test, C=BE
Valid from: 10/31/2019 10:29:54 AM to 9/24/2023 11:37:39 AM
NU3018: The author primary signature found a chain building issue: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode.
WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation for the certificate.
Finished with 1 errors and 3 warnings.
Package signature validation failed.
如果未验证签名,添加受信任的签名者并将 allowUntrustedRoot 设置为 true 有什么意义。我的意思是,将根证书添加到信任库以验证签名显然就足够了,而无需对配置进行任何操作。
如果可能的话,我希望能够不在信任存储中导入根 CA,而只使用 Nuget 的配置来成功验证签名。
谢谢。
【问题讨论】:
-
这个问题最近解决了。更多详情:github.com/NuGet/NuGet.Client/pull/4396 将在下一个版本的 .net sdk 中。