
[Cross-Platform Sign Verify] Unexpected error NU3018 show after restoring project on Linux #10328

Closed
v-luzh opened this issue Nov 27, 2020 · 6 comments

v-luzh commented Nov 27, 2020

Details about Problem

NuGet version: NuGet Client Dev\5.9.0.6972
VS Version: Main\30726.31
OS: Windows-10-Enterprise-19h2

Detailed repro steps

  1. On Windows VM, create a C# Class Library (.NET 5.0) package, make and update the nuspec file for the package with command nuget spec.
  2. Pack the package with command nuget pack <packagename>.csproj, create a new test certificate: .\CreateTestCertificate.ps1 -AddAsTrustedRootAuthority -GenerateCerFile.
  3. Sign the package: NuGet.exe sign <PackageFilePath> -CertificatePath <PfxFilePath> -Timestamper http://timestamp.entrust.net/TSS/RFC3161sha2TS.
  4. Copy the .cer file and signed package from the above Windows machine to Linux machine.
  5. On Linux VM terminal, change the .cer to .crt format: openssl x509 -inform DER -in <.cer file path> -out <.crt file path>.
  6. Add the certificate (.crt) to trusted store:
     cd /usr/local/share/ca-certificates/
     sudo cp <.crt file path> ./
     sudo chmod 644 ./<.crt file name>
     sudo update-ca-certificates
  7. Create a project and add below package reference in the .csproj file.
     <ItemGroup>
       <PackageReference Include="<packageName>" Version="<packageVersion>" />
     </ItemGroup>
  8. Add the feed (path contains the signed package), set required mode in nuget.config file with trusted signers list:
     <packageSources>
       <add key="<anyname>" value="<signed package parent folder>" />
     </packageSources>
     <config>
       <add key="signatureValidationMode" value="require" />
     </config>
     <trustedSigners>
       <author name="JamieZhang">
         <certificate fingerprint="XXXXXXXXX" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
       </author>
     </trustedSigners>
  9. Clear the cache: <patchedSDKPath>./dotnet nuget locals all --clear.
  10. Delete the /obj folder if there is any.
  11. Go inside the project folder, verify the package by running restore: <patchedSDKPath>./dotnet restore.

Expected Result

There were no errors or warnings, and restore is successful.

Actual Result

Unexpected error NU3018 shows as below.
NU3018

Notes

  1. This bug only repros on Linux.
  2. It only repros on three test cases: "Cross-platform verify: signed and timestamped package", "Cross-platform verify: signed package with expired signing certificate" and "Cross-platform verify: tampered signed package".
  3. It is not a regression.
@nkolev92
Member

fyi @heng-liu, @kartheekp-ms

@nkolev92 nkolev92 added Priority:2 Issues for the current backlog. and removed Triage:NeedsTriageDiscussion labels Dec 7, 2020

nkolev92 commented Dec 7, 2020

Triage: Assigning to @kartheekp-ms

@heng-liu
Contributor

I could not repro for two test cases mentioned above:
"Cross-platform verify: signed and timestamped package" and "Cross-platform verify: tampered signed package".

I could only repro for test case: "Cross-platform verify: signed package with expired signing certificate"

@heng-liu
Contributor

heng-liu commented Feb 25, 2021

If we build the chain for the expired self-issued certificate by using the following policy setting:

using System;
using System.Security.Cryptography.X509Certificates;

using var chain = new X509Chain();
// Expiry of the certificate is ignored, the chain is built "as of now" and
// revocation is checked online for every certificate except the root.
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.VerificationTime = DateTime.Now;
bool built = chain.Build(certificate);   // certificate: the expired signing certificate under test

the chain build on Linux is different from other platforms:
Chain status: "NotTimeValid,RevocationStatusUnknown,UntrustedRoot"
while on Windows the chain build is successful.

But if we build the chain for the expired leaf certificate issued by intermediate CA by using the same policy setting,
the chain build is successful for both Linux and Windows.

Since we use a self-issued certificate for testing, but the packages on nuget.org use a leaf certificate issued by an intermediate certificate, the test fails but the real world works.
So the issue is that our test could not test the right scenario by using a self-issued certificate.
I'm not sure if there is any way to solve this problem so that we could test for the right scenario.
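Added example (not code from this issue, from NuGet or from the dotnet runtime): a small C# console program that reproduces the two chain shapes the comment above compares, an expired self-issued certificate and an expired leaf issued by an intermediate CA, builds each chain with the quoted policy settings, and prints the resulting chain status so the Linux and Windows outcomes can be compared directly. It also prints each certificate's SHA-256 hash in the form the `trustedSigners` `fingerprint` attribute from the repro steps expects (the value shown there as XXXXXXXXX). All names (`ChainDiag`, `SelfSigned`, `IssuedBy`, `BuildStatus`) are made up for the example. Two deliberate departures from the repro are assumptions of this example: trust is anchored through `X509ChainTrustMode.CustomRootTrust` instead of installing the certificate into the system store, so nothing on the machine is modified, and `RevocationMode` is `NoCheck` rather than `Online`, because the in-memory certificates carry no CRL or OCSP endpoints and `Online` would only add `RevocationStatusUnknown` noise to the comparison.

```csharp
// Added example, not code from the issue or from NuGet. Generates test certificates in
// memory, builds chains with the policy quoted in the comment above, and prints the
// result so the Linux and Windows outcomes can be compared with one program.
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDiag   // hypothetical name
{
    // Self-signed certificate. With isCa = true it gets BasicConstraints CA=true and can
    // act as an issuer for IssuedBy below; with isCa = false it is a plain end-entity cert.
    static X509Certificate2 SelfSigned(string cn, DateTimeOffset notBefore, DateTimeOffset notAfter, bool isCa)
    {
        var key = RSA.Create(2048);   // not disposed: the returned certificate keeps using it
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        if (isCa)
            req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(notBefore, notAfter);
    }

    // Certificate signed by an issuer that has a private key and BasicConstraints CA=true.
    static X509Certificate2 IssuedBy(X509Certificate2 issuer, string cn, DateTimeOffset notBefore, DateTimeOffset notAfter, bool isCa)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        if (isCa)
            req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        var serial = new byte[8];
        RandomNumberGenerator.Fill(serial);
        using var publicOnly = req.Create(issuer, notBefore, notAfter, serial);
        return publicOnly.CopyWithPrivateKey(key);
    }

    // Builds the chain with the policy from the comment (IgnoreNotTimeValid, ExcludeRoot,
    // VerificationTime = now). Assumed differences: trust is anchored on `root` through
    // CustomRootTrust instead of the system store, and revocation is not checked because
    // the constructed certificates have no CRL or OCSP endpoints.
    static string BuildStatus(X509Certificate2 leaf, X509Certificate2 root, params X509Certificate2[] intermediates)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // the comment used Online
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationTime = DateTime.Now;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);

        bool built = chain.Build(leaf);
        var flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
            flags |= status.Status;   // union of every status reported for the chain
        return $"Build={built}, ChainStatus={flags}, Elements={chain.ChainElements.Count}";
    }

    static void Main()
    {
        var issued  = DateTimeOffset.UtcNow.AddYears(-2);
        var expired = DateTimeOffset.UtcNow.AddYears(-1);   // NotAfter already in the past
        var future  = DateTimeOffset.UtcNow.AddYears(10);
        Console.WriteLine("Platform: " + RuntimeInformation.OSDescription);

        // Case 1: expired self-issued signing certificate, the shape used by the NuGet tests.
        var selfSigned = SelfSigned("expired-self-signed", issued, expired, isCa: false);
        Console.WriteLine("self-signed fingerprint (trustedSigners value): " + selfSigned.GetCertHashString(HashAlgorithmName.SHA256));
        Console.WriteLine("self-signed chain: " + BuildStatus(selfSigned, selfSigned));

        // Case 2: root -> intermediate -> expired leaf, the shape used by packages on nuget.org.
        var root         = SelfSigned("test-root", issued, future, isCa: true);
        var intermediate = IssuedBy(root, "test-intermediate", issued, future, isCa: true);
        var leaf         = IssuedBy(intermediate, "expired-leaf", issued, expired, isCa: false);
        Console.WriteLine("issued-leaf fingerprint (trustedSigners value): " + leaf.GetCertHashString(HashAlgorithmName.SHA256));
        Console.WriteLine("issued-leaf chain: " + BuildStatus(leaf, root, intermediate));
    }
}
```

Run it once on a Windows box and once on a Linux box and compare the two `ChainStatus` lines: with the comment's policy, a status containing `NotTimeValid` for case 1 on Linux only, while case 2 builds cleanly on both, is the platform difference the comment describes. The printed fingerprints are the hex SHA-256 values a `require`-mode nuget.config would list for each certificate, which is what makes the test setup usable without trusting an untrusted root (`allowUntrustedRoot="false"`).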

@heng-liu
Contributor

Raised an issue in dotnet/runtime#48794

@aortiz-msft
Contributor

@heng-liu, @v-luzh - Closing as dupe of dotnet/runtime#48794

@v-luzh v-luzh changed the title [Cross-Platform Signing] Unexpected error NU3018 show after restoring project on Linux [Cross-Platform Sign Verify] Unexpected error NU3018 show after restoring project on Linux Aug 26, 2022