-
Notifications
You must be signed in to change notification settings - Fork 252
Repository Signatures and Countersignatures Technical Specification
Status: Implemented
The discussion around this spec is tracked here - Repository Signatures and Countersignatures Technical Specification #6378
This specification updates the NuGet Package Signatures Technical Specification by defining repository signatures and repository countersignatures.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174.
- ASN.1: Abstract Syntax Notation.One [ITU-T]
- CMS: cryptographic message syntax [RFC 5652]
- DER: Distinguished Encoding Rules [X.690]
- OID: object identifier [X.660]
The general requirements are:
- A signed package MAY contain either a repository signature or a repository countersignature.
- A signed package MUST NOT contain both a repository signature and a repository countersignature.
- A signed package MUST NOT contain more than 1 repository countersignature.
- If a repository signature is present, it MUST be the primary signature.
- If a repository countersignature is present, it MUST be a countersignature of the primary signature.
- Repository signatures and repository countersignatures MUST contain the signing repository's V3 service index URL.
If a repository signature exists, it MUST be the primary signature.
A repository signature or repository countersignature MAY satisfy the requirements of any CAdES [RFC 5126] signature but MUST satisfy CAdES-BES [RFC 5126] requirements with the following additional requirements:
- The
commitment-type-indication
attribute [RFC 5126] MUST be present. The attribute MUST include theid-cti-ets-proofOfReceipt
commitment type. - The
signing-certificate-v2
attribute [RFC 5126] MUST be present. The hash algorithm used in this attribute MUST be a supported hash algorithm. - The
signing-time
attribute [RFC 5652] MUST be present.
The following OID identifies the nuget-v3-service-index-url
attribute:
1.3.6.1.4.1.311.84.2.1.1.1
Repository signatures and repository countersignatures MUST have this attribute.
This attribute MUST be a signed attribute; it MUST NOT be an unsigned attribute. A CMS SignerInfo
MUST NOT include multiple instances of this attribute. This attribute MUST have exactly one attribute value. The attribute value has the ASN.1 type NuGetV3ServiceIndexUrl
:
NuGetV3ServiceIndexUrl ::= IA5String
The attribute value MUST be the DER-encoded, official repository V3 service index URL. The URL MUST be a syntactically valid HTTPS URL per RFC 7230.
The following OID identifies the nuget-package-owners
attribute:
1.3.6.1.4.1.311.84.2.1.1.2
Repository signatures and repository countersignatures MAY have this attribute but MUST NOT have the attribute if there are no package owners to include. At least one package owner MUST be included in the attribute value.
This attribute MUST be a signed attribute; it MUST NOT be an unsigned attribute. A CMS SignerInfo
MUST NOT include multiple instances of this attribute. This attribute MUST have exactly one attribute value. The attribute value has the ASN.1 type NuGetPackageOwners
:
NuGetPackageOwners ::= SEQUENCE SIZE (1..MAX) OF NuGetPackageOwner
NuGetPackageOwner ::= UTF8String (SIZE (1..MAX))
The attribute value MUST be DER encoded. Individual package owner strings MUST NOT be null, an empty string, or whitespace only (e.g.: using System.String.IsNullOrWhiteSpace(...)
).
A NuGet repository signing/countersigning certificate is a NuGet package signing certificate and MUST satisfy minimum requirements described here.
- NuGet Package Signatures Technical Specification
- RFC 2119: Key words for use in RFCs to Indicate Requirement Levels
- RFC 5652: Cryptographic Message Syntax (CMS)
- RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
- X.660: Information technology – Procedures for the operation of object identifier registration authorities: General procedures and top arcs of the international object identifier tree
- X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
Check out the proposals in the accepted
& proposed
folders on the repository, and active PRs for proposals being discussed today.