public async Task VerifySignaturesAsync_ValidCertificateAndTimestamp_Success()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedAndTimeStampedPackageAsync(
testCertificate,
nupkg,
dir,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task <int> ExecuteCommandAsync(VerifyArgs verifyArgs)
{
if (verifyArgs.Verifications.Count == 0)
{
verifyArgs.Logger.LogError(string.Format(CultureInfo.CurrentCulture, Strings.VerifyCommand_VerificationTypeNotSupported));
return(FailureCode);
}
var errorCount = 0;
if (ShouldExecuteVerification(verifyArgs, Verification.Signatures))
{
var packagesToVerify = LocalFolderUtility.ResolvePackageFromPath(verifyArgs.PackagePath);
LocalFolderUtility.EnsurePackageFileExists(verifyArgs.PackagePath, packagesToVerify);
var verificationProviders = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var verifier = new PackageSignatureVerifier(verificationProviders, SignedPackageVerifierSettings.VerifyCommandDefaultPolicy);
foreach (var package in packagesToVerify)
{
try
{
errorCount += await VerifySignatureForPackageAsync(package, verifyArgs.Logger, verifier);
}
catch (InvalidDataException e)
{
verifyArgs.Logger.LogError(string.Format(CultureInfo.CurrentCulture, Strings.VerifyCommand_PackageIsNotValid, package));
ExceptionUtilities.LogException(e, verifyArgs.Logger);
}
}
}
return(errorCount == 0 ? SuccessCode : FailureCode);
}
private async Task RestoreMissingPackagesInSolutionAsync(
string solutionDirectory,
IEnumerable <PackageRestoreData> packages,
ILogger logger,
CancellationToken token)
{
await TaskScheduler.Default;
using (var cacheContext = new SourceCacheContext())
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var downloadContext = new PackageDownloadContext(cacheContext)
{
ParentId = _nuGetProjectContext.OperationId,
ExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault())
};
await _packageRestoreManager.RestoreMissingPackagesAsync(
solutionDirectory,
packages,
_nuGetProjectContext,
downloadContext,
logger,
token);
}
}
public VsPathContextProvider(
IAsyncServiceProvider asyncServiceProvider,
Lazy <ISettings> settings,
Lazy <IVsSolutionManager> solutionManager,
Lazy <NuGet.Common.ILogger> logger)
{
_asyncServiceprovider = asyncServiceProvider ?? throw new ArgumentNullException(nameof(asyncServiceProvider));
_settings = settings ?? throw new ArgumentNullException(nameof(settings));
_solutionManager = solutionManager ?? throw new ArgumentNullException(nameof(solutionManager));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_getLockFileOrNullAsync = BuildIntegratedProjectUtility.GetLockFileOrNull;
_projectContext = new Lazy <INuGetProjectContext>(() => {
var projectContext = new VSAPIProjectContext();
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var adapterLogger = new LoggerAdapter(projectContext);
projectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
adapterLogger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(_settings.Value, adapterLogger));
return(projectContext);
});
}
public async Task VerifySignaturesAsync_SettingsRequireTimestamp_NoTimestamp_Fails()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var setting = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowUntrusted: false,
allowUntrustedSelfSignedCertificate: false,
allowIgnoreTimestamp: false,
allowMultipleTimestamps: true,
allowNoTimestamp: false,
allowUnknownRevocation: false);
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedPackageAsync(testCertificate, nupkg, dir);
var verifier = new PackageSignatureVerifier(_trustProviders, setting);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.Valid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3027);
}
}
}
protected NuGetPowerShellBaseCommand()
{
_sourceRepositoryProvider = ServiceLocator.GetInstance <ISourceRepositoryProvider>();
ConfigSettings = ServiceLocator.GetInstance <Configuration.ISettings>();
VsSolutionManager = ServiceLocator.GetInstance <IVsSolutionManager>();
DTE = ServiceLocator.GetInstance <DTE>();
SourceControlManagerProvider = ServiceLocator.GetInstance <ISourceControlManagerProvider>();
_commonOperations = ServiceLocator.GetInstance <ICommonOperations>();
PackageRestoreManager = ServiceLocator.GetInstance <IPackageRestoreManager>();
_deleteOnRestartManager = ServiceLocator.GetInstance <IDeleteOnRestartManager>();
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var logger = new LoggerAdapter(this);
PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(ConfigSettings, logger));
if (_commonOperations != null)
{
ExecutionContext = new IDEExecutionContext(_commonOperations);
}
ActivityCorrelationId.StartNew();
}
private Task InstallPackageAsync(string source, Project project, string packageId, NuGetVersion version, bool includePrerelease, bool ignoreDependencies)
{
IEnumerable <string> sources = null;
if (!string.IsNullOrEmpty(source) &&
!StringComparer.OrdinalIgnoreCase.Equals("All", source)) // "All" was supported in V2
{
sources = new[] { source };
}
var versionRange = VersionRange.All;
if (version != null)
{
versionRange = new VersionRange(version, true, version, true);
}
var toInstall = new List <PackageIdentity>
{
new PackageIdentity(packageId, version)
};
var projectContext = new VSAPIProjectContext();
var logger = new LoggerAdapter(projectContext);
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
projectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(_settings, logger));
return(InstallInternalAsync(project, toInstall, GetSources(sources), projectContext, includePrerelease, ignoreDependencies, CancellationToken.None));
}
public PackageReaderBase GetLocalPackage(string packagePath)
{
if (packagePath.StartsWith("~/", StringComparison.Ordinal))
{
packagePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), packagePath.Substring(2));
}
else
{
packagePath = Path.GetFullPath(packagePath);
}
var reader = new PackageArchiveReader(File.OpenRead(packagePath));
var identity = reader.GetIdentity();
var rootDirectory = Path.Combine(Path.GetTempPath(), "apidiffpackages");
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var context = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
XmlDocFileSaveMode.None,
Logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
var resolver = new PackagePathResolver(rootDirectory);
PackageExtractor.ExtractPackageAsync(null, reader, resolver, context, default);
var packageFolder = resolver.GetInstallPath(identity);
return(new PackageFolderReader(packageFolder));
}
private async Task InstallPackageAsync(RemoteMatch installItem, CancellationToken token)
{
var packageIdentity = new PackageIdentity(installItem.Library.Name, installItem.Library.Version);
var verificationProviders = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var signedPackageVerifier = new PackageSignatureVerifier(verificationProviders);
var versionFolderPathResolver = new VersionFolderPathResolver(_packagesDirectory);
var packageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
XmlDocFileSaveMode.None,
_logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
using (var packageDependency = await installItem.Provider.GetPackageDownloaderAsync(
packageIdentity,
_cacheContext,
_logger,
token))
{
await PackageExtractor.InstallFromSourceAsync(
packageIdentity,
packageDependency,
versionFolderPathResolver,
packageExtractionContext,
token);
}
}
public async Task LoadSignatureDataAsync()
{
using (var reader = new PackageArchiveReader(_streamFactory(), false))
{
IsSigned = await reader.IsSignedAsync(CancellationToken.None);
if (IsSigned)
{
// Load signature and verification data
var sigs = await reader.GetSignaturesAsync(CancellationToken.None);
var reposigs = new List <SignatureInfo>();
RepositorySignatures = reposigs;
foreach (var sig in sigs)
{
// There will only be one
if (sig.Type == SignatureType.Author)
{
PublisherSignature = new SignatureInfo(sig);
}
if (sig.Type == SignatureType.Repository)
{
reposigs.Add(new SignatureInfo(sig));
}
}
// Check verification
var trustProviders = SignatureVerificationProviderFactory.GetSignatureVerificationProviders();
var verifier = new PackageSignatureVerifier(trustProviders, SignedPackageVerifierSettings.RequireSigned);
VerificationResult = await verifier.VerifySignaturesAsync(reader, CancellationToken.None);
}
}
}
public async Task Signer_VerifyOnTamperedPackage_FileDeletedAsync(string policyString)
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var policy = GetSettingsPolicy(policyString);
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, policy, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3008);
totalErrorIssues.First().Message.Should().Be(_packageTamperedError);
}
}
}
public async Task VerifySignaturesAsync_ValidCertificate_SuccessAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
using (TestDirectory dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task GetTrustResultAsync_VerifyWithCertificateInAllowList_Success()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var certificateFingerprintString = SignatureTestUtility.GetFingerprint(testCertificate, HashAlgorithmName.SHA256);
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
var allowListHashes = new[] { certificateFingerprintString, "abc" };
var allowList = allowListHashes.Select(hash => new CertificateHashAllowListEntry(VerificationTarget.Primary, hash)).ToList();
var trustProviders = new[]
{
new AllowListVerificationProvider(allowList)
};
var verifier = new PackageSignatureVerifier(trustProviders, _settings);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
// Assert
result.Valid.Should().BeTrue();
}
}
}
public async Task VerifySignaturesAsync_ValidCertificateAndTimestampWithDifferentHashAlgorithms_Success()
{
var packageContext = new SimpleTestPackageContext();
var timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
using (var directory = TestDirectory.Create())
using (var certificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url,
signatureHashAlgorithm : HashAlgorithmName.SHA512);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
var result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public async Task GetTrustResultAsync_WithSignedAndCountersignedPackage_Succeeds()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
using (var trusted = SigningTestUtility.GenerateTrustedTestCertificate())
using (var counterCertificate = new X509Certificate2(trusted.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
testCertificate,
nupkg,
dir);
var repositorySignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
counterCertificate,
signedPackagePath,
dir,
new Uri("https://v3ServiceIndex.test/api/index"));
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(repositorySignedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy(), CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.Valid.Should().BeTrue();
resultsWithErrors.Count().Should().Be(0);
}
}
}
public static async Task Extract(
Solution solution,
PackageIdentity packageIdentity,
DownloadResourceResult downloadResult,
CancellationToken token)
{
string globalPackagesFolder = await GetPackagesDirectory(solution);
var defaultPackagePathResolver = new VersionFolderPathResolver(globalPackagesFolder);
string hashPath = defaultPackagePathResolver.GetHashPath(packageIdentity.Id, packageIdentity.Version);
if (File.Exists(hashPath))
{
return;
}
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var packageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
PackageExtractionBehavior.XmlDocFileSaveMode,
NullLogger.Instance,
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
downloadResult.PackageStream.Position = 0;
await PackageExtractor.InstallFromSourceAsync(
downloadResult.PackageSource,
packageIdentity,
stream => downloadResult.PackageStream.CopyToAsync(stream, BufferSize, token),
defaultPackagePathResolver,
packageExtractionContext,
token);
}
/// <summary>
/// Adds refresh files to the specified project for all assemblies references belonging to the packages
/// specified by packageNames.
/// </summary>
/// <param name="project">The project.</param>
/// <param name="repositoryPath">The file system pointing to 'packages' folder under the solution.</param>
/// <param name="packageNames">The package names.</param>
private void AddRefreshFilesForReferences(EnvDTE.Project project, string repositoryPath, IEnumerable <PackageIdentity> packageNames)
{
if (project == null)
{
throw new ArgumentNullException("project");
}
if (repositoryPath == null)
{
throw new ArgumentNullException("repositoryPath");
}
if (!packageNames.Any())
{
return;
}
VSAPIProjectContext context = new VSAPIProjectContext(skipAssemblyReferences: true, bindingRedirectsDisabled: true);
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
context.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
new LoggerAdapter(context),
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
WebSiteProjectSystem projectSystem = new WebSiteProjectSystem(_vsProjectAdapterProvider.CreateAdapterForFullyLoadedProject(project), context);
foreach (var packageName in packageNames)
{
string packagePath = String.Format(CultureInfo.InvariantCulture, "{0}.{1}", packageName.Id, packageName.Version);
DirectoryInfo packageFolder = new DirectoryInfo(Path.Combine(repositoryPath, packagePath));
PackageFolderReader reader = new PackageFolderReader(packageFolder);
var frameworkGroups = reader.GetReferenceItems();
var groups = reader.GetReferenceItems();
var fwComparer = new NuGetFrameworkFullComparer();
FrameworkReducer reducer = new FrameworkReducer();
NuGetFramework targetGroupFramework = reducer.GetNearest(projectSystem.TargetFramework, groups.Select(e => e.TargetFramework));
if (targetGroupFramework != null)
{
var refGroup = groups.Where(e => fwComparer.Equals(targetGroupFramework, e.TargetFramework)).FirstOrDefault();
foreach (string refItem in refGroup.Items)
{
string sourcePath = Path.Combine(packageFolder.FullName, refItem.Replace('/', Path.DirectorySeparatorChar));
// create one refresh file for each assembly reference, as per required by Website projects
// projectSystem.CreateRefreshFile(assemblyPath);
RefreshFileUtility.CreateRefreshFile(projectSystem, sourcePath);
}
}
}
}
public VsPackageInstaller(
ISourceRepositoryProvider sourceRepositoryProvider,
Configuration.ISettings settings,
IVsSolutionManager solutionManager,
IVsPackageInstallerServices packageServices,
IDeleteOnRestartManager deleteOnRestartManager)
{
_sourceRepositoryProvider = sourceRepositoryProvider;
_settings = settings;
_solutionManager = solutionManager;
_packageServices = packageServices;
_deleteOnRestartManager = deleteOnRestartManager;
_isCPSJTFLoaded = false;
_projectContext = new Lazy <INuGetProjectContext>(() => {
var projectContext = new VSAPIProjectContext();
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var logger = new LoggerAdapter(projectContext);
projectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(_settings, logger));
return(projectContext);
});
PumpingJTF = new PumpingJTF(NuGetUIThreadHelper.JoinableTaskFactory);
}
public void InstallPackagesFromRegistryRepository(string keyName, bool isPreUnzipped, bool skipAssemblyReferences, bool ignoreDependencies, Project project, IDictionary <string, string> packageVersions)
{
if (string.IsNullOrEmpty(keyName))
{
throw new ArgumentException(CommonResources.Argument_Cannot_Be_Null_Or_Empty, nameof(keyName));
}
if (project == null)
{
throw new ArgumentNullException(nameof(project));
}
if (packageVersions == null ||
!packageVersions.Any())
{
throw new ArgumentException(CommonResources.Argument_Cannot_Be_Null_Or_Empty, nameof(packageVersions));
}
RunJTFWithCorrectContext(project, async() =>
{
// HACK !!! : This is a hack for PCL projects which send isPreUnzipped = true, but their package source
// (located at C:\Program Files (x86)\Microsoft SDKs\NuGetPackages) follows the V3
// folder version format.
if (isPreUnzipped)
{
var isProjectJsonProject = await EnvDTEProjectUtility.HasBuildIntegratedConfig(project);
isPreUnzipped = isProjectJsonProject ? false : isPreUnzipped;
}
// create a repository provider with only the registry repository
var repoProvider = new PreinstalledRepositoryProvider(ErrorHandler, _sourceRepositoryProvider);
repoProvider.AddFromRegistry(keyName, isPreUnzipped);
var toInstall = GetIdentitiesFromDict(packageVersions);
// Skip assembly references and disable binding redirections should be done together
var disableBindingRedirects = skipAssemblyReferences;
var projectContext = new VSAPIProjectContext(skipAssemblyReferences, disableBindingRedirects);
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var logger = new LoggerAdapter(projectContext);
projectContext.PackageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv2,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(_settings, logger));
await InstallInternalAsync(
project,
toInstall,
repoProvider,
projectContext,
includePrerelease: false,
ignoreDependencies: ignoreDependencies,
token: CancellationToken.None);
});
}
public static async Task <VerifySignaturesResult> VerifySignatureAsync(SignedPackageArchive signPackage, SignedPackageVerifierSettings settings)
{
var verificationProviders = new[] { new SignatureTrustAndValidityVerificationProvider() };
var verifier = new PackageSignatureVerifier(verificationProviders, settings);
var result = await verifier.VerifySignaturesAsync(signPackage, CancellationToken.None);
return(result);
}
public async Task <bool> VerifyAsync(string file, StringBuilder buffer)
{
if (file == null)
{
throw new ArgumentNullException(nameof(file));
}
if (buffer == null)
{
throw new ArgumentNullException(nameof(buffer));
}
var trustProviders = new ISignatureVerificationProvider[]
{
new IntegrityVerificationProvider(),
new SignatureTrustAndValidityVerificationProvider()
};
var verifier = new PackageSignatureVerifier(trustProviders);
try
{
var result = 0;
using (var package = new PackageArchiveReader(file))
{
var verificationResult = await verifier.VerifySignaturesAsync(package, SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy(), CancellationToken.None);
if (verificationResult.IsValid)
{
return(verificationResult.IsValid);
}
else
{
var logMessages = verificationResult.Results.SelectMany(p => p.Issues).Select(p => p.AsRestoreLogMessage()).ToList();
foreach (var msg in logMessages)
{
buffer.AppendLine(msg.Message);
}
if (logMessages.Any(m => m.Level >= NuGet.Common.LogLevel.Warning))
{
var errors = logMessages.Where(m => m.Level == NuGet.Common.LogLevel.Error).Count();
var warnings = logMessages.Where(m => m.Level == NuGet.Common.LogLevel.Warning).Count();
buffer.AppendLine($"Finished with {errors} errors and {warnings} warnings.");
result = errors;
}
return(false);
}
}
}
catch (Exception e)
{
logger.LogError(e, e.Message);
return(false);
}
}
public async Task <int> ExecuteCommandAsync(VerifyArgs verifyArgs)
{
if (verifyArgs.Verifications.Count == 0)
{
verifyArgs.Logger.LogError(string.Format(CultureInfo.CurrentCulture, Strings.VerifyCommand_VerificationTypeNotSupported));
return(FailureCode);
}
var errorCount = 0;
if (ShouldExecuteVerification(verifyArgs, Verification.Signatures))
{
var packagesToVerify = verifyArgs.PackagePaths.SelectMany(packagePath =>
{
var packages = LocalFolderUtility.ResolvePackageFromPath(packagePath);
LocalFolderUtility.EnsurePackageFileExists(packagePath, packages);
return(packages);
});
var allowListEntries = verifyArgs.CertificateFingerprint.Select(fingerprint =>
new CertificateHashAllowListEntry(
VerificationTarget.Author | VerificationTarget.Repository,
SignaturePlacement.PrimarySignature,
fingerprint,
_defaultFingerprintAlgorithm)).ToList();
var verifierSettings = SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy();
var verificationProviders = new List <ISignatureVerificationProvider>()
{
new IntegrityVerificationProvider(),
new SignatureTrustAndValidityVerificationProvider()
};
verificationProviders.Add(
new AllowListVerificationProvider(
allowListEntries,
requireNonEmptyAllowList: false,
noMatchErrorMessage: Strings.Error_NoMatchingCertificate));
var verifier = new PackageSignatureVerifier(verificationProviders);
foreach (var package in packagesToVerify)
{
try
{
errorCount += await VerifySignatureForPackageAsync(package, verifyArgs.Logger, verifier, verifierSettings);
}
catch (InvalidDataException e)
{
verifyArgs.Logger.LogError(string.Format(CultureInfo.CurrentCulture, Strings.VerifyCommand_PackageIsNotValid, package));
ExceptionUtilities.LogException(e, verifyArgs.Logger);
}
}
}
return(errorCount == 0 ? SuccessCode : FailureCode);
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
{
ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
TimestampService timestampService = TimestampService.Create(ca, serviceOptions);
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult result = results.Results.Single();
Assert.False(results.IsValid);
Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3037 &&
issue.Level == LogLevel.Error &&
issue.Message.Contains("validity period has expired."));
}
}
}
public async Task ClientPolicies_WithoutSignerInTrustedSignersList_WithMatchingOwnersAsync(SigningTestType signature, string validationMode, bool expectedResult, int expectedErrors, int expectedWarnings)
{
// Arrange
using (var dir = TestDirectory.Create())
using (var authorCertificate = new X509Certificate2(_trustedAuthorTestCert.Source.Cert))
using (var repoCertificate = new X509Certificate2(_trustedRepoTestCert.Source.Cert))
{
var authorCertificateFingerprintString = SignatureTestUtility.GetFingerprint(authorCertificate, HashAlgorithmName.SHA256);
var repoCertificateFingerprintString = SignatureTestUtility.GetFingerprint(repoCertificate, HashAlgorithmName.SHA256);
var signedPackagePath = await CreateSignedPackageAsync(dir, signature, authorCertificate, repoCertificate);
var config = $@"
<configuration>
<config>
<add key=""signatureValidationMode"" value=""{validationMode}"" />
</config>
<trustedSigners>
<repository name=""repo1"" serviceIndex=""https://api.v3serviceIndex.test/json"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<owners>owner1</owners>
</repository>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, dir, config);
// Act and Assert
var settings = new Settings(dir);
var verifierSettings = SignedPackageVerifierSettings.GetClientPolicy(settings, NullLogger.Instance);
var trustProviders = new[]
{
new AllowListVerificationProvider()
};
var verifier = new PackageSignatureVerifier(trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, verifierSettings, CancellationToken.None);
var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any());
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.Valid.Should().Be(expectedResult);
totalWarningIssues.Count().Should().Be(expectedWarnings);
totalErrorIssues.Count().Should().Be(expectedErrors);
}
}
}
public static async Task <DownloadResourceResult> AddPackageAsync(
string source,
PackageIdentity packageIdentity,
Stream packageStream,
string globalPackagesFolder,
Guid parentId,
ILogger logger,
CancellationToken token)
{
if (packageIdentity == null)
{
throw new ArgumentNullException(nameof(packageIdentity));
}
if (packageStream == null)
{
throw new ArgumentNullException(nameof(packageStream));
}
if (globalPackagesFolder == null)
{
throw new ArgumentNullException(nameof(globalPackagesFolder));
}
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
// The following call adds it to the global packages folder.
// Addition is performed using ConcurrentUtils, such that,
// multiple processes may add at the same time
var packageExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault());
var versionFolderPathResolver = new VersionFolderPathResolver(globalPackagesFolder);
await PackageExtractor.InstallFromSourceAsync(
source,
packageIdentity,
stream => packageStream.CopyToAsync(stream, BufferSize, token),
versionFolderPathResolver,
packageExtractionContext,
token,
parentId);
var package = GetPackage(packageIdentity, globalPackagesFolder);
Debug.Assert(package.PackageStream.CanSeek);
Debug.Assert(package.PackageReader != null);
return(package);
}
private PackageExtractionContext GetPathContext()
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
return(new PackageExtractionContext(
_request.PackageSaveMode,
_request.XmlDocFileSaveMode,
_request.Log,
signedPackageVerifier,
SignedPackageVerifierSettings.GetDefault()));
}
internal PackageExtractionContext GetPackageExtractionContext(ISettings settings)
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
return(new PackageExtractionContext(
PackageSaveMode,
PackageExtractionBehavior.XmlDocFileSaveMode,
Log,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(settings, Log)));
}
protected async Task CheckMissingPackagesAsync()
{
var solutionDirectory = VsSolutionManager.SolutionDirectory;
var packages = await PackageRestoreManager.GetPackagesInSolutionAsync(solutionDirectory, CancellationToken.None);
if (packages.Any(p => p.IsMissing))
{
var packageRestoreConsent = new PackageRestoreConsent(ConfigSettings);
if (packageRestoreConsent.IsGranted)
{
await TaskScheduler.Default;
using (var cacheContext = new SourceCacheContext())
{
var logger = new LoggerAdapter(this);
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var downloadContext = new PackageDownloadContext(cacheContext)
{
ParentId = OperationId,
ExtractionContext = new PackageExtractionContext(
PackageSaveMode.Defaultv3,
PackageExtractionBehavior.XmlDocFileSaveMode,
logger,
signedPackageVerifier,
SignedPackageVerifierSettings.GetClientPolicy(ConfigSettings, logger))
};
var result = await PackageRestoreManager.RestoreMissingPackagesAsync(
solutionDirectory,
packages,
this,
downloadContext,
logger,
Token);
if (result.Restored)
{
await PackageRestoreManager.RaisePackagesMissingEventForSolutionAsync(solutionDirectory, CancellationToken.None);
return;
}
}
}
ErrorHandler.HandleException(
new InvalidOperationException(Resources.Cmdlet_MissingPackages),
terminating: true,
errorId: NuGetErrorId.MissingPackages,
category: ErrorCategory.InvalidOperation);
}
}
public async Task VerifySignaturesAsync_WithExpiredPrimarySignature_ValidCountersignature_AndPrimarySignatureExpiredAtCountersignTime_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
var settings = new SignedPackageVerifierSettings(
allowUnsigned: false,
allowIllegal: false,
allowUntrusted: false,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
reportUnknownRevocation: true,
verificationTarget: VerificationTarget.All,
signaturePlacement: SignaturePlacement.Any,
repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists,
revocationMode: RevocationMode.Online);
using (TestDirectory dir = TestDirectory.Create())
using (TrustedTestCert <TestCertificate> trustedCertificate = _testFixture.CreateTrustedTestCertificateThatWillExpireSoon())
using (var willExpireCert = new X509Certificate2(trustedCertificate.Source.Cert))
using (var repoTestCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
willExpireCert,
nupkg,
dir);
await SignatureTestUtility.WaitForCertificateExpirationAsync(willExpireCert);
string countersignedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
repoTestCertificate,
signedPackagePath,
dir,
TestServiceIndexUrl,
timestampService.Url);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(countersignedPackagePath))
{
// Act
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, settings, CancellationToken.None);
IEnumerable <PackageVerificationResult> resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
}
}
}
public override async Task ExecuteCommandAsync()
{
// Arguments[0] or Arguments[1] will not be null at this point.
// Because, this command has MinArgs set to 2.
var source = Arguments[0];
var destination = Arguments[1];
OfflineFeedUtility.ThrowIfInvalidOrNotFound(
source,
isDirectory: true,
resourceString: LocalizedResourceManager.GetString(nameof(NuGetResources.InitCommand_FeedIsNotFound)));
// If the Destination Feed Folder does not exist, it will be created.
OfflineFeedUtility.ThrowIfInvalid(destination);
var packagePaths = GetPackageFilePaths(source, "*" + PackagingCoreConstants.NupkgExtension);
if (packagePaths.Count > 0)
{
var signedPackageVerifier = new PackageSignatureVerifier(SignatureVerificationProviderFactory.GetSignatureVerificationProviders());
var signingSettings = SignedPackageVerifierSettings.GetClientPolicy(Settings, Console);
var packageExtractionContext = new PackageExtractionContext(
Expand ? PackageSaveMode.Defaultv3 : PackageSaveMode.Nuspec | PackageSaveMode.Nupkg,
PackageExtractionBehavior.XmlDocFileSaveMode,
Console,
signedPackageVerifier,
signingSettings);
foreach (var packagePath in packagePaths)
{
var offlineFeedAddContext = new OfflineFeedAddContext(
packagePath,
destination,
Console, // IConsole is an ILogger
throwIfSourcePackageIsInvalid: false,
throwIfPackageExistsAndInvalid: false,
throwIfPackageExists: false,
extractionContext: packageExtractionContext);
await OfflineFeedUtility.AddPackageToSource(offlineFeedAddContext, CancellationToken.None);
}
}
else
{
var message = string.Format(
CultureInfo.CurrentCulture,
LocalizedResourceManager.GetString(nameof(NuGetResources.InitCommand_FeedContainsNoPackages)),
source);
Console.LogMinimal(message);
}
}
