private Task <PackageVerificationResult> VerifyAllowListAsync(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings) { throw new NotSupportedException(); }
public Task <PackageVerificationResult> GetTrustResultAsync(ISignedPackageReader package, PrimarySignature signature, SignedPackageVerifierSettings settings, CancellationToken token) { return(VerifyAllowListAsync(package, signature, settings)); }
/// <summary> /// Adds a trusted signer item to the settings based a signed package. /// </summary> /// <param name="name">Name of the trusted signer.</param> /// <param name="package">Package to read signature from.</param> /// <param name="trustTarget">Signature to trust from package.</param> /// <param name="allowUntrustedRoot">Specifies if allowUntrustedRoot should be set to true.</param> /// <param name="owners">Trusted owners that should be set when trusting a repository.</param> /// <param name="token">Cancellation token for async request</param> public async Task AddTrustedSignerAsync(string name, ISignedPackageReader package, VerificationTarget trustTarget, bool allowUntrustedRoot, IEnumerable <string> owners, CancellationToken token) { if (package == null) { throw new ArgumentNullException(nameof(package)); } if (string.IsNullOrEmpty(name)) { throw new ArgumentException(Strings.ArgumentCannotBeNullOrEmpty, nameof(name)); } if (!Enum.IsDefined(typeof(VerificationTarget), trustTarget) || (trustTarget != VerificationTarget.Repository && trustTarget != VerificationTarget.Author)) { throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Strings.Error_UnsupportedTrustTarget, trustTarget.ToString())); } if (trustTarget == VerificationTarget.Author && owners != null && owners.Any()) { throw new ArgumentException(Strings.Error_TrustedAuthorNoOwners); } token.ThrowIfCancellationRequested(); string v3ServiceIndex = null; IRepositorySignature repositorySignature = null; var trustingRepository = trustTarget.HasFlag(VerificationTarget.Repository); var primarySignature = await package.GetPrimarySignatureAsync(token); if (primarySignature == null) { throw new InvalidOperationException(Strings.Error_PackageNotSigned); } if (trustingRepository) { if (primarySignature.Type == SignatureType.Repository) { repositorySignature = primarySignature as RepositoryPrimarySignature; } else { var countersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature); repositorySignature = countersignature ?? throw new InvalidOperationException(Strings.Error_RepoTrustExpectedRepoSignature); } v3ServiceIndex = repositorySignature.V3ServiceIndexUrl.AbsoluteUri; } ValidateNoExistingSigner(name, v3ServiceIndex, trustingRepository); if (trustingRepository) { var certificateItem = GetCertificateItemForSignature(repositorySignature, allowUntrustedRoot); _trustedSignersProvider.AddOrUpdateTrustedSigner(new RepositoryItem(name, v3ServiceIndex, CreateOwnersList(owners), certificateItem)); await _logger.LogAsync(LogLevel.Minimal, string.Format(CultureInfo.CurrentCulture, Strings.SuccessfullyAddedTrustedRepository, name)); } else { if (primarySignature.Type != SignatureType.Author) { throw new InvalidOperationException(Strings.Error_AuthorTrustExpectedAuthorSignature); } var certificateItem = GetCertificateItemForSignature(primarySignature, allowUntrustedRoot); _trustedSignersProvider.AddOrUpdateTrustedSigner(new AuthorItem(name, certificateItem)); await _logger.LogAsync(LogLevel.Minimal, string.Format(CultureInfo.CurrentCulture, Strings.SuccessfullyAddedTrustedAuthor, name)); } }
public Task <VerifySignaturesResult> VerifySignaturesAsync(ISignedPackageReader package, CancellationToken token, Guid parentId) { return(Task.FromResult(new VerifySignaturesResult(valid: true))); }
public async Task <VerifySignaturesResult> VerifySignaturesAsync(ISignedPackageReader package, CancellationToken token, Guid parentId = default(Guid)) { var valid = false; var trustResults = new List <PackageVerificationResult>(); using (var telemetry = new TelemetryActivity(parentId)) { var isSigned = await package.IsSignedAsync(token); if (isSigned) { try { var signature = await package.GetPrimarySignatureAsync(token); if (signature != null) { // Verify that the signature is trusted var sigTrustResults = await Task.WhenAll(_verificationProviders.Select(e => e.GetTrustResultAsync(package, signature, _settings, token))); valid = IsValid(sigTrustResults, _settings); trustResults.AddRange(sigTrustResults); } else { valid = false; } } catch (SignatureException e) { // SignatureException generated while parsing signatures var issues = new[] { SignatureLog.Issue(!_settings.AllowIllegal, e.Code, e.Message), SignatureLog.DebugLog(e.ToString()) }; trustResults.Add(new InvalidSignaturePackageVerificationResult(SignatureVerificationStatus.Illegal, issues)); valid = _settings.AllowIllegal; } catch (CryptographicException e) { // CryptographicException generated while parsing the SignedCms object var issues = new[] { SignatureLog.Issue(!_settings.AllowIllegal, NuGetLogCode.NU3003, Strings.ErrorPackageSignatureInvalid), SignatureLog.DebugLog(e.ToString()) }; trustResults.Add(new InvalidSignaturePackageVerificationResult(SignatureVerificationStatus.Illegal, issues)); valid = _settings.AllowIllegal; } } else if (_settings.AllowUnsigned) { // An unsigned package is valid only if unsigned packages are allowed. valid = true; } else { var issues = new[] { SignatureLog.Issue(fatal: true, code: NuGetLogCode.NU3004, message: Strings.ErrorPackageNotSigned) }; trustResults.Add(new UnsignedPackageVerificationResult(SignatureVerificationStatus.Illegal, issues)); valid = false; } var status = valid ? NuGetOperationStatus.Succeeded : NuGetOperationStatus.Failed; telemetry.TelemetryEvent = new PackageSigningTelemetryEvent(isSigned ? PackageSignType.Signed : PackageSignType.Unsigned, status); return(new VerifySignaturesResult(valid, trustResults)); } }