public void Verify_MultipleSignedPackagesWithWildCardAndDetailedVerbosity_MixedResults()
{
// Arrange
using (var testDirectory1 = TestDirectory.Create())
{
using (var testDirectory2 = TestDirectory.Create())
{
var packagX = new FileInfo(Path.Combine(testDirectory1, "TestPackage.AuthorSigned.1.0.0.nupkg"));
var bPackageX = SigningTestUtility.GetResourceBytes(packagX.Name);
File.WriteAllBytes(packagX.FullName, bPackageX);
var packageY = new FileInfo(Path.Combine(testDirectory2, "Test.Reposigned.1.0.0.nupkg"));
var bpackageY = SigningTestUtility.GetResourceBytes(packageY.Name);
File.WriteAllBytes(packageY.FullName, bpackageY);
//Act
var result = _msbuildFixture.RunDotnet(
testDirectory1,
$"nuget verify {packagX.FullName} {Path.Combine(testDirectory2, "*.nupkg")} -v d",
ignoreExitCode: true);
result.Success.Should().BeFalse(because: result.AllOutput);
result.AllOutput.Should().Contain("Successfully verified package 'TestPackage.AuthorSigned.1.0.0'.");
result.AllOutput.Should().Contain($"Verifying Test.Reposigned.1.0.0");
result.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
result.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
}
public void IsSigned_WithCorrectSignatureFileEntry_ReturnsTrue()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("SignatureFileEntry.zip")))
{
var isSigned = SignedPackageArchiveUtility.IsSigned(test.Reader);
Assert.True(isSigned);
}
}
public void IsZip64_WithCentralDirectoryHeaderWithZip64ExtraField_ReturnsTrue()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("CentralDirectoryHeaderWithZip64ExtraField.zip")))
{
var isZip64 = SignedPackageArchiveUtility.IsZip64(test.Reader);
Assert.True(isZip64);
}
}
public void GetPackageContentHash_WithCompressedSignatureFileEntry_NotThrows()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("SignatureFileWithDeflateCompressionMethodAndDefaultCompressionLevel.zip")))
{
var contentHash = SignedPackageArchiveUtility.GetPackageContentHash(test.Reader);
Assert.NotNull(contentHash);
}
}
public void IsZip64_WithEmptyZip64_ReturnsTrue()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("EmptyZip64.zip")))
{
var isZip64 = SignedPackageArchiveUtility.IsZip64(test.Reader);
Assert.True(isZip64);
}
}
public void OpenPackageSignatureFileStream_WithCompressedSignatureFileEntry_Throws()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("SignatureFileWithDeflateCompressionMethodAndDefaultCompressionLevel.zip")))
{
var exception = Assert.Throws <SignatureException>(
() => SignedPackageArchiveUtility.OpenPackageSignatureFileStream(test.Reader));
Assert.Equal("The package signature file entry is invalid. The central directory header field 'compression method' has an invalid value (8).", exception.Message);
Assert.Equal(NuGetLogCode.NU3005, exception.Code);
}
}
public void OpenPackageSignatureFileStream_WithIncorrectSignatureFileName_Throws()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("SignatureFileWithUppercaseFileName.zip")))
{
var exception = Assert.Throws <SignatureException>(
() => SignedPackageArchiveUtility.OpenPackageSignatureFileStream(test.Reader));
Assert.Equal("The package does not contain a valid package signature file.", exception.Message);
Assert.Equal(NuGetLogCode.NU3005, exception.Code);
}
}
public void GetCertificateChain_WithAuthorSignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SigningTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("7d14ef1eaa95c41e3cb6c25bb177ce4f9bd7020c", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("0a08d814f1c1c4058bf709c4796a53a47df00e61", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a1b6d9c348850849be54e3e8ac2ae9938e59e4b3", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetTimestampCertificateChain_WithAuthorSignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SigningTestUtility.GetResourceBytes(".signature.p7s"));
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("5f970d4b17786b091a77eabdd0cf92ff8d1fdb43", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c5e93f93089bd49dc1d8e2b657093b9e29132dcf", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("a0e355c9f370a3069823afa3ce22b14a91475e77", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void GetTimestampCertificateChain_WithoutTimestamp_Throws()
{
var primarySignature = PrimarySignature.Load(SigningTestUtility.GetResourceBytes(".signature.p7s"));
primarySignature = RemoveTimestamp(primarySignature);
var exception = Assert.Throws <SignatureException>(
() => SignatureUtility.GetTimestampCertificateChain(primarySignature));
Assert.Equal(NuGetLogCode.NU3000, exception.Code);
Assert.Equal("The primary signature does not have a timestamp.", exception.Message);
}
public void GetTimestampCertificateChain_WithRepositoryCountersignatureTimestamp_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SigningTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetTimestampCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("96b479acf63394f3bcc9928c396264afd60909ed", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("fa4e4ca3d9a26b92a73bb875f964972983b55ccd", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("88b288ff6d3d826469a9ef7816166a7def221885", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void IsSigned_WithCentralDirectoryHeaderUsingUtf8_ReturnsFalse()
{
var zipBytes = SigningTestUtility.GetResourceBytes("SignatureFileEntry.zip");
zipBytes[35] = 0x08;
using (var test = new Test(zipBytes))
{
var isSigned = SignedPackageArchiveUtility.IsSigned(test.Reader);
Assert.False(isSigned);
}
}
public void GetCertificateChain_WithUnrelatedRepositoryCountersignature_Throws()
{
var primarySignature = PrimarySignature.Load(SigningTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
primarySignature = RemoveRepositoryCountersignature(primarySignature);
var exception = Assert.Throws <ArgumentException>(
() => SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature));
Assert.Equal("repositoryCountersignature", exception.ParamName);
Assert.StartsWith("The primary signature and repository countersignature are unrelated.", exception.Message);
}
public void GetCertificateChain_WithRepositoryCountersignature_ReturnsCertificates()
{
var primarySignature = PrimarySignature.Load(SigningTestUtility.GetResourceBytes(".signature.p7s"));
var repositoryCountersignature = RepositoryCountersignature.GetRepositoryCountersignature(primarySignature);
using (var certificates = SignatureUtility.GetCertificateChain(primarySignature, repositoryCountersignature))
{
Assert.Equal(3, certificates.Count);
Assert.Equal("8d8cc5bdf9e5f86b971d7fb961fe24b999486483", certificates[0].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("c8ae47bfd632870a15e3775784affd2bdc96cbf1", certificates[1].Thumbprint, StringComparer.OrdinalIgnoreCase);
Assert.Equal("d4e8185475a062de3518d1aa693f13c4283f81ff", certificates[2].Thumbprint, StringComparer.OrdinalIgnoreCase);
}
}
public void IsSigned_WithIncorrectSignatureFileNameInCentralDirectoryHeader_ReturnsFalse()
{
var zipBytes = SigningTestUtility.GetResourceBytes("SignatureFileEntry.zip");
var fileName = Encoding.ASCII.GetBytes(SigningSpecifications.V1.SignaturePath.ToUpper());
Array.Copy(fileName, sourceIndex: 0, destinationArray: zipBytes, destinationIndex: 0x5a, length: fileName.Length);
using (var test = new Test(zipBytes))
{
var isSigned = SignedPackageArchiveUtility.IsSigned(test.Reader);
Assert.False(isSigned);
}
}
public async Task SignAsync_WhenPackageIsZip64_ThrowsAsync()
{
using (var test = SignTest.Create(
_fixture.GetDefaultCertificate(),
HashAlgorithmName.SHA256,
SigningTestUtility.GetResourceBytes("CentralDirectoryHeaderWithZip64ExtraField.zip")))
{
var exception = await Assert.ThrowsAsync <SignatureException>(
() => SigningUtility.SignAsync(test.Options, test.Request, CancellationToken.None));
Assert.Equal(NuGetLogCode.NU3006, exception.Code);
Assert.Equal("Signed Zip64 packages are not supported.", exception.Message);
}
}
public void OpenPackageSignatureFileStream_WithFakeContent_ReturnsContent()
{
using (var test = new Test(SigningTestUtility.GetResourceBytes("SignatureFileWithFakeContent.zip")))
using (var stream = SignedPackageArchiveUtility.OpenPackageSignatureFileStream(test.Reader))
{
Assert.False(stream.CanWrite);
using (var reader = new BinaryReader(stream))
{
var expectedBytes = Encoding.ASCII.GetBytes("content");
var actualBytes = reader.ReadBytes((int)reader.BaseStream.Length);
Assert.Equal(expectedBytes, actualBytes);
}
}
}
public void ReadSignedArchiveMetadata_WithSignedPackage_ReturnsMetadata()
{
using (var stream = new MemoryStream(SigningTestUtility.GetResourceBytes("SignedPackage.1.0.0.nupkg")))
using (var reader = new BinaryReader(stream))
{
var metadata = SignedPackageArchiveIOUtility.ReadSignedArchiveMetadata(reader);
Assert.Equal(0, metadata.StartOfLocalFileHeaders);
Assert.Equal(6, metadata.CentralDirectoryHeaders.Count);
Assert.Equal(0xd7c, metadata.EndOfCentralDirectory);
Assert.Equal(5, metadata.SignatureCentralDirectoryHeaderIndex);
var expectedHeaders = new[]
{
new { ChangeInOffset = 0L, FileEntryTotalSize = 0x136, HeaderSize = 0x39, IndexInHeaders = 0,
IsPackageSignatureFile = false, OffsetToFileHeader = 0, Position = 0xbcc },
new { ChangeInOffset = 0L, FileEntryTotalSize = 0x110, HeaderSize = 0x42, IndexInHeaders = 1,
IsPackageSignatureFile = false, OffsetToFileHeader = 0x136, Position = 0xc05 },
new { ChangeInOffset = 0L, FileEntryTotalSize = 0x29, HeaderSize = 0x39, IndexInHeaders = 2,
IsPackageSignatureFile = false, OffsetToFileHeader = 0x246, Position = 0xc47 },
new { ChangeInOffset = 0L, FileEntryTotalSize = 0xff, HeaderSize = 0x41, IndexInHeaders = 3,
IsPackageSignatureFile = false, OffsetToFileHeader = 0x26f, Position = 0xc80 },
new { ChangeInOffset = 0L, FileEntryTotalSize = 0x1dd, HeaderSize = 0x7f, IndexInHeaders = 4,
IsPackageSignatureFile = false, OffsetToFileHeader = 0x36e, Position = 0xcc1 },
new { ChangeInOffset = 0L, FileEntryTotalSize = 0x681, HeaderSize = 0x3c, IndexInHeaders = 5,
IsPackageSignatureFile = true, OffsetToFileHeader = 0x54b, Position = 0xd40 },
};
Assert.Equal(expectedHeaders.Length, metadata.CentralDirectoryHeaders.Count);
for (var i = 0; i < expectedHeaders.Length; ++i)
{
var expectedHeader = expectedHeaders[i];
var actualHeader = metadata.CentralDirectoryHeaders[i];
Assert.Equal(expectedHeader.Position, actualHeader.Position);
Assert.Equal(expectedHeader.OffsetToFileHeader, actualHeader.OffsetToLocalFileHeader);
Assert.Equal(expectedHeader.FileEntryTotalSize, actualHeader.FileEntryTotalSize);
Assert.Equal(expectedHeader.IsPackageSignatureFile, actualHeader.IsPackageSignatureFile);
Assert.Equal(expectedHeader.HeaderSize, actualHeader.HeaderSize);
Assert.Equal(expectedHeader.ChangeInOffset, actualHeader.ChangeInOffset);
Assert.Equal(expectedHeader.IndexInHeaders, actualHeader.IndexInHeaders);
}
}
}
public void Verify_SignedPackageWithAllowedCertificate_Succeeds()
{
// Arrange
using (var testDirectory = TestDirectory.Create())
{
var packageFile = new FileInfo(Path.Combine(testDirectory, "TestPackage.AuthorSigned.1.0.0.nupkg"));
var package = SigningTestUtility.GetResourceBytes(packageFile.Name);
File.WriteAllBytes(packageFile.FullName, package);
//Act
var result = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {packageFile.FullName} " +
$"--certificate-fingerprint 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE --certificate-fingerprint def",
ignoreExitCode: true);
result.Success.Should().BeTrue(because: result.AllOutput);
}
}
public void Verify_SignedPackageWithoutAllowedCertificate_Fails()
{
// Arrange
using (var testDirectory = TestDirectory.Create())
{
var packageFile = new FileInfo(Path.Combine(testDirectory, "TestPackage.AuthorSigned.1.0.0.nupkg"));
var package = SigningTestUtility.GetResourceBytes(packageFile.Name);
File.WriteAllBytes(packageFile.FullName, package);
//Act
var result = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {packageFile.FullName} " +
$"--certificate-fingerprint 775AAB607AA76028A7CC7A873A9513FF0C3B40DF09B7B83D21689A3675B34D9A --certificate-fingerprint DEF",
ignoreExitCode: true);
result.Success.Should().BeFalse(because: result.AllOutput);
result.AllOutput.Should().Contain(_noMatchingCertErrorCode);
}
}
public void Verify_AuthorSignedAndTimestampedPackageWithOptionAll_Succeeds()
{
// Arrange
using (var testDirectory = TestDirectory.Create())
{
var packageFile = new FileInfo(Path.Combine(testDirectory, "TestPackage.AuthorSigned.1.0.0.nupkg"));
var package = SigningTestUtility.GetResourceBytes(packageFile.Name);
File.WriteAllBytes(packageFile.FullName, package);
//Act
var result = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {packageFile.FullName} --all",
ignoreExitCode: true);
result.Success.Should().BeTrue(because: result.AllOutput);
result.Output.Should().NotContain(_noTimestamperWarningCode);
result.Output.Should().NotContain(_primarySignatureInvalidErrorCode);
}
}