public async Task Verify_RepositorySignedPackage_WithAuthorItemUntrustedCertificate_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;
// Arrange
using (var pathContext = new SimpleTestPathContext())
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
string testDirectory = pathContext.WorkingDirectory;
await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
string packagePath = Path.Combine(testDirectory, nupkg.PackageName);
//Act
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(storeCertificate.Certificate, packagePath, pathContext.PackageSource, new Uri(repoServiceIndex));
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<author name=""MyCert"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
</author>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def" : string.Empty;
//Act
CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {signedPackagePath} {fingerprint}",
ignoreExitCode: true);
// Assert
verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
verifyResult.AllOutput.Should().Contain("This package is signed but not by a trusted signer.");
if (bool.TryParse(allowUntrustedRoot, out bool parsed) && !parsed)
{
verifyResult.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
}
else
{
verifyResult.AllOutput.Should().NotContain(_primarySignatureInvalidErrorCode);
}
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_CorrectOwners_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;
using (var pathContext = new SimpleTestPathContext())
{
var package = new SimpleTestPackageContext();
string certFingerprint = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
var packageOwners = new List <string>()
{
"nuget",
"contoso"
};
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
storeCertificate.Certificate,
package,
pathContext.PackageSource,
new Uri(repoServiceIndex),
timestampService : null,
packageOwners);
string testDirectory = pathContext.WorkingDirectory;
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}"">
<certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
<owners>nuget;Contoso</owners>
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certFingerprint} --certificate-fingerprint DEF" : string.Empty;
//Act
CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {signedPackagePath} {fingerprint}",
ignoreExitCode: true);
// Assert
// For certificate with trusted root setting allowUntrustedRoot value true/false doesn't matter.
// Owners is casesensitive, here owner "nuget" matches
verifyResult.Success.Should().BeTrue();
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_WrongOwners_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;
// Arrange
using (var pathContext = new SimpleTestPathContext())
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.WorkingDirectory, nupkg);
string packagePath = Path.Combine(pathContext.WorkingDirectory, nupkg.PackageName);
//Act
var certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
var packageOwners = new List <string>()
{
"nuget",
"contoso"
};
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(storeCertificate.Certificate, packagePath, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners);
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
<owners>Nuget;Contoso</owners>
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint DEF" : string.Empty;
//Act
CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
pathContext.WorkingDirectory,
$"nuget verify {signedPackagePath} {fingerprint}",
ignoreExitCode: true);
// Assert
// Owners is casesensitive, owner info should be "nuget;contoso" not "Nuget;Contoso"
verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
verifyResult.AllOutput.Should().Contain("This package is signed but not by a trusted signer.");
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_CorrectOwners_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
using (var pathContext = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(_testFixture.UntrustedSelfIssuedCertificateInCertificateStore))
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.WorkingDirectory, nupkg);
string packagePath = Path.Combine(pathContext.WorkingDirectory, nupkg.PackageName);
//Act
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(testCertificate, HashAlgorithmName.SHA256);
var packageOwners = new List <string>()
{
"nuget",
"contoso"
};
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(testCertificate, packagePath, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners);
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
<owners>nuget;Contoso</owners>
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certificateFingerprintString};def" : string.Empty;
// Act
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
pathContext.PackageSource,
$"verify {signedPackagePath} -Signatures {fingerprint}",
waitForExit: true);
// Assert
// Owners is casesensitive, here owner "nuget" matches
verifyResult.Success.Should().BeTrue();
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_WrongOwners_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
TrustedTestCert <TestCertificate> cert = _testFixture.TrustedTestCertificateChain.Leaf;
using (var pathContext = new SimpleTestPathContext())
{
var package = new SimpleTestPackageContext();
string certFingerprint = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256);
var packageOwners = new List <string>()
{
"nuget",
"contoso"
};
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(cert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex), null, packageOwners);
string testDirectory = pathContext.WorkingDirectory;
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}"">
<certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
<owners>Nuget;Contoso</owners>
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certFingerprint};def" : string.Empty;
//Act
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
pathContext.PackageSource,
$"verify {signedPackagePath} -Signatures {fingerprint}",
waitForExit: true);
// Assert
// Owners is casesensitive, owner info should be "nuget;contoso" not "Nuget;Contoso"
verifyResult.Success.Should().BeFalse();
verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
}
}
public async Task VerifyCommand_AuthorSignedPackage_WithUntrustedCertificate_AllowUntrustedRootIsSetTrue_WrongNugetConfig_Fails()
{
IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;
// Arrange
using (var pathContext = new SimpleTestPathContext())
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
//Act
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(storeCertificate.Certificate, nupkg, pathContext.WorkingDirectory);
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
// Arrange
string nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, NuGet.Configuration.Settings.DefaultSettingsFileName);
string nugetConfigPath2 = Path.Combine(pathContext.WorkingDirectory, "nuget2.config");
// nuget2.config doesn't have change for trustedSigners
File.Copy(nugetConfigPath, nugetConfigPath2);
string trustedSignersSectionContent = $@"
<trustedSigners>
<author name=""MyCert"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""true"" />
</author>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
//Act
// pass custom nuget2.config file, but doesn't have trustedSigners section
CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
pathContext.WorkingDirectory,
$"nuget verify {signedPackagePath} --all --certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def --configfile {nugetConfigPath2}",
ignoreExitCode: true);
// Assert
// allowUntrustedRoot is not set true in nuget2.config, but in nuget.config, so verify fails.
verifyResult.Success.Should().BeFalse();
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
verifyResult.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetFalse_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
using (var pathContext = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(_testFixture.UntrustedSelfIssuedCertificateInCertificateStore))
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
string testDirectory = pathContext.WorkingDirectory;
await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
string packagePath = Path.Combine(testDirectory, nupkg.PackageName);
//Act
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(testCertificate, HashAlgorithmName.SHA256);
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(testCertificate, packagePath, pathContext.PackageSource, new Uri(repoServiceIndex));
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certificateFingerprintString};def" : string.Empty;
// Act
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
pathContext.PackageSource,
$"verify {signedPackagePath} -Signatures {fingerprint}",
waitForExit: true);
// Assert
// Unless allowUntrustedRoot is set true in nuget.config verify always fails for cert without trusted root.
verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
verifyResult.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
verifyResult.AllOutput.Should().Contain("The repository primary signature's signing certificate is not trusted by the trust provider.");
}
}
public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;
// Arrange
using (var pathContext = new SimpleTestPathContext())
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
string testDirectory = pathContext.WorkingDirectory;
await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
string packagePath = Path.Combine(testDirectory, nupkg.PackageName);
//Act
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
string repoServiceIndex = "https://serviceindex.test/v3/index.json";
string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(storeCertificate.Certificate, packagePath, pathContext.PackageSource, new Uri(repoServiceIndex));
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def" : string.Empty;
//Act
CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
testDirectory,
$"nuget verify {signedPackagePath} {fingerprint}",
ignoreExitCode: true);
// Assert
// If allowUntrustedRoot is set true in nuget.config then verify succeeds for cert with untrusted root.
verifyResult.Success.Should().BeTrue();
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task VerifyCommand_AuthorSignedPackage_WithUntrustedCertificate_AllowUntrustedRootIsSetTrue_CorrectNugetConfig_Succeed()
{
// Arrange
using (var pathContext = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(_testFixture.UntrustedSelfIssuedCertificateInCertificateStore))
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
//Act
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, pathContext.WorkingDirectory);
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(testCertificate, HashAlgorithmName.SHA256);
// Arrange
string nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, NuGet.Configuration.Settings.DefaultSettingsFileName);
string nugetConfigPath2 = Path.Combine(pathContext.WorkingDirectory, "nuget2.config");
File.Copy(nugetConfigPath, nugetConfigPath2);
string trustedSignersSectionContent = $@"
<trustedSigners>
<author name=""MyCert"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""true"" />
</author>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(nugetConfigPath2, trustedSignersSectionContent, "configuration");
// Act
// pass custom nuget2.config file, it has trustedSigners section
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
pathContext.PackageSource,
$"verify {signedPackagePath} -All -CertificateFingerprint {certificateFingerprintString};def -ConfigFile {nugetConfigPath2}",
waitForExit: true);
// Assert
// allowUntrustedRoot is set true in nuget2.config, so verify succeeds.
verifyResult.Success.Should().BeTrue();
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}
public async Task Verify_AuthorSignedPackage_WithRepositoryItemTrustedCertificate_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
TrustedTestCert <TestCertificate> cert = _testFixture.TrustedTestCertificateChain.Leaf;
using (var pathContext = new SimpleTestPathContext())
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
string testDirectory = pathContext.WorkingDirectory;
await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
//Act
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256);
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(cert.Source.Cert, nupkg, testDirectory);
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<repository name=""MyCert"" serviceIndex=""{pathContext.PackageSource}"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
</repository>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certificateFingerprintString};def" : string.Empty;
// Act
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
pathContext.PackageSource,
$"verify {signedPackagePath} -Signatures {fingerprint}",
waitForExit: true);
// Assert
verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
verifyResult.AllOutput.Should().Contain("This package is signed but not by a trusted signer.");
}
}
public async Task Verify_AuthorSignedPackage_WithAuthorItemTrustedCertificate_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
// Arrange
TrustedTestCert <TestCertificate> cert = _testFixture.TrustedTestCertificateChain.Leaf;
using (var pathContext = new SimpleTestPathContext())
{
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
string testDirectory = pathContext.WorkingDirectory;
await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
//Act
string certificateFingerprintString = SignatureTestUtility.GetFingerprint(cert.Source.Cert, HashAlgorithmName.SHA256);
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(cert.Source.Cert, nupkg, testDirectory);
// Arrange
string trustedSignersSectionContent = $@"
<trustedSigners>
<author name=""signed"">
<certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
</author>
</trustedSigners>
";
SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");
string fingerprint = verifyCertificateFingerprint ? $"-CertificateFingerprint {certificateFingerprintString};def" : string.Empty;
// Act
CommandRunnerResult verifyResult = CommandRunner.Run(
_nugetExePath,
testDirectory,
$"verify {signedPackagePath} -Signatures {fingerprint}",
waitForExit: true);
// Assert
// For certificate with trusted root setting allowUntrustedRoot to true/false doesn't matter
verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
}
}