public async Task GetTrustResultAsync_VerifyWithCertificateInAllowList_Success()
{
    // Arrange
    var packageContext = new SimpleTestPackageContext();

    using (var workingDir = TestDirectory.Create())
    using (var signingCert = new X509Certificate2(_trustedTestCert.Source.Cert))
    {
        // SHA-256 fingerprint of the signing certificate, rendered the way allow-list
        // entries expect it: upper-case hex with the BitConverter dashes stripped.
        var fingerprintBytes = CertificateUtility.GetHash(signingCert, HashAlgorithmName.SHA256);
        var fingerprintHex = BitConverter.ToString(fingerprintBytes).Replace("-", "");

        var signedPackagePath = await SignedArchiveTestUtility.CreateSignedPackageAsync(signingCert, packageContext, workingDir);

        // The allow list deliberately carries a junk entry ("abc") alongside the real
        // fingerprint: an entry that matches nothing must not stop the real one from matching.
        var allowList = new[] { fingerprintHex, "abc" }
            .Select(fingerprint => new CertificateHashAllowListEntry(VerificationTarget.Primary, fingerprint))
            .ToList();

        var verifier = new PackageSignatureVerifier(
            new[] { new AllowListVerificationProvider(allowList) },
            SignedPackageVerifierSettings.Default);

        using (var packageReader = new PackageArchiveReader(signedPackagePath))
        {
            // Act
            var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);

            // Assert
            result.Valid.Should().BeTrue();
        }
    }
}
public void VerifyCommand_VerifyOnPackageSignedWithAllowedCertificateSucceeds()
{
    // Arrange
    var leafCert = _testFixture.TrustedTestCertificateChain.Leaf;

    using (var workingDir = TestDirectory.Create())
    using (var packageStream = new SimpleTestPackageContext().CreateAsStream())
    {
        // Write the unsigned package to a uniquely named file inside the test directory.
        var packagePath = Path.Combine(workingDir, Guid.NewGuid().ToString());
        packageStream.Seek(offset: 0, loc: SeekOrigin.Begin);
        using (var packageFile = File.OpenWrite(packagePath))
        {
            packageStream.CopyTo(packageFile);
        }

        // Sign with nuget.exe. The store lookup here uses X509Certificate2.Thumbprint,
        // which .NET computes with SHA-1 -- a different value from the SHA-256
        // fingerprint that `verify` is given below.
        var signArguments =
            $"sign {packagePath} -CertificateFingerprint {leafCert.Source.Cert.Thumbprint} -CertificateStoreName {leafCert.StoreName} -CertificateStoreLocation {leafCert.StoreLocation}";
        var signResult = CommandRunner.Run(_nugetExePath, workingDir, signArguments, waitForExit: true);
        signResult.Success.Should().BeTrue();

        // SHA-256 fingerprint as upper-case hex without separators.
        var sha256Bytes = CertificateUtility.GetHash(leafCert.Source.Cert, HashAlgorithmName.SHA256);
        var sha256Hex = BitConverter.ToString(sha256Bytes).Replace("-", "");

        // Act
        // The ';'-separated list mixes the real fingerprint with two junk entries; verification
        // must succeed as long as one entry matches the signing certificate.
        var verifyArguments = $"verify {packagePath} -Signatures -CertificateFingerprint {sha256Hex};abc;def";
        var verifyResult = CommandRunner.Run(_nugetExePath, workingDir, verifyArguments, waitForExit: true);

        // Assert
        verifyResult.Success.Should().BeTrue();
        // The package was signed without a timestamp, so the no-timestamper warning is expected.
        verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}
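/// <summary>
/// Get the certificate fingerprint for a given hash algorithm.
/// </summary>
/// <param name="cert">Certificate to calculate fingerprint</param>
/// <param name="hashAlgorithm">Hash algorithm to calculate fingerprint</param>
/// <returns>
/// The hash returned by <c>CertificateUtility.GetHash</c> for <paramref name="cert"/> and
/// <paramref name="hashAlgorithm"/>, rendered as upper-case hexadecimal with no separators
/// (e.g. "A1B2C3..."). The casing is an artifact of <see cref="BitConverter.ToString(byte[])"/>;
/// callers comparing this against externally supplied fingerprints should compare
/// case-insensitively or normalise both sides first.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
public static string GetFingerprint(X509Certificate2 cert, HashAlgorithmName hashAlgorithm)
{
    // Validate at the public entry point so a null certificate fails with a clear
    // argument error rather than whatever the hashing helper happens to throw.
    if (cert == null)
    {
        throw new ArgumentNullException(nameof(cert));
    }

    var fingerprintBytes = CertificateUtility.GetHash(cert, hashAlgorithm);

    // BitConverter emits "AB-CD-EF-..."; strip the dashes to produce the compact form.
    return BitConverter.ToString(fingerprintBytes).Replace("-", "");
}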