// A password-protected PFX is handed to `nuget sign` without any --certificate-password.
// The command is expected to fail and report the invalid-password error for that PFX path
// instead of producing a signature.
public async Task DotnetSign_SignPackageWithPfxFileWithoutPasswordAndWithNonInteractive_FailsAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

        // The PFX is exported under a random file name with a throwaway random password.
        // NOTE(review): the exported file is written into the test working directory;
        // presumably it is removed when pathContext is disposed - confirm.
        string pfxPath = Path.Combine(pathContext.WorkingDirectory, Guid.NewGuid().ToString());
        string password = Guid.NewGuid().ToString();
        File.WriteAllBytes(pfxPath, storeCertificate.Certificate.Export(X509ContentType.Pfx, password));

        string arguments = $"nuget sign {packageFilePath} --certificate-path {pfxPath}";

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        string expectedError = string.Format(_invalidPasswordError, pfxPath);
        signResult.Success.Should().BeFalse(because: signResult.AllOutput);
        signResult.AllOutput.Should().Contain(expectedError);
    }
}
// Signs with a PFX that is referenced by a path relative to the working directory
// (".<separator><file>.pfx") and expects success with the missing-timestamper warning.
public async Task DotnetSign_SignPackageWithPfxFileOfRelativePath_SuccessAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

        // The PFX lives in the same directory the command is run from, so "./name" resolves to it.
        string pfxName = Guid.NewGuid().ToString() + ".pfx";
        string pfxPath = Path.Combine(pathContext.PackageSource, pfxName);

        // The password is a one-off GUID protecting a disposable test PFX. It is passed as a
        // command-line argument, which is visible to other processes on the machine; that is
        // tolerable only because nothing of value is protected by it.
        string password = Guid.NewGuid().ToString();
        File.WriteAllBytes(pfxPath, storeCertificate.Certificate.Export(X509ContentType.Pfx, password));

        string arguments =
            $"nuget sign {packageFilePath} " +
            $"--certificate-path .{Path.DirectorySeparatorChar}{pfxName} " +
            $"--certificate-password {password}";

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        signResult.Success.Should().BeTrue(because: signResult.AllOutput);
        signResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}
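// Signs a package, then signs it again with --overwrite appended to the same arguments.
// Both invocations are expected to succeed and to emit the missing-timestamper warning.
public async Task DotnetSign_ResignPackageWithOverwrite_SuccessAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        await SimpleTestPackageUtility.CreatePackagesAsync(
            pathContext.PackageSource,
            new SimpleTestPackageContext("PackageA", "1.0.0"));

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;
        string args = GetDefaultArgs(packageFilePath, storeCertificate);

        // Act
        CommandRunnerResult firstResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            args,
            ignoreExitCode: true);

        CommandRunnerResult secondResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            args + " --overwrite",
            ignoreExitCode: true);

        // Assert
        firstResult.Success.Should().BeTrue(because: firstResult.AllOutput);
        firstResult.AllOutput.Should().Contain(_noTimestamperWarningCode);

        // Surface the CLI output on failure here too; without it a failed re-sign
        // reports only "expected true" and the actual signing error is lost.
        secondResult.Success.Should().BeTrue(because: secondResult.AllOutput);
        secondResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}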
// Signs a package with --output pointing at a separate directory and checks that a
// package file with the same name appears there.
public async Task DotnetSign_SignPackageWithOutputDirectory_SucceedsAsync()
{
    const string PackageFileName = "PackageA.1.0.0.nupkg";

    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, PackageFileName);
        string outputDir = Path.Combine(pathContext.WorkingDirectory, "Output");
        IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

        // The output directory is created up front, before the command runs.
        Directory.CreateDirectory(outputDir);

        string arguments = GetDefaultArgs(packageFilePath, storeCertificate) + $" --output {outputDir}";

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        string signedPackagePath = Path.Combine(outputDir, PackageFileName);
        signResult.Success.Should().BeTrue(because: signResult.AllOutput);
        signResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
        File.Exists(signedPackagePath).Should().BeTrue();
    }
}
// Pins that signing with an untrusted, self-issued certificate from the certificate store
// does not fail: the command succeeds, but its output must carry the chain-build-failure
// code in addition to the missing-timestamper warning.
public async Task DotnetSign_SignPackageWithUntrustedSelfIssuedCertificateInCertificateStore_SuccessAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

        // Only the fingerprint is given; no store name or location is passed in this scenario.
        string arguments =
            $"nuget sign {packageFilePath} " +
            $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint}";

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        string output = signResult.AllOutput;
        signResult.Success.Should().BeTrue(because: output);
        output.Should().Contain(_noTimestamperWarningCode);
        output.Should().Contain(_chainBuildFailureErrorCode);
    }
}
// Signs a package that is addressed by a path relative to the working directory
// (".<separator>PackageA.1.0.0.nupkg") using the default fixture certificate.
public async Task DotnetSign_SignPackageWithTrustedCertificateWithRelativePath_SucceedsAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        var packageFileName = "PackageA.1.0.0.nupkg";
        IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

        // The command runs from PackageSource, which is where the package was created.
        string arguments =
            $"nuget sign .{Path.DirectorySeparatorChar}{packageFileName} " +
            $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint} " +
            $"--certificate-store-name {storeCertificate.StoreName} " +
            $"--certificate-store-location {storeCertificate.StoreLocation}";

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        signResult.Success.Should().BeTrue(because: signResult.AllOutput);
        signResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}
// Signs with --timestamper pointing at the fixture's trusted timestamp service and checks
// that the missing-timestamper warning is no longer emitted.
public async Task DotnetSign_SignPackageWithTimestamping_SucceedsAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        TimestampService timestampService = await _signFixture.GetDefaultTrustedTimestampServiceAsync();
        IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

        // OriginalString passes the URL exactly as the service was configured with it.
        string timestamperUrl = timestampService.Url.OriginalString;
        string arguments = GetDefaultArgs(packageFilePath, storeCertificate) + $" --timestamper {timestamperUrl}";

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        signResult.Success.Should().BeTrue(because: signResult.AllOutput);
        signResult.AllOutput.Should().NotContain(_noTimestamperWarningCode);
    }
}
// Signs with a certificate whose revocation status cannot be determined. The command is
// expected to succeed while still reporting the chain-build-failure code and naming the
// RevocationStatusUnknown chain status in its output.
public async Task DotnetSign_SignPackageWithUnknownRevocationCertChain_SucceedsAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        IX509StoreCertificate storeCertificate = _signFixture.RevocationUnknownCertificate;
        string arguments = GetDefaultArgs(packageFilePath, storeCertificate);

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        string output = signResult.AllOutput;
        string expectedStatus = X509ChainStatusFlags.RevocationStatusUnknown.ToString();

        signResult.Success.Should().BeTrue(because: output);
        output.Should().Contain(_noTimestamperWarningCode);
        output.Should().Contain(_chainBuildFailureErrorCode);
        output.Should().Contain(expectedStatus);
    }
}
// Builds the common `nuget sign` command line: package path plus the certificate's
// fingerprint, store name and store location.
//
// NOTE(review): X509Certificate2.Thumbprint is a SHA-1 digest, whereas the verify tests in
// this file pass SHA-256 fingerprints - confirm the CLI under test is meant to accept SHA-1
// for certificate selection.
// NOTE(review): the path is interpolated unquoted, so this assumes test paths contain no
// whitespace - confirm against SimpleTestPathContext.
private static string GetDefaultArgs(string packageFilePath, IX509StoreCertificate storeCertificate)
{
    var thumbprint = storeCertificate.Certificate.Thumbprint;
    var storeName = storeCertificate.StoreName;
    var storeLocation = storeCertificate.StoreLocation;

    string arguments =
        $"nuget sign {packageFilePath} " +
        $"--certificate-fingerprint {thumbprint} " +
        $"--certificate-store-name {storeName} " +
        $"--certificate-store-location {storeLocation}";

    return arguments;
}
// A repository-signed package must not verify when the signing certificate is listed in
// nuget.config only under an <author> trusted signer. Verification is expected to fail with
// the no-matching-certificate code and the "not by a trusted signer" message.
public async Task Verify_RepositorySignedPackage_WithAuthorItemUntrustedCertificate_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
    IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

    using (var pathContext = new SimpleTestPathContext())
    {
        // Arrange: create the package and repository-sign it with the untrusted certificate.
        var nupkg = new SimpleTestPackageContext("A", "1.0.0");
        string testDirectory = pathContext.WorkingDirectory;
        await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
        string packagePath = Path.Combine(testDirectory, nupkg.PackageName);

        string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
        string repoServiceIndex = "https://serviceindex.test/v3/index.json";
        string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
            storeCertificate.Certificate,
            packagePath,
            pathContext.PackageSource,
            new Uri(repoServiceIndex));

        // Arrange: trust the same certificate, but as an author rather than a repository.
        string trustedSignersSectionContent = $@" <trustedSigners> <author name=""MyCert""> <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> </author> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

        // Optionally pass the real fingerprint plus a second value ("def") that matches nothing.
        string fingerprint;
        if (verifyCertificateFingerprint)
        {
            fingerprint = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def";
        }
        else
        {
            fingerprint = string.Empty;
        }

        // Act
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            testDirectory,
            $"nuget verify {signedPackagePath} {fingerprint}",
            ignoreExitCode: true);

        // Assert
        string output = verifyResult.AllOutput;
        verifyResult.Success.Should().BeFalse(because: output);
        output.Should().Contain(_noTimestamperWarningCode);
        output.Should().Contain(_noMatchingCertErrorCode);
        output.Should().Contain("This package is signed but not by a trusted signer.");

        // The primary-signature-invalid code is expected only when allowUntrustedRoot parses
        // as an explicit "false"; "true" or an unparsable value must not produce it.
        bool allowedOrUnparsable = !bool.TryParse(allowUntrustedRoot, out bool parsed) || parsed;
        if (allowedOrUnparsable)
        {
            output.Should().NotContain(_primarySignatureInvalidErrorCode);
        }
        else
        {
            output.Should().Contain(_primarySignatureInvalidErrorCode);
        }
    }
}
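// A repository-signed package verifies when nuget.config trusts the signing certificate as a
// <repository> signer and at least one configured owner matches a package owner.
// The package owners are "nuget" and "contoso"; the config lists "nuget;Contoso", so the
// match comes from "nuget" (owner comparison is case-sensitive, per the file's own notes).
public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_CorrectOwners_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
    // Arrange
    IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

    using (var pathContext = new SimpleTestPathContext())
    {
        var package = new SimpleTestPackageContext();
        string certFingerprint = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
        var packageOwners = new List<string>() { "nuget", "contoso" };
        string repoServiceIndex = "https://serviceindex.test/v3/index.json";

        string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
            storeCertificate.Certificate,
            package,
            pathContext.PackageSource,
            new Uri(repoServiceIndex),
            timestampService: null,
            packageOwners);

        string testDirectory = pathContext.WorkingDirectory;
        string trustedSignersSectionContent = $@" <trustedSigners> <repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}""> <certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> <owners>nuget;Contoso</owners> </repository> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");

        // Optionally pass the real fingerprint plus a second value ("DEF") that matches nothing.
        string fingerprint = verifyCertificateFingerprint
            ? $"--certificate-fingerprint {certFingerprint} --certificate-fingerprint DEF"
            : string.Empty;

        // Act
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            testDirectory,
            $"nuget verify {signedPackagePath} {fingerprint}",
            ignoreExitCode: true);

        // Assert
        // For a certificate with a trusted root the allowUntrustedRoot value does not matter.
        // The CLI output is attached so a trust-policy regression is diagnosable from the
        // failure message alone.
        verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
        verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}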
// A repository-signed package must not verify when none of the owners configured for the
// trusted repository matches. The package owners are "nuget" and "contoso"; the config
// lists "Nuget;Contoso", which differs only by case and is therefore expected not to match.
public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_WrongOwners_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
    IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

    using (var pathContext = new SimpleTestPathContext())
    {
        // Arrange: create the package and repository-sign it with an owners list.
        var nupkg = new SimpleTestPackageContext("A", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.WorkingDirectory, nupkg);
        string packagePath = Path.Combine(pathContext.WorkingDirectory, nupkg.PackageName);

        var certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
        var packageOwners = new List<string>() { "nuget", "contoso" };
        string repoServiceIndex = "https://serviceindex.test/v3/index.json";
        string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
            storeCertificate.Certificate,
            packagePath,
            pathContext.PackageSource,
            new Uri(repoServiceIndex),
            null,
            packageOwners);

        // Arrange: trust the repository certificate, but only for differently-cased owners.
        string trustedSignersSectionContent = $@" <trustedSigners> <repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}""> <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> <owners>Nuget;Contoso</owners> </repository> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

        // Optionally pass the real fingerprint plus a second value ("DEF") that matches nothing.
        string fingerprint = string.Empty;
        if (verifyCertificateFingerprint)
        {
            fingerprint = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint DEF";
        }

        // Act
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            pathContext.WorkingDirectory,
            $"nuget verify {signedPackagePath} {fingerprint}",
            ignoreExitCode: true);

        // Assert
        // Owners are case-sensitive: the entry would have to read "nuget;contoso" to match.
        string output = verifyResult.AllOutput;
        verifyResult.Success.Should().BeFalse(because: output);
        output.Should().Contain(_noMatchingCertErrorCode);
        output.Should().Contain("This package is signed but not by a trusted signer.");
    }
}
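// Trust configuration must come from the config file actually passed to the command.
// nuget.config gets a trustedSigners entry with allowUntrustedRoot="true", but verification
// is run with --configfile pointing at a copy taken before that entry was added, so the
// untrusted-root package is expected to fail verification.
public async Task VerifyCommand_AuthorSignedPackage_WithUntrustedCertificate_AllowUntrustedRootIsSetTrue_WrongNugetConfig_Fails()
{
    IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

    using (var pathContext = new SimpleTestPathContext())
    {
        // Arrange: author-sign a package with the untrusted self-issued certificate.
        var nupkg = new SimpleTestPackageContext("A", "1.0.0");
        string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(storeCertificate.Certificate, nupkg, pathContext.WorkingDirectory);
        string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);

        // Arrange: snapshot the config first, so nuget2.config never receives trustedSigners.
        string nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, NuGet.Configuration.Settings.DefaultSettingsFileName);
        string nugetConfigPath2 = Path.Combine(pathContext.WorkingDirectory, "nuget2.config");
        File.Copy(nugetConfigPath, nugetConfigPath2);

        string trustedSignersSectionContent = $@" <trustedSigners> <author name=""MyCert""> <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""true"" /> </author> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

        // Act: verify against nuget2.config, which has no trustedSigners section.
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            pathContext.WorkingDirectory,
            $"nuget verify {signedPackagePath} --all --certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def --configfile {nugetConfigPath2}",
            ignoreExitCode: true);

        // Assert
        // allowUntrustedRoot is set only in nuget.config, not in nuget2.config, so verify fails.
        // The CLI output is attached so an unexpected pass shows which config was honored.
        verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
        verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
        verifyResult.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
    }
}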
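// A timestamp service that signs its responses with SHA-1 must be rejected. The command is
// expected to fail with the unsupported-digest-algorithm code, and the failed attempt must
// leave the package file byte-for-byte unchanged.
public async Task DotnetSign_SignPackageWithUnsuportedTimestampHashAlgorithm_FailsAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        await SimpleTestPackageUtility.CreatePackagesAsync(
            pathContext.PackageSource,
            new SimpleTestPackageContext("PackageA", "1.0.0"));

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");

        // Snapshot of the unsigned package, compared against the file after the failed sign.
        byte[] originalFile = File.ReadAllBytes(packageFilePath);

        ISigningTestServer testServer = await _signFixture.GetSigningTestServerAsync();
        CertificateAuthority certificateAuthority = await _signFixture.GetDefaultTrustedCertificateAuthorityAsync();

        // Configure the test timestamp service to use SHA-1 for its signature.
        var options = new TimestampServiceOptions() { SignatureHashAlgorithm = new Oid(Oids.Sha1) };
        TimestampService timestampService = TimestampService.Create(certificateAuthority, options);
        IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

        using (testServer.RegisterResponder(timestampService))
        {
            // Act
            CommandRunnerResult result = _msbuildFixture.RunDotnet(
                pathContext.PackageSource,
                $"nuget sign {packageFilePath} " +
                $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint} " +
                $"--timestamper {timestampService.Url}",
                ignoreExitCode: true);

            // Assert
            result.Success.Should().BeFalse(because: result.AllOutput);
            result.AllOutput.Should().Contain(_timestampUnsupportedDigestAlgorithmCode);
            Assert.Contains("The timestamp signature has an unsupported digest algorithm (SHA1). The following algorithms are supported: SHA256, SHA384, SHA512.", result.AllOutput);

            // xUnit's Assert.Equal takes (expected, actual); the pre-sign snapshot is the
            // expected value, so a mismatch is reported the right way round.
            byte[] resultingFile = File.ReadAllBytes(packageFilePath);
            Assert.Equal(originalFile, resultingFile);
        }
    }
}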
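// A package repository-signed with an untrusted self-issued certificate verifies when
// nuget.config trusts that certificate as a <repository> signer with allowUntrustedRoot set.
// NOTE(review): allowUntrustedRoot is a test parameter whose supplied values are not visible
// here; the assertion presumably holds only for values that enable the override - confirm.
public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
    IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

    using (var pathContext = new SimpleTestPathContext())
    {
        // Arrange: create the package and repository-sign it with the untrusted certificate.
        var nupkg = new SimpleTestPackageContext("A", "1.0.0");
        string testDirectory = pathContext.WorkingDirectory;
        await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);
        string packagePath = Path.Combine(testDirectory, nupkg.PackageName);

        string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
        string repoServiceIndex = "https://serviceindex.test/v3/index.json";
        string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
            storeCertificate.Certificate,
            packagePath,
            pathContext.PackageSource,
            new Uri(repoServiceIndex));

        // Arrange: trust the certificate for the same repository service index.
        string trustedSignersSectionContent = $@" <trustedSigners> <repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}""> <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> </repository> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

        // Optionally pass the real fingerprint plus a second value ("def") that matches nothing.
        string fingerprint = verifyCertificateFingerprint
            ? $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def"
            : string.Empty;

        // Act
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            testDirectory,
            $"nuget verify {signedPackagePath} {fingerprint}",
            ignoreExitCode: true);

        // Assert
        // If allowUntrustedRoot is set true in nuget.config, verify succeeds for a certificate
        // with an untrusted root. The CLI output is attached to make a failure diagnosable.
        verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
        verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}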
// An author-signed package must not verify when the signing certificate is listed in
// nuget.config only under a <repository> trusted signer: the signer type does not match,
// so the no-matching-certificate code and "not by a trusted signer" message are expected.
public async Task Verify_AuthorSignedPackage_WithRepositoryItemTrustedCertificate_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
    IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

    using (var pathContext = new SimpleTestPathContext())
    {
        // Arrange: create and author-sign the package.
        var nupkg = new SimpleTestPackageContext("A", "1.0.0");
        string testDirectory = pathContext.WorkingDirectory;
        await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);

        string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
        string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(storeCertificate.Certificate, nupkg, testDirectory);

        // Arrange: trust the same certificate, but as a repository rather than an author.
        string trustedSignersSectionContent = $@" <trustedSigners> <repository name=""MyCert"" serviceIndex=""{pathContext.PackageSource}""> <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> </repository> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

        // Optionally pass the real fingerprint plus a second value ("def") that matches nothing.
        string fingerprint = string.Empty;
        if (verifyCertificateFingerprint)
        {
            fingerprint = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def";
        }

        // Act
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            testDirectory,
            $"nuget verify {signedPackagePath} {fingerprint}",
            ignoreExitCode: true);

        // Assert
        string output = verifyResult.AllOutput;
        verifyResult.Success.Should().BeFalse(because: output);
        output.Should().Contain(_noMatchingCertErrorCode);
        output.Should().Contain(_noTimestamperWarningCode);
        output.Should().Contain("This package is signed but not by a trusted signer.");
    }
}
// An author-signed package verifies when nuget.config trusts the signing certificate as an
// <author> signer. The certificate chains to a trusted root, so the allowUntrustedRoot value
// is expected to make no difference.
public async Task Verify_AuthorSignedPackage_WithAuthorItemTrustedCertificate_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
{
    IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

    using (var pathContext = new SimpleTestPathContext())
    {
        // Arrange: create and author-sign the package.
        var nupkg = new SimpleTestPackageContext("A", "1.0.0");
        string testDirectory = pathContext.WorkingDirectory;
        await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);

        string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
        string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(storeCertificate.Certificate, nupkg, testDirectory);

        // Arrange: trust the certificate as an author signer.
        string trustedSignersSectionContent = $@" <trustedSigners> <author name=""signed""> <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" /> </author> </trustedSigners> ";
        SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");

        // Optionally pass the real fingerprint plus a second value ("def") that matches nothing.
        string fingerprint;
        if (verifyCertificateFingerprint)
        {
            fingerprint = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def";
        }
        else
        {
            fingerprint = string.Empty;
        }

        // Act
        CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
            pathContext.WorkingDirectory,
            $"nuget verify {signedPackagePath} {fingerprint}",
            ignoreExitCode: true);

        // Assert
        verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
        verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
    }
}
// A certificate whose extended key usage is invalid for signing must not be usable:
// the command is expected to fail and report the no-certificate-found error.
public async Task DotnetSign_SignPackageWithInvalidEku_FailsAsync()
{
    using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
    {
        // Arrange
        var package = new SimpleTestPackageContext("PackageA", "1.0.0");
        await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, package);

        string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
        IX509StoreCertificate storeCertificate = _signFixture.CertificateWithInvalidEku;
        string arguments = GetDefaultArgs(packageFilePath, storeCertificate);

        // Act
        CommandRunnerResult signResult = _msbuildFixture.RunDotnet(
            pathContext.PackageSource,
            arguments,
            ignoreExitCode: true);

        // Assert
        string output = signResult.AllOutput;
        signResult.Success.Should().BeFalse(because: output);
        output.Should().Contain(_noTimestamperWarningCode);
        output.Should().Contain(_noCertFoundError);
    }
}