Пример #1
        // Signs with a password-protected PFX but never supplies the password, and expects the
        // command to fail with the invalid-password error for that PFX path.
        // NOTE(review): the test name mentions non-interactive mode, yet no such switch appears in the
        // command below - presumably the harness runs without a console; confirm.
        public async Task DotnetSign_SignPackageWithPfxFileWithoutPasswordAndWithNonInteractive_FailsAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange: one unsigned package in the test package source.
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

                // Export the fixture certificate as a PFX protected by a random throwaway password.
                // The password is deliberately not passed to the CLI below.
                string pfxPath = Path.Combine(pathContext.WorkingDirectory, Guid.NewGuid().ToString());
                string pfxPassword = Guid.NewGuid().ToString();
                File.WriteAllBytes(pfxPath, storeCertificate.Certificate.Export(X509ContentType.Pfx, pfxPassword));

                string signCommand = $"nuget sign {packageFilePath} --certificate-path {pfxPath}";

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert: the command fails and names the PFX whose password was missing or wrong.
                result.Success.Should().BeFalse(because: result.AllOutput);
                result.AllOutput.Should().Contain(string.Format(_invalidPasswordError, pfxPath));
            }
        }
Пример #2
        // Signs with a PFX referenced through a relative path ("." + directory separator + file name)
        // and expects success plus the no-timestamper warning code in the output.
        public async Task DotnetSign_SignPackageWithPfxFileOfRelativePath_SuccessAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

                // The PFX is written into the package source so it can be addressed relative to the
                // directory passed as RunDotnet's first argument (presumably the working directory).
                string pfxName = Guid.NewGuid().ToString() + ".pfx";
                string pfxPath = Path.Combine(pathContext.PackageSource, pfxName);
                string password = Guid.NewGuid().ToString();
                File.WriteAllBytes(pfxPath, storeCertificate.Certificate.Export(X509ContentType.Pfx, password));

                string relativePfxPath = $".{Path.DirectorySeparatorChar}{pfxName}";

                // NOTE(review): the PFX password travels as a command-line argument, where it can show
                // up in process listings and captured command output. Here it is a random throwaway
                // GUID that protects only this test's PFX export.
                string signCommand =
                    $"nuget sign {packageFilePath} " +
                    $"--certificate-path {relativePfxPath} " +
                    $"--certificate-password {password}";

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert
                result.Success.Should().BeTrue(because: result.AllOutput);
                result.AllOutput.Should().Contain(_noTimestamperWarningCode);
            }
        }
Пример #3
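        // Signs the same package twice with the same certificate arguments; the second run adds
        // --overwrite. Both runs are expected to succeed and to emit the no-timestamper warning code.
        public async Task DotnetSign_ResignPackageWithOverwrite_SuccessAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                await SimpleTestPackageUtility.CreatePackagesAsync(
                    pathContext.PackageSource,
                    new SimpleTestPackageContext("PackageA", "1.0.0"));

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;
                string args = GetDefaultArgs(packageFilePath, storeCertificate);

                // Act: the first run signs the package, the second re-signs the already signed file.
                CommandRunnerResult firstResult = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    args,
                    ignoreExitCode: true);

                CommandRunnerResult secondResult = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    args + " --overwrite",
                    ignoreExitCode: true);

                // Assert
                firstResult.Success.Should().BeTrue(because: firstResult.AllOutput);
                firstResult.AllOutput.Should().Contain(_noTimestamperWarningCode);

                // Attach the CLI output here as well, so a failed re-sign can be diagnosed from the
                // assertion message alone.
                secondResult.Success.Should().BeTrue(because: secondResult.AllOutput);
                secondResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
            }
        }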
Пример #4
        // Signs a package with --output pointing at a separate directory and expects a file with the
        // package's name to appear there.
        // NOTE(review): only the existence of the output file is asserted; the test does not check
        // that this file carries a signature or that the source package was left untouched.
        public async Task DotnetSign_SignPackageWithOutputDirectory_SucceedsAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                string outputDir = Path.Combine(pathContext.WorkingDirectory, "Output");
                IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

                // The output directory is created up front, before the CLI runs.
                Directory.CreateDirectory(outputDir);

                string signCommand = GetDefaultArgs(packageFilePath, storeCertificate) + $" --output {outputDir}";

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert
                string signedPackagePath = Path.Combine(outputDir, "PackageA.1.0.0.nupkg");
                result.Success.Should().BeTrue(because: result.AllOutput);
                result.AllOutput.Should().Contain(_noTimestamperWarningCode);
                File.Exists(signedPackagePath).Should().BeTrue();
            }
        }
Пример #5
        // Signs with the fixture's untrusted self-issued certificate, selected by fingerprint only (no
        // store name or location options). Signing is expected to succeed while the output still
        // reports the chain-build-failure code next to the no-timestamper warning code.
        public async Task DotnetSign_SignPackageWithUntrustedSelfIssuedCertificateInCertificateStore_SuccessAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

                string signCommand =
                    $"nuget sign {packageFilePath} " +
                    $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint}";

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert: the chain problem is reported in the output but does not fail the command.
                result.Success.Should().BeTrue(because: result.AllOutput);
                result.AllOutput.Should().Contain(_noTimestamperWarningCode);
                result.AllOutput.Should().Contain(_chainBuildFailureErrorCode);
            }
        }
Пример #6
        // Signs a package that is addressed by a relative path ("." + directory separator + file name)
        // with the default fixture certificate, selected by fingerprint, store name and store location.
        public async Task DotnetSign_SignPackageWithTrustedCertificateWithRelativePath_SucceedsAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                var packageFileName = "PackageA.1.0.0.nupkg";
                IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

                // The relative path is resolved against the directory passed as RunDotnet's first
                // argument (presumably the working directory), which is the package source.
                string signCommand =
                    $"nuget sign .{Path.DirectorySeparatorChar}{packageFileName} " +
                    $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint} " +
                    $"--certificate-store-name {storeCertificate.StoreName} " +
                    $"--certificate-store-location {storeCertificate.StoreLocation}";

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert
                result.Success.Should().BeTrue(because: result.AllOutput);
                result.AllOutput.Should().Contain(_noTimestamperWarningCode);
            }
        }
Пример #7
        // Signs with --timestamper pointing at the fixture's default trusted timestamp service and
        // expects success without the no-timestamper warning code.
        public async Task DotnetSign_SignPackageWithTimestamping_SucceedsAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                TimestampService timestampService = await _signFixture.GetDefaultTrustedTimestampServiceAsync();
                IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

                string signCommand =
                    GetDefaultArgs(packageFilePath, storeCertificate) +
                    $" --timestamper {timestampService.Url.OriginalString}";

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert: with a timestamper supplied, the missing-timestamper warning must be absent.
                result.Success.Should().BeTrue(because: result.AllOutput);
                result.AllOutput.Should().NotContain(_noTimestamperWarningCode);
            }
        }
Пример #8
        // Signs with the fixture's revocation-unknown certificate. Signing is expected to succeed, with
        // the output reporting the chain-build-failure code and naming the RevocationStatusUnknown
        // chain status.
        public async Task DotnetSign_SignPackageWithUnknownRevocationCertChain_SucceedsAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                IX509StoreCertificate storeCertificate = _signFixture.RevocationUnknownCertificate;
                string signCommand = GetDefaultArgs(packageFilePath, storeCertificate);

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert: an undetermined revocation status is surfaced in the output but is not
                // treated as a signing failure.
                string expectedChainStatus = X509ChainStatusFlags.RevocationStatusUnknown.ToString();
                result.Success.Should().BeTrue(because: result.AllOutput);
                result.AllOutput.Should().Contain(_noTimestamperWarningCode);
                result.AllOutput.Should().Contain(_chainBuildFailureErrorCode);
                result.AllOutput.Should().Contain(expectedChainStatus);
            }
        }
Пример #9
 // Builds the "nuget sign" argument string that selects the signing certificate from a certificate
 // store by fingerprint, store name and store location.
 // NOTE(review): packageFilePath is interpolated without quoting, so a path containing spaces
 // would be split into several arguments - presumably the test paths never contain any; confirm.
 // NOTE(review): if Certificate is an X509Certificate2, Thumbprint is the SHA-1 hash of the
 // certificate - confirm that is the fingerprint form the sign command should be given.
 private static string GetDefaultArgs(string packageFilePath, IX509StoreCertificate storeCertificate)
 {
     string signTarget = $"nuget sign {packageFilePath} ";
     string certificateSelector = $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint} ";
     string storeSelector =
         $"--certificate-store-name {storeCertificate.StoreName} " +
         $"--certificate-store-location {storeCertificate.StoreLocation}";

     return signTarget + certificateSelector + storeSelector;
 }
Пример #10
        // A repository-signed package must not verify when its signing certificate is listed only
        // under an <author> entry of trustedSigners. The expected result is a failure with the
        // no-matching-certificate code and the "not by a trusted signer" message.
        public async Task Verify_RepositorySignedPackage_WithAuthorItemUntrustedCertificate_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
        {
            IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

            using (var pathContext = new SimpleTestPathContext())
            {
                // Arrange: create the package and repository-sign it with the untrusted certificate.
                var packageContext = new SimpleTestPackageContext("A", "1.0.0");
                string testDirectory = pathContext.WorkingDirectory;
                await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, packageContext);

                string unsignedPackagePath = Path.Combine(testDirectory, packageContext.PackageName);
                string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
                string repoServiceIndex = "https://serviceindex.test/v3/index.json";
                string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
                    storeCertificate.Certificate,
                    unsignedPackagePath,
                    pathContext.PackageSource,
                    new Uri(repoServiceIndex));

                // Arrange: trust the same certificate, but as an author rather than as a repository.
                string trustedSignersSectionContent = $@"
    <trustedSigners>
        <author name=""MyCert"">
            <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
        </author>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

                // Optionally pass the real fingerprint plus a second placeholder value ("def").
                string fingerprintOptions = string.Empty;
                if (verifyCertificateFingerprint)
                {
                    fingerprintOptions = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def";
                }

                // Act
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    testDirectory,
                    $"nuget verify {signedPackagePath} {fingerprintOptions}",
                    ignoreExitCode: true);

                // Assert
                verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
                verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
                verifyResult.AllOutput.Should().Contain("This package is signed but not by a trusted signer.");

                // The primary-signature-invalid code is expected only when allowUntrustedRoot parses
                // to false; for "true" or an unparsable value it must be absent.
                bool untrustedRootDisallowed = bool.TryParse(allowUntrustedRoot, out bool parsed) && !parsed;
                if (untrustedRootDisallowed)
                {
                    verifyResult.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
                }
                else
                {
                    verifyResult.AllOutput.Should().NotContain(_primarySignatureInvalidErrorCode);
                }
            }
        }
Пример #11
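        // A repository-signed package verifies when trustedSigners holds a <repository> entry with the
        // signing certificate's SHA-256 fingerprint and an owners list that shares an owner with the
        // package's own owners.
        public async Task Verify_RepositorySignedPackage_WithRepositoryItemTrustedCertificate_AllowUntrustedRootSet_CorrectOwners_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
        {
            // Arrange
            IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

            using (var pathContext = new SimpleTestPathContext())
            {
                var    package         = new SimpleTestPackageContext();
                string certFingerprint = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);

                // Owners recorded in the repository signature.
                var    packageOwners   = new List<string>()
                {
                    "nuget",
                    "contoso"
                };
                string repoServiceIndex  = "https://serviceindex.test/v3/index.json";
                string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
                    storeCertificate.Certificate,
                    package,
                    pathContext.PackageSource,
                    new Uri(repoServiceIndex),
                    timestampService : null,
                    packageOwners);

                string testDirectory = pathContext.WorkingDirectory;

                // The configured owners are "nuget;Contoso": only "nuget" equals a package owner
                // exactly, "Contoso" differs from "contoso" in case.
                string trustedSignersSectionContent = $@"
    <trustedSigners>
    <repository name=""NuGetTrust"" serviceIndex=""{repoServiceIndex}"">
      <certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
      <owners>nuget;Contoso</owners>
    </repository>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");

                // Optionally pass the real fingerprint plus a second placeholder value ("DEF").
                string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certFingerprint} --certificate-fingerprint DEF" : string.Empty;

                // Act
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    testDirectory,
                    $"nuget verify {signedPackagePath} {fingerprint}",
                    ignoreExitCode: true);

                // Assert
                // For a certificate with a trusted root, the allowUntrustedRoot value (true/false) does not matter.
                // Owners are case-sensitive; here the owner "nuget" matches.
                // The CLI output is attached so that a failure can be diagnosed from the assertion message.
                verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
            }
        }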
Пример #12
        // A repository-signed package must not verify when the <repository> trust entry lists owners
        // that differ from the package's owners only by letter case. The expected result is a failure
        // with the no-matching-certificate code and the "not by a trusted signer" message.
        public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_WrongOwners_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
        {
            IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

            using (var pathContext = new SimpleTestPathContext())
            {
                // Arrange: create the package and repository-sign it with owners "nuget" and "contoso".
                var packageContext = new SimpleTestPackageContext("A", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.WorkingDirectory, packageContext);

                string unsignedPackagePath = Path.Combine(pathContext.WorkingDirectory, packageContext.PackageName);
                var certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
                var packageOwners = new List<string>() { "nuget", "contoso" };
                string repoServiceIndex = "https://serviceindex.test/v3/index.json";
                string signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(
                    storeCertificate.Certificate,
                    unsignedPackagePath,
                    pathContext.PackageSource,
                    new Uri(repoServiceIndex),
                    null,
                    packageOwners);

                // Arrange: the trust entry names the owners with different casing ("Nuget;Contoso").
                string trustedSignersSectionContent = $@"
    <trustedSigners>
        <repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}"">
            <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
            <owners>Nuget;Contoso</owners>
        </repository>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

                // Optionally pass the real fingerprint plus a second placeholder value ("DEF").
                string fingerprintOptions = string.Empty;
                if (verifyCertificateFingerprint)
                {
                    fingerprintOptions = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint DEF";
                }

                // Act
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    pathContext.WorkingDirectory,
                    $"nuget verify {signedPackagePath} {fingerprintOptions}",
                    ignoreExitCode: true);

                // Assert
                // Owners are case-sensitive: the entry would have to read "nuget;contoso", not "Nuget;Contoso".
                verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
                verifyResult.AllOutput.Should().Contain("This package is signed but not by a trusted signer.");
            }
        }
Пример #13
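        // The trust entry with allowUntrustedRoot="true" is added to the default settings file only,
        // while verification is run with --configfile pointing at a copy taken before that change.
        // Verification of the package signed with an untrusted certificate is therefore expected to
        // fail with the primary-signature-invalid code.
        public async Task VerifyCommand_AuthorSignedPackage_WithUntrustedCertificate_AllowUntrustedRootIsSetTrue_WrongNugetConfig_Fails()
        {
            IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

            using (var pathContext = new SimpleTestPathContext())
            {
                // Arrange: author-sign the package with the untrusted self-issued certificate.
                var nupkg = new SimpleTestPackageContext("A", "1.0.0");
                string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(storeCertificate.Certificate, nupkg, pathContext.WorkingDirectory);

                string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);

                // Arrange: copy the settings file first, so nuget2.config never receives the
                // trustedSigners section that is added to the default file below.
                string nugetConfigPath  = Path.Combine(pathContext.WorkingDirectory, NuGet.Configuration.Settings.DefaultSettingsFileName);
                string nugetConfigPath2 = Path.Combine(pathContext.WorkingDirectory, "nuget2.config");
                File.Copy(nugetConfigPath, nugetConfigPath2);

                string trustedSignersSectionContent = $@"
    <trustedSigners>
        <author name=""MyCert"">
            <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""true"" />
        </author>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

                // Act: pass the custom nuget2.config, which has no trustedSigners section.
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    pathContext.WorkingDirectory,
                    $"nuget verify {signedPackagePath} --all --certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def --configfile {nugetConfigPath2}",
                    ignoreExitCode: true);

                // Assert
                // allowUntrustedRoot is set to true in nuget.config but not in nuget2.config, so verification fails.
                // The CLI output is attached so that an unexpected success can be diagnosed from the assertion message.
                verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
                verifyResult.AllOutput.Should().Contain(_primarySignatureInvalidErrorCode);
            }
        }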
Пример #14
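        // Requests a timestamp from a test timestamp service configured with a SHA-1 signature hash
        // algorithm. Signing is expected to fail with the unsupported-digest-algorithm error and to
        // leave the package file byte-for-byte unchanged.
        public async Task DotnetSign_SignPackageWithUnsuportedTimestampHashAlgorithm_FailsAsync()
        {
            // Arrange
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                await SimpleTestPackageUtility.CreatePackagesAsync(
                    pathContext.PackageSource,
                    new SimpleTestPackageContext("PackageA", "1.0.0"));

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");

                // Snapshot of the unsigned package, compared against the file after the failed attempt.
                byte[] originalFile    = File.ReadAllBytes(packageFilePath);

                ISigningTestServer testServer = await _signFixture.GetSigningTestServerAsync();

                CertificateAuthority certificateAuthority = await _signFixture.GetDefaultTrustedCertificateAuthorityAsync();

                // The timestamp service is set up to sign its responses with SHA-1.
                var options = new TimestampServiceOptions()
                {
                    SignatureHashAlgorithm = new Oid(Oids.Sha1)
                };
                TimestampService      timestampService = TimestampService.Create(certificateAuthority, options);
                IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

                // The responder stays registered only for the duration of this using block.
                using (testServer.RegisterResponder(timestampService))
                {
                    // Act
                    CommandRunnerResult result = _msbuildFixture.RunDotnet(
                        pathContext.PackageSource,
                        $"nuget sign {packageFilePath} " +
                        $"--certificate-fingerprint {storeCertificate.Certificate.Thumbprint} " +
                        $"--timestamper {timestampService.Url}",
                        ignoreExitCode: true);

                    // Assert
                    result.Success.Should().BeFalse(because: result.AllOutput);
                    result.AllOutput.Should().Contain(_timestampUnsupportedDigestAlgorithmCode);
                    Assert.Contains("The timestamp signature has an unsupported digest algorithm (SHA1). The following algorithms are supported: SHA256, SHA384, SHA512.", result.AllOutput);

                    // A rejected timestamp must not leave a modified package behind. The expected
                    // value comes first, as Assert.Equal(expected, actual) requires, so that a failure
                    // message labels the two byte arrays correctly.
                    byte[] resultingFile = File.ReadAllBytes(packageFilePath);
                    Assert.Equal(originalFile, resultingFile);
                }
            }
        }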
Пример #15
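        // A package repository-signed with an untrusted self-issued certificate is expected to verify
        // when trustedSigners holds a <repository> entry for that certificate's SHA-256 fingerprint
        // and allowUntrustedRoot carries the value supplied by the test data.
        public async Task Verify_RepositorySignedPackage_WithRepositoryItemUntrustedCertificate_AllowUntrustedRootSetTrue_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
        {
            IX509StoreCertificate storeCertificate = _signFixture.UntrustedSelfIssuedCertificateInCertificateStore;

            using (var pathContext = new SimpleTestPathContext())
            {
                // Arrange: create the package and repository-sign it.
                var    nupkg         = new SimpleTestPackageContext("A", "1.0.0");
                string testDirectory = pathContext.WorkingDirectory;
                await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, nupkg);

                string packagePath = Path.Combine(testDirectory, nupkg.PackageName);

                string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
                string repoServiceIndex             = "https://serviceindex.test/v3/index.json";
                string signedPackagePath            = await SignedArchiveTestUtility.RepositorySignPackageAsync(storeCertificate.Certificate, packagePath, pathContext.PackageSource, new Uri(repoServiceIndex));

                // Arrange: trust the certificate as a repository signer for the same service index.
                string trustedSignersSectionContent = $@"
    <trustedSigners>
        <repository name=""MyCert"" serviceIndex = ""{repoServiceIndex}"">
            <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
        </repository>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

                // Optionally pass the real fingerprint plus a second placeholder value ("def").
                string fingerprint = verifyCertificateFingerprint ? $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def" : string.Empty;

                // Act
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    testDirectory,
                    $"nuget verify {signedPackagePath} {fingerprint}",
                    ignoreExitCode: true);

                // Assert
                // If allowUntrustedRoot is set to true in nuget.config, verification succeeds for a certificate with an untrusted root.
                // The CLI output is attached so that a failure can be diagnosed from the assertion message.
                verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
            }
        }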
Пример #16
        // An author-signed package must not verify when its signing certificate is listed only under
        // a <repository> entry of trustedSigners. The expected result is a failure with the
        // no-matching-certificate code and the "not by a trusted signer" message.
        public async Task Verify_AuthorSignedPackage_WithRepositoryItemTrustedCertificate_Fails(string allowUntrustedRoot, bool verifyCertificateFingerprint)
        {
            IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

            using (var pathContext = new SimpleTestPathContext())
            {
                // Arrange: create the package and author-sign it with the default certificate.
                var packageContext = new SimpleTestPackageContext("A", "1.0.0");
                string testDirectory = pathContext.WorkingDirectory;
                await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, packageContext);

                string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
                string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                    storeCertificate.Certificate,
                    packageContext,
                    testDirectory);

                // Arrange: trust the same certificate, but as a repository rather than as an author.
                // The package source path is used as the entry's service index value.
                string trustedSignersSectionContent = $@"
    <trustedSigners>
        <repository name=""MyCert"" serviceIndex=""{pathContext.PackageSource}"">
            <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
        </repository>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(pathContext.WorkingDirectory, trustedSignersSectionContent, "configuration");

                // Optionally pass the real fingerprint plus a second placeholder value ("def").
                string fingerprintOptions = string.Empty;
                if (verifyCertificateFingerprint)
                {
                    fingerprintOptions = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def";
                }

                // Act
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    testDirectory,
                    $"nuget verify {signedPackagePath} {fingerprintOptions}",
                    ignoreExitCode: true);

                // Assert
                verifyResult.Success.Should().BeFalse(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noMatchingCertErrorCode);
                verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
                verifyResult.AllOutput.Should().Contain("This package is signed but not by a trusted signer.");
            }
        }
Пример #17
        // An author-signed package verifies when trustedSigners holds an <author> entry with the
        // signing certificate's SHA-256 fingerprint.
        public async Task Verify_AuthorSignedPackage_WithAuthorItemTrustedCertificate_Succeeds(string allowUntrustedRoot, bool verifyCertificateFingerprint)
        {
            IX509StoreCertificate storeCertificate = _signFixture.DefaultCertificate;

            using (var pathContext = new SimpleTestPathContext())
            {
                // Arrange: create the package and author-sign it with the default certificate.
                var packageContext = new SimpleTestPackageContext("A", "1.0.0");
                string testDirectory = pathContext.WorkingDirectory;
                await SimpleTestPackageUtility.CreatePackagesAsync(testDirectory, packageContext);

                string certificateFingerprintString = SignatureTestUtility.GetFingerprint(storeCertificate.Certificate, HashAlgorithmName.SHA256);
                string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
                    storeCertificate.Certificate,
                    packageContext,
                    testDirectory);

                // Arrange: trust that certificate as an author.
                string trustedSignersSectionContent = $@"
    <trustedSigners>
        <author name=""signed"">
            <certificate fingerprint=""{certificateFingerprintString}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot}"" />
        </author>
    </trustedSigners>
";
                SimpleTestSettingsContext.AddSectionIntoNuGetConfig(testDirectory, trustedSignersSectionContent, "configuration");

                // Optionally pass the real fingerprint plus a second placeholder value ("def").
                string fingerprintOptions = string.Empty;
                if (verifyCertificateFingerprint)
                {
                    fingerprintOptions = $"--certificate-fingerprint {certificateFingerprintString} --certificate-fingerprint def";
                }

                // Act
                CommandRunnerResult verifyResult = _msbuildFixture.RunDotnet(
                    pathContext.WorkingDirectory,
                    $"nuget verify {signedPackagePath} {fingerprintOptions}",
                    ignoreExitCode: true);

                // Assert
                // For a certificate with a trusted root, the allowUntrustedRoot value (true/false) does not matter.
                verifyResult.Success.Should().BeTrue(because: verifyResult.AllOutput);
                verifyResult.AllOutput.Should().Contain(_noTimestamperWarningCode);
            }
        }
Пример #18
        // Signing with the fixture's invalid-EKU certificate is expected to fail.
        // NOTE(review): the asserted error is the no-certificate-found message, which suggests that the
        // certificate is rejected while it is looked up in the store, before any signing - confirm.
        public async Task DotnetSign_SignPackageWithInvalidEku_FailsAsync()
        {
            using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
            {
                // Arrange
                var packageContext = new SimpleTestPackageContext("PackageA", "1.0.0");
                await SimpleTestPackageUtility.CreatePackagesAsync(pathContext.PackageSource, packageContext);

                string packageFilePath = Path.Combine(pathContext.PackageSource, "PackageA.1.0.0.nupkg");
                IX509StoreCertificate storeCertificate = _signFixture.CertificateWithInvalidEku;
                string signCommand = GetDefaultArgs(packageFilePath, storeCertificate);

                // Act
                CommandRunnerResult result = _msbuildFixture.RunDotnet(
                    pathContext.PackageSource,
                    signCommand,
                    ignoreExitCode: true);

                // Assert
                result.Success.Should().BeFalse(because: result.AllOutput);
                result.AllOutput.Should().Contain(_noTimestamperWarningCode);
                result.AllOutput.Should().Contain(_noCertFoundError);
            }
        }