Add Author Signature verification for all packages #1882

Open
andrei-epure-sonarsource opened this issue Feb 16, 2024 · 0 comments

Inside NuGet config we only verify the signature for Newtonsoft.JSON.

We should verify the signature also for:

  • Microsoft.Build 15.9.20 - has signature
  • Microsoft.Build.Utilities.Core 15.9.20 - has signature
  • System.Text.Json 6.0.6 - has signature
  • System.Net.Http 4.3.4 - has signature
  • System.ValueTuple 4.5.0 - has signature
  • Google.Protobuf 3.25.0 - has signature
  • Grpc.Tools 2.59.0 - has signature

because these packages are signed.

How to extract the author signature:

NuGet.exe verify -signatures microsoft.codeanalysis.csharp.workspaces.4.8.0.nupkg

The author signature is the SHA256 hash:

Signature type: Author
Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353

Do the same for each of the packages and add an entry, moving the author name from the "repository" section to the "author" section.
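As an added example (not part of this issue or of the SonarScanner repository), a small Python script that automates the procedure above: it parses the block format that `NuGet.exe verify -signatures` prints (Signature type / Subject Name / SHA256 hash), keeps only the Author signatures, and merges them into the `<trustedSigners>` section of a NuGet.config as `<author>` entries, using the real NuGet schema (`<certificate fingerprint="..." hashAlgorithm="SHA256" allowUntrustedRoot="false" />`). It also sets `signatureValidationMode` to `require` in the `<config>` section so that every package must carry a signature from a listed trusted signer. The sample verify output and the starting NuGet.config are constructed: the Microsoft fingerprint is the one quoted in the issue, the Repository block and the Newtonsoft fingerprint are placeholders.

```python
"""Turn `nuget verify -signatures` output into NuGet.config trusted-signer entries.

Added example; not code from the SonarScanner project. The NuGet.config
element and attribute names (trustedSigners, author, certificate,
fingerprint, hashAlgorithm, allowUntrustedRoot, signatureValidationMode)
are the real NuGet schema; the sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nuget verify -signatures <pkg>` output. The Author
# block reproduces the values quoted in the issue; the Repository block is a
# placeholder that only shows non-author signatures being skipped.
SAMPLE_VERIFY_OUTPUT = """\
Verifying microsoft.codeanalysis.csharp.workspaces.4.8.0.nupkg
Signature type: Author
Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353

Signature type: Repository
Subject Name: CN=PLACEHOLDER REPOSITORY SIGNER, O=Placeholder, C=US
SHA256 hash: 0000000000000000000000000000000000000000000000000000000000000000
Successfully verified package 'microsoft.codeanalysis.csharp.workspaces.4.8.0'.
"""

# Constructed starting config: one author already trusted (placeholder fingerprint).
EXISTING_CONFIG = """<configuration>
  <trustedSigners>
    <author name="Newtonsoft">
      <certificate fingerprint="PLACEHOLDER_NEWTONSOFT_FINGERPRINT" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>"""

FINGERPRINT_RE = re.compile(r"^[0-9A-F]{64}$")  # SHA256 as 64 upper-case hex digits


def parse_signatures(text):
    """Return one {'type', 'subject', 'fingerprint'} dict per signature block."""
    sigs, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # progress lines without a "key: value" shape
        key, value = key.strip(), value.strip()
        if key == "Signature type":
            current = {"type": value}
            sigs.append(current)
        elif current is not None and key == "Subject Name":
            current["subject"] = value
        elif current is not None and key == "SHA256 hash":
            fp = value.upper()
            if not FINGERPRINT_RE.match(fp):  # refuse truncated or non-hex values
                raise ValueError(f"malformed SHA256 fingerprint: {value!r}")
            current["fingerprint"] = fp
    return sigs


def author_signatures(text):
    """Only Author signatures are pinned; repository signatures are handled separately."""
    return [s for s in parse_signatures(text)
            if s["type"] == "Author" and "fingerprint" in s]


def common_name(subject):
    """Use the CN= part of the X.500 subject as the trusted signer name."""
    for part in subject.split(","):
        part = part.strip()
        if part.startswith("CN="):
            return part[3:]
    return subject


def add_trusted_authors(config_xml, signatures, require_signatures=True):
    """Merge author certificates into <trustedSigners>, de-duplicating by fingerprint."""
    root = ET.fromstring(config_xml)
    trusted = root.find("trustedSigners")
    if trusted is None:
        trusted = ET.SubElement(root, "trustedSigners")
    known = {c.get("fingerprint", "").upper() for c in trusted.iter("certificate")}
    for sig in signatures:
        if sig["fingerprint"] in known:
            continue  # already pinned; re-running the script is idempotent
        name = common_name(sig["subject"])
        author = next((a for a in trusted.findall("author") if a.get("name") == name), None)
        if author is None:
            author = ET.SubElement(trusted, "author", name=name)
        ET.SubElement(author, "certificate", fingerprint=sig["fingerprint"],
                      hashAlgorithm="SHA256", allowUntrustedRoot="false")
        known.add(sig["fingerprint"])
    if require_signatures:
        # "require" makes NuGet reject packages not signed by a trusted signer.
        config = root.find("config")
        if config is None:
            config = ET.SubElement(root, "config")
        mode = next((a for a in config.findall("add")
                     if a.get("key") == "signatureValidationMode"), None)
        if mode is None:
            mode = ET.SubElement(config, "add", key="signatureValidationMode")
        mode.set("value", "require")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_trusted_authors(EXISTING_CONFIG, author_signatures(SAMPLE_VERIFY_OUTPUT)))
```

Run it once per package listed in the issue, feeding it the real `verify -signatures` output each time; because entries are keyed by fingerprint, packages signed with the same Microsoft certificate collapse into a single `<certificate>` under one `<author name="Microsoft Corporation">` element, and re-running the script changes nothing.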
