A new command is necessary to verify a signed package from the command line. Use "signtool verify /v" as an inspiration.
In all of our commands we have just 2 verbosity levels, detailed and normal.
I'm not saying that's great, in fact I think we should improve it, but we should discuss whether we want to keep the same pattern.
@nkolev92 nuget docs mention three levels of verbosity... here is a reference for the push command
-Signer <cert_hash> … - Verify that the signer certificate matches one of the specified hashes.
I assume you mean cert fingerprint by cert_hash?
I think it should be consistent with the naming in the sign command.
@PatoBeltran Ah, my bad.
Double-checked it just now; I have seen cases in which we don't respect the quiet level, so that had me confused.
Some errors and warnings that should be displayed are:
Warnings:
- A signing certificate doesn't chain up to a trusted root
- A timestamper certificate doesn't chain up to a trusted root
How will the verification procedure acquire the list of trusted roots?
@jariq .NET's SignedCms object does the validation that the certificate chains up to a trusted root; therefore the verification procedure just needs to delegate that check to the certificate chain building engine in .NET.
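Sketch of the approach described above, and of the `-Signer <fingerprint>` check discussed earlier, as an added example that is not NuGet's own code: the signature math is checked by `SignedCms`, chain trust is delegated to `X509Chain` so an untrusted root can be reported as a warning, and in detailed mode the chain is listed in a signtool-like layout. It assumes the package signature is available as a raw CMS/PKCS#7 blob on disk (the `package.sig` path and the fingerprint arguments are placeholders); timestamp handling is not covered.

```csharp
// Added example, not NuGet's implementation. Assumes a detached CMS signature
// blob and treats command-line arguments as: <sig path> [<fingerprint> ...].
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class VerifyExample
{
    // Returns true when the signature is cryptographically valid and no error
    // (bad signature, fingerprint mismatch) was found. An untrusted chain is a
    // warning, matching the warning list proposed in this thread.
    static bool Verify(byte[] cmsBlob, string[] allowedFingerprints, bool detailed)
    {
        var cms = new SignedCms();
        cms.Decode(cmsBlob);

        // verifySignatureOnly: true checks only the signature over the content;
        // chain trust is evaluated separately below so it can be reported.
        try
        {
            cms.CheckSignature(verifySignatureOnly: true);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Error: invalid signature: {ex.Message}");
            return false;
        }

        int warnings = 0, errors = 0;
        foreach (SignerInfo signer in cms.SignerInfos)
        {
            X509Certificate2 cert = signer.Certificate;
            if (cert == null)
            {
                Console.WriteLine("Error: signer certificate not present in the signature");
                errors++;
                continue;
            }

            // -Signer check: the signer's thumbprint must match one of the given values.
            if (allowedFingerprints.Length > 0 &&
                !allowedFingerprints.Any(f => string.Equals(f, cert.Thumbprint, StringComparison.OrdinalIgnoreCase)))
            {
                Console.WriteLine($"Error: signer {cert.Thumbprint} does not match any specified fingerprint");
                errors++;
            }

            // Delegate trust evaluation to .NET's chain engine (machine trust store).
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                if (!chain.Build(cert))
                {
                    warnings++;
                    foreach (X509ChainStatus s in chain.ChainStatus)
                        Console.WriteLine($"Warning: {s.Status}: {s.StatusInformation.Trim()}");
                }

                if (detailed)
                {
                    Console.WriteLine("Signing Certificate Chain:");
                    // ChainElements[0] is the leaf; signtool lists the root first.
                    foreach (X509ChainElement el in chain.ChainElements.Cast<X509ChainElement>().Reverse())
                        PrintCert(el.Certificate);
                }
            }
        }

        Console.WriteLine($"Number of warnings: {warnings}");
        Console.WriteLine($"Number of errors: {errors}");
        return errors == 0;
    }

    static void PrintCert(X509Certificate2 c)
    {
        Console.WriteLine($"    Issued to: {c.GetNameInfo(X509NameType.SimpleName, false)}");
        Console.WriteLine($"    Issued by: {c.GetNameInfo(X509NameType.SimpleName, true)}");
        Console.WriteLine($"    Expires:   {c.NotAfter:ddd MMM dd HH:mm:ss yyyy}");
        Console.WriteLine($"    SHA1 hash: {c.Thumbprint}");
    }

    static void Main(string[] args)
    {
        // Placeholder path; a real command would extract the signature from the package.
        byte[] blob = File.ReadAllBytes(args.Length > 0 ? args[0] : "package.sig");
        string[] fingerprints = args.Skip(1).ToArray();
        Environment.Exit(Verify(blob, fingerprints, detailed: true) ? 0 : 1);
    }
}
```

Splitting the signature check from the chain build is what lets a missing trusted root surface as a warning with the chain-status reason, rather than as a bare `CryptographicException`, which is the distinction the warnings list above depends on.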
nuget verify signature should show similar output to signtool.exe. In detailed mode it shows the certificate chain, the signed hash and the timestamp value.
e.g.:
```
Verifying: nuget.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): AC3F2753CC08C76E30786DD766381127ABA1E2BF

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 15:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon Aug 31 14:29:32 2020
        SHA1 hash: 3CAF9BA2DB5570CAF76942FF99101B993888E257

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Sat Aug 11 12:11:15 2018
            SHA1 hash: 49D59D86505D82942A076388693F4FB7B21254EE

The signature is timestamped: Fri Nov 17 12:52:33 2017
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 15:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 05:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Sep 07 09:58:50 2018
            SHA1 hash: 9D2361FA5394ACB4D0C59A07D23DFFFB50E37484

Successfully verified: nuget.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
```
This work has been checked into 4.6 codebase. Closing.