Nuget.exe 4.6.2.5055
nuget sign mypackage.nupkg -CertificatePath MySelfSignedCert.pfx
fails with
NU3018: A certificate chain could not be built to a trusted root authority.
WARNING: NU3018: The revocation function was unable to check revocation for the certificate.
WARNING: NU3018: The revocation function was unable to check revocation because the revocation server was offline.
NU3018: Certificate chain validation failed.
Expected: Same behavior as SignTool (allows signing without trusting the certificate).
This is not an issue for nuget.exe sign. Sign accepts untrusted self issued certificates as signers with a warning (https://github.com/NuGet/NuGet.Client/blob/91316ff8e9b1092900961b8ddfc95766d74a8969/test/NuGet.Clients.FuncTests/NuGet.CommandLine.FuncTest/Commands/SignCommandTests.cs#L663).
Nevertheless, if a signing certificate is untrusted but is not self-issued, the sign operation does fail. This is by design and there is no current plan to update this behavior. I will close this issue because there is no current significant scenario where signing with untrusted, non-self-issued certificates is needed. Feel free to reopen it in the future if a scenario is blocked by this.
@PatoBeltran: We're using an in-house CA and would like to sign in-house deployment packages (which are NuGet packages, as Octopus Deploy requires NuGet packages) with certificates signed by our in-house CA. We're using a 3rd-party service to sign our packages. The 3rd-party service is not able to install our CA root as a trusted root certificate. Therefore all our signing attempts with this 3rd-party service fail. There should be an option to "ignore" certificate chains when signing NuGet packages. Please reopen and provide such an option! The 3rd party already confirmed to us that they would use this option if provided.
We will investigate what's the best option to implement this. We need to build the chain anyway; one option will be to accept all the needed certificates.
There is now even the option to verify a chain with an untrusted root when using the trusted-signers feature (see "AllowUntrustedRoot" in https://docs.microsoft.com/en-us/nuget/tools/cli-ref-trusted-signers). So it's even more a pity that signing does not have an option "-allowUntrustedRoot" yet :-)
Is there any update on this? Would you accept pull requests for this?
Hi,
I have a very similar issue but can't figure out what's the root cause.
Can anyone help?

/c @dtivel @rrelyea
Any updates?