App-vNext / Polly

Polly is a .NET resilience and transient-fault-handling library that allows developers to express policies such as Retry, Circuit Breaker, Timeout, Bulkhead Isolation, and Fallback in a fluent and thread-safe manner. From version 6.0.1, Polly targets .NET Standard 1.1 and 2.0+.
https://www.thepollyproject.org
BSD 3-Clause "New" or "Revised" License

The new nuget package Polly 7.2.4 is invalid or cannot be verified on this platform. #1333

Closed valentinmarinro closed 1 year ago

valentinmarinro commented 1 year ago

Summary: On an Azure Pipelines build step I get this error for the 7.2.4 NuGet package: Package 'Polly 7.2.4': The package signature is invalid or cannot be verified on this platform. But version 7.2.3 works correctly.

Expected behavior: Signed package.

Actual behaviour: Unsigned package.

Steps / Code to reproduce the problem: While trying to restore the NuGet package, I'm getting the following error:

Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': The package signature is invalid or cannot be verified on this platform.

martincostello commented 1 year ago

Duplicate of https://github.com/App-vNext/Polly/issues/1323#issuecomment-1598521023.

On what operating system and tooling are you trying to download the package on and then validate the package with?

valentinmarinro commented 1 year ago

Hi, it is on Windows and the agent in pipeline is defined like this:

    pool:
      name: Default
      demands:

valentinmarinro commented 1 year ago

We also checked whether the certificates are installed, and they are, for both NuGet.org and .NET Foundation.

martincostello commented 1 year ago

And how exactly are you attempting to validate the package signature?

Note that certificates won't be installed into a computer by default as they are not trusted root certificates like those used for TLS certificates, but Windows Authenticode certificates.

Do you validate any other NuGet packages' signatures in the same workflow, such as the .NET ones (e.g. System.Text.Json), as they are similarly Authenticode signed?

[screenshot]

valentinmarinro commented 1 year ago

Yes, we are using System.Text.Json (latest stable version) on all our microservices, which use the same process and pipelines; also we have the flag -warnaserror enabled.

valentinmarinro commented 1 year ago

These are some examples of the libraries we have in the same process where Polly fails that are signed, one from Microsoft and one third-party from BouncyCastle:

[screenshots]

[screenshot]

valentinmarinro commented 1 year ago

And this is the System.Text.Json library that we use in the same process where Polly fails: [screenshot]

martincostello commented 1 year ago

Sure, but that's you opening them and manually visually inspecting them. What does NuGet Package Explorer show you if you open the package for Polly 7.2.4 in the same environment you generated those screenshots?

How are you validating them in the build process where you are having issues, and do those same packages pass the same validation?

Also note that in the screenshot for Castle.Core there is no Publisher signature. There's just the Repository signature from NuGet.org. None of the libraries within it appear to be Authenticode signed either.

valentinmarinro commented 1 year ago

This is from my local development machine; I don't have access to the build agent machine. All packages are validated in the same way.

This is the command from the pipeline: "C:\Program Files\dotnet\dotnet.exe" build D:\DATA\BuildAgent\_work\619\s\src\[ProjectFolder]\[ProjectName].csproj "-dl:CentralLogger,\"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll\"*ForwardingLogger,\"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll\"" --configuration Release -warnaserror /p:Version=2023.3.0.0 /p:TreatWarningsAsErrors=true /p:AssemblyVersion=2023.3.0.588 /p:InformationalVersion=2023.3.0-develop0588

Error NU3003: Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': The package signature is invalid or cannot be verified on this platform.

[screenshot]

martincostello commented 1 year ago

The problem here is that we both agree that they appear to be valid on a local development machine on Windows using NuGet Package Explorer. Even if you don't have access to the build agent, you should be able to provide us with details about exactly what the build process is where the problem is happening.

The command is useful to a degree, but there's a lot of context not shown, such as where in the build the error is happening.

The warning (turned to an error by -warnaserror and /p:TreatWarningsAsErrors=true) is Scenario 2 in this document.

Can you provide us with more details, such as the operating system version, the version of the .NET SDK you're using, the TFM you're building for etc.? It could possibly be that older versions of the .NET SDK have a bug/issue that means it can't correctly validate the package signatures.

Are you explicitly asking NuGet to validate signatures of packages, or is the default behaviour just doing this during dotnet restore?

I've got Polly v7.2.4 being used in various projects of my own in GitHub Actions here in GitHub (and internally proxied through Artifactory where I work), and we've not observed any issues with this restoring the packages from NuGet.org. Many of these projects also have TreatWarningsAsErrors=true set, so I would expect them to fail the same way as you're seeing this failure if it was a general problem.

So far this issue and the other one I linked to seem to be environment-specific with the validation tooling, rather than an issue with the package itself - as your own screenshot shows, the package is signed and the signature is valid.

I'm going to do a quick check in an open source project of mine using Polly v7.2.4 to explicitly enable package signature validation and see if there's any errors during package restore.

martincostello commented 1 year ago

Explicitly using nuget verify on my Windows development machine, the package is verified (as expected). If I tamper with it, then it correctly fails.

❯ dotnet nuget verify .\polly.7.2.4.nupkg

Verifying Polly.7.2.4

Signature type: Author
  Subject Name: CN=Polly (.NET Foundation), O=Polly (.NET Foundation), L=Redmond, S=Washington, C=US, SERIALNUMBER=603 389 068, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, OID.1.3.6.1.4.1.311.60.2.1.3=US
  SHA256 hash: B9752340121AB41446EEAB7484B7A8F176B54F3357CD601A4BE3DC7B1D08D11D
  Valid from: 02/06/2023 01:00:00 to 02/06/2026 00:59:59

Signature type: Repository
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA256 hash: 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4
  Valid from: 16/02/2021 00:00:00 to 16/05/2024 00:59:59

❯ dotnet nuget verify .\tampered-polly.7.2.4.nupkg

Verifying Polly.7.2.4

error: NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an invalid value (8).

Package signature validation failed.
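The same two checks that the verify output and the NuGet Package Explorer screenshots above show, scripted so they can run on a build agent before a package is trusted. This is an added example and not code from the Polly project: it pins the author certificate to the SHA-256 fingerprint printed by `dotnet nuget verify` above (any other signer fails), then extracts the `.nupkg`, which is a zip archive, and checks the Windows Authenticode signature of every assembly under `lib/`. The package path is an assumption; `dotnet nuget verify --certificate-fingerprint` and `Get-AuthenticodeSignature` are existing tooling, and the script needs the .NET SDK and Windows PowerShell or PowerShell 7 on Windows.

```powershell
# Added example, not from the Polly project. Verifies a local .nupkg in two layers:
#   1. the NuGet package signature, pinned to one author-certificate fingerprint
#   2. the Windows Authenticode signature of every assembly under lib/
# Requires the .NET SDK (dotnet nuget verify) and Windows (Get-AuthenticodeSignature).
param(
    # Assumed path. The fingerprint is the author certificate that
    # 'dotnet nuget verify' printed for Polly 7.2.4 in this thread.
    [string]$Package = ".\polly.7.2.4.nupkg",
    [string]$ExpectedFingerprint = "B9752340121AB41446EEAB7484B7A8F176B54F3357CD601A4BE3DC7B1D08D11D"
)

$ErrorActionPreference = "Stop"
$packagePath = (Resolve-Path -LiteralPath $Package).Path

# 1. Package-level: with --certificate-fingerprint NuGet fails verification unless a
#    signature chains to a certificate with this SHA-256 fingerprint, so a package
#    re-signed by someone else, or tampered with, is rejected here.
& dotnet nuget verify $packagePath --certificate-fingerprint $ExpectedFingerprint
if ($LASTEXITCODE -ne 0) {
    throw "NuGet signature check failed for $packagePath (exit code $LASTEXITCODE)"
}

# 2. Assembly-level: a .nupkg is a zip archive. Extract it and run
#    Get-AuthenticodeSignature over lib/**/*.dll. This is independent of the
#    package signature: an unsigned DLL inside a signed package still fails.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$extractDir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
[System.IO.Compression.ZipFile]::ExtractToDirectory($packagePath, $extractDir)
try {
    $assemblies = Get-ChildItem -LiteralPath (Join-Path $extractDir "lib") -Recurse -Filter *.dll
    if (-not $assemblies) { throw "No assemblies found under lib/ in $packagePath" }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    foreach ($dll in $assemblies) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        if ($sig.Status -ne 'Valid') {
            throw "$($dll.FullName): Authenticode status is $($sig.Status) ($($sig.StatusMessage))"
        }
        # SHA-256 over the signer's DER-encoded certificate, the same form as the
        # NuGet fingerprint, so it can be compared against a known-good allow list.
        $hash = ($sha256.ComputeHash($sig.SignerCertificate.RawData) |
                 ForEach-Object { $_.ToString('X2') }) -join ''
        Write-Host ("{0}: {1} [{2}]" -f $dll.Name, $sig.SignerCertificate.Subject, $hash)
    }
}
finally {
    Remove-Item -LiteralPath $extractDir -Recurse -Force
}
```

Run it as `.\Verify-Package.ps1 -Package .\polly.7.2.4.nupkg` (the file name is assumed). The assembly signer is printed rather than pinned because the Authenticode certificate inside the package is not necessarily the same certificate as the NuGet author signature; compare the printed fingerprint against the value the verify step reports before adding it to an allow list.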

martincostello commented 1 year ago

So I changed the NuGet.config in one of my repos to enforce signature validation and added various settings to trust the NuGet packages used by that application. With those trusted repositories/owners/publishers, package restore succeeds for the application (I'm not going to go through the exhaustive process of adding the settings for the test projects too).

Without adding a trusted signer for the package, a NU3034 error occurs on Windows:

D:\a\costellobot\costellobot\src\Costellobot\Costellobot.csproj : error NU3034: Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': signatureValidationMode is set to require, so packages are allowed only if signed by trusted signers; however, no trusted signers were specified.
  Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': 
  Signature type: Author
  Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json':   Subject Name: CN=Polly (.NET Foundation), O=Polly (.NET Foundation), L=Redmond, S=Washington, C=US, SERIALNUMBER=603 389 068, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, OID.1.3.6.1.4.1.311.60.2.1.3=US
  Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json':   SHA256 hash: B9752340121AB41446EEAB7484B7A8F176B54F3357CD601A4BE3DC7B1D08D11D
  Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json':   Valid from: 6/2/2023 12:00:00 AM to 6/1/2026 11:59:59 PM

macOS and Linux do not attempt to validate the package signatures as the functionality is not supported.

TL;DR - I can't replicate package signature validation failing due to an invalid signature.

valentinmarinro commented 1 year ago

Hey, thank you so much for your investigation; below is the requested information:

We are using Azure DevOps On-Premise. I've added an excerpt from the pipeline run with diagnostics, and also added below all agent capabilities:

OS: Microsoft Windows Server 2016 Standard

TFMs (we are using .NET 6.0): [screenshot]

Microsoft (R) Build Engine version 17.1.1+a02f73656 for .NET
[debug]Agent.CAInfo=undefined
[debug]Agent.ClientCert=undefined
[debug]Agent.SkipCertValidation=undefined
[debug]command=build
[debug]Exit code 0 received from tool 'C:\Program Files\dotnet\dotnet.exe'
[debug]STDIO streams have closed for tool 'C:\Program Files\dotnet\dotnet.exe'
[debug]which 'C:\Program Files\dotnet\dotnet.exe'
[debug]found: 'C:\Program Files\dotnet\dotnet.exe'
[debug]C:\Program Files\dotnet\dotnet.exe arg: build
[debug]C:\Program Files\dotnet\dotnet.exe arg: D:\DATA\BuildAgent\_work\619\s\src\[ProjectName]\[ProjectName].csproj
[debug]C:\Program Files\dotnet\dotnet.exe arg: -dl:CentralLogger,"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll"*ForwardingLogger,"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll"
[debug]C:\Program Files\dotnet\dotnet.exe arg: --configuration Release -warnaserror /p:Version=2023.3.0.0 /p:TreatWarningsAsErrors="true" /p:AssemblyVersion=2023.3.0.588 /p:InformationalVersion=2023.3.0-develop0588
[debug]exec tool: C:\Program Files\dotnet\dotnet.exe
[debug]arguments:
[debug] build
[debug] D:\DATA\BuildAgent\_work\619\s\src\[ProjectName]\[ProjectName].csproj
[debug] -dl:CentralLogger,"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll"*ForwardingLogger,"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll"
[debug] --configuration
[debug] Release
[debug] -warnaserror
[debug] /p:Version=2023.3.0.0
[debug] /p:TreatWarningsAsErrors=true
[debug] /p:AssemblyVersion=2023.3.0.588
[debug] /p:InformationalVersion=2023.3.0-develop0588
"C:\Program Files\dotnet\dotnet.exe" build D:\DATA\BuildAgent\_work\619\s\src\[ProjectName]\[ProjectName].csproj "-dl:CentralLogger,\"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll\"*ForwardingLogger,\"D:\DATA\BuildAgent\_work\_tasks\DotNetCoreCLI_5541a522-603c-47ad-91fc-a4b1d163081b\2.181.0\dotnet-build-helpers\Microsoft.TeamFoundation.DistributedTask.MSBuild.Logger.dll\"" --configuration Release -warnaserror /p:Version=2023.3.0.0 /p:TreatWarningsAsErrors=true /p:AssemblyVersion=2023.3.0.588 /p:InformationalVersion=2023.3.0-develop0588
Microsoft (R) Build Engine version 17.1.1+a02f73656 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

Determining projects to restore...
[debug]Processed: ##vso[task.logdetail id=2298c618-ee02-4b5b-9abd-41de432eb540;parentid=;name=[ProjectName].csproj;type=Build;starttime=2023-06-21T07:56:51.2116596Z;state=InProgress;]
[error]src\[ProjectName]\[ProjectName].csproj(0,0): Error NU3003: Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': The package signature is invalid or cannot be verified on this platform.
[debug]Processed: ##vso[task.logissue type=Error;sourcepath=D:\DATA\BuildAgent\_work\619\s\src\[ProjectName]\[ProjectName].csproj;linenumber=0;columnnumber=0;code=NU3003;]Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': The package signature is invalid or cannot be verified on this platform.
[debug]Processed: ##vso[task.logdetail id=2298c618-ee02-4b5b-9abd-41de432eb540;parentid=;type=Build;result=Failed;finishtime=2023-06-21T07:56:51.2176646Z;progress=100;state=Completed;parentid=;name=;]
D:\DATA\BuildAgent\_work\619\s\src\[ProjectName]\[ProjectName].csproj : error NU3003: Package 'Polly 7.2.4' from source 'https://api.nuget.org/v3/index.json': The package signature is invalid or cannot be verified on this platform.

[screenshots: agent capabilities]

valentinmarinro commented 1 year ago

And this is an excerpt from the YAML pipeline where we define the build step:

[screenshot]

valentinmarinro commented 1 year ago

We also added the NuGet.config in the solution folder with the trusted signers that you pointed out, but still received the same error. We even set the author Polly to allowUntrustedRoot="true", and still got the same error.

    <author name="Polly">
      <certificate fingerprint="B9752340121AB41446EEAB7484B7A8F176B54F3357CD601A4BE3DC7B1D08D11D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
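Putting together the settings described in the two comments above (signature validation set to require, the Polly author certificate trusted, the NuGet.org repository signature trusted), a complete NuGet.config. This is an added example, not a file from the Polly project: the fingerprints are the ones `dotnet nuget verify` printed earlier in this thread; the owners list is an assumption to confirm against the Owners field on the package page at nuget.org; and the NuGet.org repository certificate is rotated (the one shown is valid until May 2024), so that fingerprint must be refreshed when verify reports a new one. `allowUntrustedRoot` stays `false`: setting it to `true`, as tried above, accepts a chain to an untrusted root and masks a client that cannot build the chain rather than fixing it. On the SDKs in use at the time this applied to Windows only, as noted above; from the .NET 8 SDK onward signature verification also runs on Linux, so the same file takes effect there.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example NuGet.config, not from the Polly project. -->
<configuration>
  <config>
    <!-- Fail restore for any package not signed by a trusted signer listed below.
         The NU3034 error quoted in this thread is this setting working as intended. -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- Author signature: the fingerprint printed by 'dotnet nuget verify' above.
         Keep allowUntrustedRoot="false"; "true" accepts a chain to an untrusted root. -->
    <author name="Polly">
      <certificate fingerprint="B9752340121AB41446EEAB7484B7A8F176B54F3357CD601A4BE3DC7B1D08D11D"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
    <!-- Repository signature from NuGet.org, limited to packages whose nuget.org owners
         are listed. The fingerprint is the one printed above (valid until May 2024;
         NuGet.org rotates this certificate, so refresh it when verify reports a new one).
         The owners list is an assumption: check the package page at nuget.org. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>App-vNext;dotnetfoundation</owners>
    </repository>
  </trustedSigners>
</configuration>
```

With `require` set, every package restored by the solution, including test-project dependencies, needs a matching trusted signer, which is why the comment above mentions adding settings for each package; a package with a valid signature but no matching entry fails with NU3034, while NU3003 (as in this thread) means the client could not validate the signature at all and is a tooling problem that no trusted-signer entry can fix.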

martincostello commented 1 year ago

I created a specific targeted repository to test this and I can reproduce this with the following .NET SDK versions:

I cannot reproduce this with the following .NET SDK versions:

This suggests to me that this is a bug (or missing functionality) in the NuGet client that ships with previous versions of the .NET SDK/MSBuild (from your build output, it's using MSBuild 17.1 compared to the latest of 17.6).

If this is the case then this is outside of our control. I can suggest three potential courses of action:

  1. Revert to Polly 7.2.3 - the 7.2.4 release was specifically to sign the assemblies and NuGet package; the functional changes are negligible. This is only a short term fix as all future releases of Polly will be signed.
  2. Update to version 6.0.400 (or later) of the .NET SDK.
  3. Raise an issue in the NuGet/Home repository as suggested here for the NuGet team to investigate further.

valentinmarinro commented 1 year ago

Thank you so much Martin, will try to update to 6.0.400 and test again.

valentinmarinro commented 1 year ago

I will close this issue as it is in our hands now, thanks.

GavinOsborn commented 1 year ago

Just popping in to say thanks for the write-up, this saved what would have been hours of head scratching in my team!