Open v-luzh opened 1 year ago
Thanks for filing this issue. Out of curiosity I tried dotnet pack command —output nupkgs
which failed because the output switch format was incorrect.
dotnet pack .\ClassLibrary9.csproj —output nupkgs
MSBuild version 17.7.0-preview-23320-09+d30eef85d for .NET
MSBUILD : error MSB1008: Only one project can be specified.
Full command line: 'C:\Program Files\dotnet\sdk\7.0.400-preview.23322.28\MSBuild.dll -maxcpucount -verbosity:m -restore -target:pack --property:_IsPacking=true .\ClassLibrary9.csproj -output nupkgs -distributedlogger:Microsoft.DotNet.Tools.MSBuild.MSBuildLogger,C:\Program Files\dotnet\sdk\7.0.400-preview.23322.28\dotnet.dll*Microsoft.DotNet.Tools.MSBuild.MSBuildForwardingLogger,C:\Program Files\dotnet\sdk\7.0.400-preview.23322.28\dotnet.dll'
Switches appended by response files:
Switch: -output
Hi @kartheekp-ms, we tried the dotnet pack .\Package.csproj —output nupkgs
on Windows and got a different result below. The reason is: it will make the incorrect "—output" to "-output" automatically when running "dotnet pack" command on Windows. But the package had not been packed - that's expected since the command is wrong. And the key point of this original bug: running an incorrect command getting a correct result.
C:\Users\v-luzh\source\repos\Package002\Package002>cd C:\Users\v-luzh\source\repos\Package003\Package003
C:\Users\v-luzh\source\repos\Package003\Package003>dotnet pack .\Package003.csproj -output nupkgs MSBuild version 17.7.0-preview-23281-03+4ce2ff1f8 for .NET MSBUILD : error MSB1001: Unknown switch. Full command line: 'C:\Program Files\dotnet\sdk\8.0.100-preview.5.23303.2\MSBuild.dll -maxcpucount -verbosity:m -restore -target:pack --property:_IsPacking=true -property:Configuration=Release .\Package003.csproj -output nupkgs -distributedlogger:Microsoft.DotNet.Tools.MSBuild.MSBuildLogger,C:\Program Files\dotnet\sdk\8.0.100-preview.5.23303.2\dotnet.dll*Microsoft.DotNet.Tools.MSBuild.MSBuildForwardingLogger,C:\Program Files\dotnet\sdk\8.0.100-preview.5.23303.2\dotnet.dll' Switches appended by response files: Switch: -output
@v-luzh
I tried to repro this on WSL Ubuntu, but I couldn't repro it. It failed as expected when I pass —output
, so far 111
folder is not created.
./PatchedSDK/dotnet nuget sign ./NugetProj/CheckRuntime.1.0.0.nupkg --certificate-path ./NugetProj/b8d976afc5dad83051d2612e1020bc12da72cf53.pfx --certificate-password "" --timestamper http://timestamp.digicert.com/ -v n —output 111
But if I change —
with --
then works as expected
./PatchedSDK/dotnet nuget sign ./NugetProj/CheckRuntime.1.0.0.nupkg --certificate-path ./NugetProj/b8d976afc5dad83051d2612e1020bc12da72cf53.pfx --certificate-password "" --timestamper http://timestamp.digicert.com/ -v n --output 222
Hi @erdembayar, the key to repro this bug is the character "—". I guess it's different between what you used and what we used in the bug. Please copy the command "—output" from the title of the bug.
Note: that's how I created the character: I typed "--" in a text file on MacBook and the iOS system automatically changed it to "—". And we used the "—output" on both Windows & Linux, this bug reproes.
Hi @erdembayar, @kartheekp-ms, It only reproes on Linux and iOS platforms. I just realize why you cannot repro this bug. The key point of this issue is: the package in the default directory (/Users/nuget/Desktop/patchSDK/PatchedPackages/Package06.1.0.0.nupkg)-- [not the new output path which the "dotnet sign package
" command gave (/Users/nuget/Desktop/otheroutput)] was signed successfully with the incorrect option "—output".
Let me describe it in details:
In step1, we created and packed a package with patched .NET SDK. So, the package in the default directory is like "/Users/nuget/Desktop/patchSDK/PatchedPackages/Package06.1.0.0.nupkg".
In step4, the case is that we expect to sign the package into another output directory like (/Users/nuget/Desktop/otheroutput). But we gave an incorrect option “—output”, so the expect result should be the package in the default directory (/Users/nuget/Desktop/patchSDK/PatchedPackages/Package06.1.0.0.nupkg) would not be signed since we didn't use the default directory in the dotnet nuget sign
command in this step4. However, you can see in the Verbose Logs, the package in the default directory was signed successfully!
It still reproes on .NET SDK Version: 8.0.400-rtm.24367.3 patched with Dev\6.12.0.33.
NuGet Product Used
dotnet.exe
Product Version
.NET SDK Version: 7.0.305
Worked before?
No response
Impact
It bothers me. A fix would be nice
Repro Steps & Context
Repro Steps:
.\CreateTestCertificate.ps1 -AddAsTrustedRootAuthority -Password password -GenerateCerFile
(in the powershell "Developer Command Prompt"). On Linux/macOS: Copy the .cer file(should be generated under the same path with .pfx file) and the .pfx file from the above Windows machine to Linux /macOS machine.(before the certificate expires)./dotnet run --project ./Entropy/TrustTestCert/TrustTestCert.csproj --framework net7.0 -- add -c <CertificateFilePath> -vsd <VersionedSdkDirectoryPath>
.\patchedSDK\dotnet.exe nuget sign <PackageFilePath> --certificate-path <PfxFilePath> --certificate-password password --timestamper http://timestamp.digicert.com/ —output .\<otherPath> -v n
On Linux/macOS:./patchedSDK/dotnet nuget sign <PackageFilePath> --certificate-path <PfxFilePath> --certificate-password password --timestamper http://timestamp.digicert.com/ —output .\<otherPath> -v n
Expected:
The package in default output directory should not be signed successfully since the option provided is incorrect.
Actual:
The package in default output directory is signed successfully as below info.
Notes:
1.It reproes on MacOS and Linux platforms, doesn't repro on Windows. 2.It was not found in the original case since we changed the option format for exploratory testing.
Verbose Logs
Bug Info (take the Mac for example):
PS /Users/nuget/Desktop/patchSDK> ./dotnet nuget sign /Users/nuget/Desktop/patchSDK/PatchedPackages/Package06.1.0.0.nupkg --overwrite --certificate-path /Volumes/CerShare/DF01C423C67C4E735BF31CC2972FC62C8F674EBD.pfx --certificate-password password --timestamper http://timestamp.digicert.com/ —output /Users/nuget/Desktop/otheroutput -v n X.509 certificate chain validation will use the fallback certificate bundle at '/Users/nuget/Desktop/patchSDK/sdk/7.0.305/trustedroots/codesignctl.pem'. X.509 certificate chain validation will use the fallback certificate bundle at '/Users/nuget/Desktop/patchSDK/sdk/7.0.305/trustedroots/timestampctl.pem'.
Signing package(s) with certificate: Subject Name: CN=Test certificate for testing NuGet package signing SHA1 hash: DF01C423C67C4E735BF31CC2972FC62C8F674EBD SHA256 hash: B9A01F780ABA2E6766CA0EE4CA9F01166E1F6C0443765FE001ED54E5F1F32FD5 Issued by: CN=Test certificate for testing NuGet package signing Valid from: 6/30/2023 12:58:58 AM to 7/1/2023 12:58:58 AM Timestamping package(s) with: http://timestamp.digicert.com/ error: File does not exist (—output).
Usage: dotnet nuget sign [arguments] [options]
Arguments: