NuGet / Home

Repo for NuGet Client issues

NuGet sign command should support custom certificate stores #13373

Open lemccomb opened 5 months ago

lemccomb commented 5 months ago

NuGet Product(s) Involved

NuGet.exe

The Elevator Pitch

Loading the My:CurrentUser certificate store can be a performance bottleneck for signing operations, so it is often a better practice to use a custom certificate store, especially in build systems and other contexts that make a lot of signing calls. The NuGet.exe sign command should enable this pattern by allowing the user to sign with a certificate in a custom store.

Additional Context and Details

Currently, running the sign command with -CertificateStoreName set to a custom store name returns the following error: Invalid value provided for 'CertificateStoreName'

zivkan commented 5 months ago

The current implementation (code search found dotnet nuget sign before nuget.exe sign) shows that we're trying to parse the value into a StoreName enum value: https://github.com/NuGet/NuGet.Client/blob/7ad6fcc9c56c960975c37b2416c7eae1d53ba3fd/src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Signing/SignCommand.cs#L192-L209

However, X509Store's constructor has an overload with a string name: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509store.-ctor?view=net-8.0#system-security-cryptography-x509certificates-x509store-ctor(system-string)

Therefore, I assume it's technically feasible, even if I couldn't figure out how to let certmanager create a custom store.

lemccomb commented 5 months ago

Yeah, that's what I figured, and that's how we were doing it in the Windows build signing code as well. But we run >100k signing operations/day, so the perf hit from reading the entire My store was adding up. So now I'm moving our build sign code to use a custom cert store and NuGet is the last hold-out.

For now, as a work-around, I'm copying the NuGet cert into the My store just before signing, but it means checking the store for the cert for every package, so still not ideal from a perf standpoint.

Thanks for the quick reply, Leith

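As an added example (not code from NuGet.Client or from either commenter), the C# below shows the approach zivkan's comment points at: keep the StoreName enum parse for the well-known store names the sign command already accepts, and fall back to the X509Store(string, StoreLocation) constructor for any other name. It also shows the one-time import that creates a custom store, which is the step that replaces the per-package copy into My described in lemccomb's work-around. The store name "NuGetSigning", the thumbprint and the PFX path are placeholders; a Windows CurrentUser store is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not NuGet.Client code: look up a signing certificate in either a
// well-known store (StoreName enum) or a custom-named store.
public static class CustomStoreSigningCert
{
    // Returns the matching certificate, or null if the store or certificate is not found.
    public static X509Certificate2 Find(string storeName, StoreLocation location, string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(storeName)) throw new ArgumentException("store name is required", nameof(storeName));
        if (string.IsNullOrWhiteSpace(thumbprint)) throw new ArgumentException("thumbprint is required", nameof(thumbprint));

        // Well-known names ("My", "Root", ...) keep the existing enum path; anything else is
        // treated as a custom store name and opened with the string overload.
        X509Store store = Enum.TryParse(storeName, ignoreCase: true, out StoreName wellKnown)
            ? new X509Store(wellKnown, location)
            : new X509Store(storeName, location);

        using (store)
        {
            try
            {
                // OpenExistingOnly: a sign operation must never create a store as a side effect.
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            }
            catch (CryptographicException)
            {
                return null; // the named store does not exist
            }

            // validOnly: false so a certificate whose chain cannot be built on this machine is
            // still returned; chain and trust policy are checked separately by the signing code.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            return matches.Count == 0 ? null : matches[0];
        }
    }

    // One-time setup: import the signing PFX into a small custom store so that per-package
    // lookups never have to enumerate the full My store. Opening a named store with ReadWrite
    // creates it if it does not exist yet, which is what certmgr does not expose in its UI.
    public static void ImportIntoCustomStore(string storeName, StoreLocation location, string pfxPath, string password)
    {
        // PersistKeySet keeps the private key in the key container after this process exits;
        // the key is not marked Exportable, so it cannot be pulled back out of the store.
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet);

        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
    }

    public static int Main(string[] args)
    {
        // Placeholder values (assumed): a custom CurrentUser store and a signing cert thumbprint.
        const string customStore = "NuGetSigning";
        const string thumbprint = "0000000000000000000000000000000000000000";

        X509Certificate2 cert = Find(customStore, StoreLocation.CurrentUser, thumbprint);
        if (cert == null)
        {
            Console.Error.WriteLine($"No certificate {thumbprint} in CurrentUser\\{customStore}");
            return 1;
        }

        Console.WriteLine($"Found {cert.Subject}, has private key: {cert.HasPrivateKey}");
        return 0;
    }
}
```

Two details matter for a build system that signs at high volume: the lookup opens the store read-only with OpenExistingOnly, so a typo in the store name fails loudly instead of silently creating an empty store, and the cost of the per-package lookup is proportional to the size of the custom store rather than to everything installed under My. Note that Enum.TryParse also accepts the enum's numeric values as strings (for example "5"), so a command-line parser that wants to reject those should check that the name is non-numeric before treating it as a well-known store.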