Closed stunney closed 7 years ago
What happens if you browse to the https endpoint in IE? Do you get a cert error then?
IE (11.0.9600.18321) - 11.0.31 (KB3154070) shows that the certificate could not be found and asks if I'd like to add it.
Strange that IE adds a trusted certificate to the Local Machine certificate store. What if I were running as a regular user and not as local admin?
This is a security issue for NuGet, regardless of what IE does. It can check the Machine cert stores first but it should also check Current User cert stores (Trusted People, and possibly Personal/MY) as well.
It's not a nuget issue. It's a Windows issue. nuget uses Windows for its HTTPS transport, it doesn't do it itself. So if Windows says the certificate isn't trusted there's nothing nuget can do.
I'm surprised it worked before. The trusted people store isn't the right place for the cert, it should be in the Trusted Root CA store.
If you add it to the Root CA for the user account does that fix the problem?
My specific example is a lonely self-signed certificate, no authority backing it. If an intermediate or root CA were involved in the evaluation I would agree with you 100% or Intermediate Certificate Authorities, Third-Party Root Certificate Authorities. As for self-signed certs it really should be searching Personal, Trusted People/Publishers, Enterprise Trust.
There has to be a code change associated with this. I'm surprised that this worked before as well.
That's not how self-signed certs have worked though. They're their own CA. To allow IE to trust them I've always put them into the My Trusted CA store.
For example, from 2008 - https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/
I'm honestly surprised it's ever worked for you putting it in the trusted people store.
Steps to reproduce
Run your own private NuGet repository only accessible via HTTPS. Use a self signed certificate or a certificate signed by a CA that isn't currently trusted by the client.
Add a package to your project from nuget.org. Ensure that package also exists now in your private repo.
Now ensure that a NuGet.config file is present that only allows communication to this private repo and not nuget.org, for example.
Clear out the C:\Users.nuget cache
Add the certificate to 's Trusted People certificate store as the old nuget.exe 2.8 would do.
Run: dotnet restore
Expected behavior
The package should be downloaded successfully.
Actual behavior
error: An error occured while sending the request. error: A security error occured. info: Failed to retrieve information from remote source 'http://host/FindPackagesById()?id='Newtonsoft.json' err
Work-around
Add certificate to Local Computer (Machine)'s Trusted People store. This is a security issue if a machine is shared (build machines).
Environment data
dotnet --info output:
.NET Command Line Tools (1.0.0-preview2-003121)
Product Information:
Version: 1.0.0-preview2-003121
Commit SHA-1 hash: 1e9d529
Runtime Environment:
OS Name: Windows
OS Version: 6.3.9600
OS Platform: Windows
RID: win81-x64
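The disagreement in this thread is about which certificate store a self-signed certificate must live in before Windows (and therefore dotnet restore) will accept the HTTPS endpoint. The following PowerShell diagnostic is an added example, not code from the issue or from the NuGet project; it looks for a certificate by thumbprint in the user and machine stores named above (Root, Trusted People, Personal/My) and then asks Windows' own chain engine whether that certificate chains to a trusted root. The $Thumbprint value is a placeholder to be replaced with the thumbprint of your own certificate.

```powershell
# Added diagnostic (not from the issue or NuGet): locate a certificate by thumbprint in the
# user and machine stores discussed in the thread, then ask Windows whether it chains to a
# trusted root. $Thumbprint is a placeholder; replace it with your own certificate's thumbprint.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

$stores = @(
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\TrustedPeople',
    'Cert:\CurrentUser\My',
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\TrustedPeople',
    'Cert:\LocalMachine\My'
)

$found = $null
foreach ($store in $stores) {
    $hit = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($hit) {
        Write-Host "present in $store"
        if (-not $found) { $found = $hit | Select-Object -First 1 }
    }
}

if (-not $found) {
    Write-Host "certificate $Thumbprint not found in any of the inspected stores"
    return
}

# X509Chain.Build applies the same trust rules Windows uses for an HTTPS server certificate:
# a self-signed certificate is accepted only when that exact certificate is in a Root store.
# Revocation checking is disabled so that an offline machine reports only the trust result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($found)

Write-Host "chain builds to a trusted root: $trusted"
foreach ($status in $chain.ChainStatus) {
    # UntrustedRoot here means the certificate is only in TrustedPeople or My, which is the
    # situation this issue describes; importing it into Root clears it.
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
```

Run it as the same account that runs dotnet restore, since the CurrentUser stores are per account. If the certificate is reported only under TrustedPeople and the chain status is UntrustedRoot, the restore failure above is expected; importing the certificate into Cert:\CurrentUser\Root (rather than the Local Computer store, which affects every account on a shared build machine) is the narrower fix suggested earlier in the thread.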