Package signing with timestamp server does not work on .NET 5.0

[campersau]

Details about Problem

Package signing with timestamp server does not work in .NET 5. I have tracked down the issue to this code which was recently added in https://github.com/NuGet/NuGet.Client/pull/3458 The timestamp server in my tests returned application/timestamp-reply as Content-Type. If I comment this code out or accept both application/timestamp-response and application/timestamp-reply everything works fine.

NuGet product used: Source Code / NuGet Package

NuGet version: latest commit https://github.com/NuGet/NuGet.Client/commit/088004379cb99890f766e9b7a0a29f7b080f888b

dotnet.exe --version: 5.0.100-preview.6.20318.15 / 5.0.100-preview.7

VS version: 16.6.2

OS version (i.e. win10 v1607 (14393.321)): Windows 10 1909 Build 18363.778)

Worked before? If so, with which NuGet version: Yes, before https://github.com/NuGet/NuGet.Client/pull/3458

Detailed repro steps so we can see the same problem

1. Create a new test case in NuGet.Client\test\NuGet.Core.Tests\NuGet.Commands.Test\SignCommandRunnerTests.cs

   [Fact]
   public async Task ExecuteCommandAsync_WithCertificate()
   {
   using (var test = await Test.CreateAsync(_fixture.GetDefaultCertificate()))
   {
       test.Args.CertificateSubjectName = "your code signing certificate name";
       test.Args.CertificateStoreLocation = StoreLocation.CurrentUser;
       test.Args.CertificateStoreName = StoreName.My;
       test.Args.SignatureHashAlgorithm = HashAlgorithmName.SHA256;
       test.Args.TimestampHashAlgorithm = HashAlgorithmName.SHA256;
       test.Args.Timestamper = "http://timestamp.digicert.com";
   
       var result = await test.Runner.ExecuteCommandAsync(test.Args);
   
       Assert.Equal(0, result);
   }
   }

2. Test should pass on platforms netframework, net 5.0.

Issue first reported here: https://github.com/NuGetPackageExplorer/NuGetPackageExplorer/issues/1050

cc: @clairernovotny

[mwpowellhtx]

What is the API spec for a timestamp server?

[zivkan]

I think it's this: https://www.rfc-editor.org/rfc/rfc3161

[mwpowellhtx]

I think it's this: https://www.rfc-editor.org/rfc/rfc3161

Looks promising, I've been trying to find that doc, or some mention of it, anywhere to no avail. So if we implement that, should be able to timestamp.

[zivkan]

The certificate that's used to timestamp still needs to be trusted. X509 is a complex beast, and I only have a superficial understanding. If you're doing this for internal packages only, and already have a company internal trusted Certificate Authority, where the company CA's trust is pushed to all employee machines via group policy, it could work. If you want to sign packages published to nuget.org, you have to use a certificate trusted by Windows by default.

[mwpowellhtx]

Appreciate the bit of feedback. Right, Root and intermediate certs are trusted in the local Windows store along these lines. Thank you for the heads up.

[mwpowellhtx]

So as a starting exercise, I provide a do-nothing POST minimal API (dotnet), so far so good, but it is not clear whatsoever in the RFC whether the HTTP(S) protocol transport should handle GET, POST, whatever. Apparently it is POST (after some debugging). That's number one.

Number two, working on dissecting the HttpContext.Request for key information that nuget.exe might be providing for time stamper. However, nuget.exe is dumping the following warning before ever receiving a response, timing out, whatever.

WARNING: NU3018: RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.

So, the question in my mind is, how should we be configuring the certs? root? intermediate? and the cert (presumed chain) itself, for signing purposes. Which SHA? i.e. I setup SHA512, but it (nuget.exe) does not seem to want anything other than SHA256? So on and so forth.