Closed campersau closed 4 years ago
What is the API spec for a timestamp server?
I think it's this: https://www.rfc-editor.org/rfc/rfc3161
Looks promising, I've been trying to find that doc, or some mention of it, anywhere to no avail. So if we implement that, should be able to timestamp.
The certificate that's used to timestamp still needs to be trusted. X509 is a complex beast, and I only have a superficial understanding. If you're doing this for internal packages only, and already have a company internal trusted Certificate Authority, where the company CA's trust is pushed to all employee machines via group policy, it could work. If you want to sign packages published to nuget.org, you have to use a certificate trusted by Windows by default.
Appreciate the bit of feedback. Right, Root and intermediate certs are trusted in the local Windows store along these lines. Thank you for the heads up.
So as a starting exercise, I provide a do-nothing POST minimal API (dotnet), so far so good, but it is not clear whatsoever in the RFC whether the HTTP(S) protocol transport should handle GET, POST, whatever. Apparently it is POST (after some debugging). That's number one.
Number two, working on dissecting the HttpContext.Request for key information that nuget.exe might be providing for time stamper. However, nuget.exe is dumping the following warning before ever receiving a response, timing out, whatever.
WARNING: NU3018: RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
So, the question in my mind is, how should we be configuring the certs? root? intermediate? and the cert (presumed chain) itself, for signing purposes. Which SHA? i.e. I set up SHA512, but it (nuget.exe) does not seem to want anything other than SHA256? So on and so forth.
Details about Problem
Package signing with timestamp server does not work in .NET 5. I have tracked down the issue to this code which was recently added in https://github.com/NuGet/NuGet.Client/pull/3458
The timestamp server in my tests returned application/timestamp-reply as Content-Type. If I comment this code out or accept both application/timestamp-response and application/timestamp-reply everything works fine.
NuGet product used: Source Code / NuGet Package
NuGet version: latest commit https://github.com/NuGet/NuGet.Client/commit/088004379cb99890f766e9b7a0a29f7b080f888b
dotnet.exe --version: 5.0.100-preview.6.20318.15 / 5.0.100-preview.7
VS version: 16.6.2
OS version (i.e. win10 v1607 (14393.321)): Windows 10 1909 (Build 18363.778)
Worked before? If so, with which NuGet version: Yes, before https://github.com/NuGet/NuGet.Client/pull/3458
Detailed repro steps so we can see the same problem
Create a new test case in NuGet.Client\test\NuGet.Core.Tests\NuGet.Commands.Test\SignCommandRunnerTests.cs
Test should pass on platforms netframework, net 5.0.
Issue first reported here: https://github.com/NuGetPackageExplorer/NuGetPackageExplorer/issues/1050
cc: @clairernovotny
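The Content-Type check this issue turns on, as an added example (not NuGet.Client's code and not part of the original report): RFC 3161 section 3.4 names the HTTP media types application/timestamp-query for the request and application/timestamp-reply for the response, and a client should also read the PKIStatus inside the reply rather than rely on the HTTP status alone. The class and method names are hypothetical, the headers and DER bytes are constructed samples, and System.Formats.Asn1 is assumed to be available (.NET 5 or later).

```csharp
using System;
using System.Formats.Asn1;
using System.Net.Http.Headers;

static class Rfc3161Http
{
    // Media types from RFC 3161 section 3.4 (timestamping over HTTP).
    public const string QueryType = "application/timestamp-query";
    public const string ReplyType = "application/timestamp-reply";

    // Compare only the media type: ignore case and any parameters.
    public static bool IsTimestampReply(string contentTypeHeader) =>
        MediaTypeHeaderValue.TryParse(contentTypeHeader, out var parsed) &&
        string.Equals(parsed.MediaType, ReplyType, StringComparison.OrdinalIgnoreCase);

    // TimeStampResp ::= SEQUENCE { status PKIStatusInfo, timeStampToken OPTIONAL }
    // PKIStatusInfo ::= SEQUENCE { status INTEGER, ... }  0 = granted, 1 = grantedWithMods
    public static int ReadPkiStatus(ReadOnlyMemory<byte> der)
    {
        AsnReader response = new AsnReader(der, AsnEncodingRules.DER).ReadSequence();
        AsnReader statusInfo = response.ReadSequence();
        if (!statusInfo.TryReadInt32(out int status))
            throw new FormatException("PKIStatus is not a small INTEGER");
        return status;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample headers, not captured from a real timestamp server.
        string[] headers =
        {
            "application/timestamp-reply",
            "Application/Timestamp-Reply; charset=binary",
            "application/timestamp-response",
            "text/html",
        };
        foreach (string header in headers)
            Console.WriteLine($"{header,-45} accepted={Rfc3161Http.IsTimestampReply(header)}");

        // Constructed TimeStampResp carrying only PKIStatus rejection(2) and no token.
        byte[] rejection = { 0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x02 };
        Console.WriteLine($"PKIStatus = {Rfc3161Http.ReadPkiStatus(rejection)}");
    }
}
```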