NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0

[NuGet.org Bug]: Uploaded certificate is not properly validating package upload #10058

Open bradwilson opened 4 months ago

bradwilson commented 4 months ago

Impact

I'm unable to use NuGet.org

Describe the bug

I have recently updated my code signing certificate used for the xunit organization. When uploading packages signed with the new certificate, it was failing validation.

So I extracted the certificate from the signed NuGet package to create the required DER encoded CER file. I verified that the SHA1 matches what the failure e-mail shows. (BTW, it's SUPER annoying that you show the SHA256 of a certificate on the organization edit page, but the SHA1 of the certificate when it fails to sign properly. Please pick one thing and use it everywhere!)

According to PowerShell, these are the SHA1 and SHA256 hashes for the .cer file:

Algorithm   Hash                                                               Path
---------   ----                                                               ----
SHA1        E49A663526BCC40878466BE4F49F9833B3302C0A                           xunit.cer
SHA256      0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161   xunit.cer

This is what the e-mail told me:

The package was signed, but the signing certificate (SHA-1 thumbprint e49a663526bcc40878466be4f49f9833b3302c0a) is not associated with your account.

And this is what the organization shows for the uploaded certificate (the old one is still there):

[image: screenshot of the organization's certificates page, showing the uploaded certificate alongside the old one]

I have tried uploading packages several times and it still continues to fail, despite the certificate being there. I uploaded it about 3pm Pacific time but it still fails even now at 9pm Pacific time (I thought maybe it needed some time to work itself through the system).

At this point I believe there is something broken in the process and I need help figuring out what the broken piece is. If necessary, I can provide both a signed NuGet package that I'm trying to upload, as well as the .CER file that I extracted from the signed package.

Repro Steps

  1. Get the package that's signed with my key (you don't have that yet)
  2. Try to upload it
  3. Fail

Expected Behavior

I can upload the package(s).

Screenshots

No response

Additional Context and logs

No response
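The mismatch described above (an e-mail quoting a lower-case SHA-1 thumbprint, a PowerShell table and the organization page showing upper-case SHA-1 and SHA-256 hashes of the same certificate) is easy to misread by hand. The following added example, which is not code from the NuGet Gallery project or from the issue author, computes both thumbprints of a certificate file and compares any quoted thumbprint against it regardless of case, separators, or which algorithm the quoting party used. It assumes that a thumbprint is the hash of the certificate's DER bytes, and it handles the case where the .cer file turns out to be PEM (base64) rather than DER, since hashing the PEM file directly would produce a thumbprint that matches nothing; the function and constant names, and the sample bytes in the test, are constructed for this example.

```python
"""Added example: compare certificate thumbprints the way nuget.org reports them.

Assumptions (not stated by the NuGet Gallery project):
  * a thumbprint is the SHA-1 or SHA-256 digest of the certificate's DER bytes;
  * a .cer file may be raw DER or PEM-wrapped, and PEM must be unwrapped first.
"""
import base64
import hashlib
import re

# Matches a PEM-wrapped certificate body (base64 between the BEGIN/END markers).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Values quoted in the issue text: the failure e-mail prints SHA-1 in lower case,
# PowerShell's Get-FileHash prints upper case, the org page shows SHA-256.
EMAIL_THUMBPRINT = "e49a663526bcc40878466be4f49f9833b3302c0a"
POWERSHELL_SHA1 = "E49A663526BCC40878466BE4F49F9833B3302C0A"
POWERSHELL_SHA256 = "0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161"


def load_der(data: bytes) -> bytes:
    """Return the certificate's DER bytes, unwrapping PEM if that is what was given."""
    match = PEM_RE.search(data)
    if match:
        # Drop line breaks inside the base64 body before decoding.
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def fingerprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 thumbprints of DER bytes, upper-case hex with no separators."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def normalize(thumbprint: str) -> str:
    """Canonical form: strip colons, spaces and dashes, then upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()


def detect_algorithm(thumbprint: str) -> str:
    """Guess the digest from its length: 40 hex chars is SHA-1, 64 is SHA-256."""
    length = len(normalize(thumbprint))
    if length == 40:
        return "sha1"
    if length == 64:
        return "sha256"
    raise ValueError(f"not a SHA-1 or SHA-256 thumbprint: {thumbprint!r}")


def thumbprint_matches(cert_bytes: bytes, claimed: str) -> bool:
    """True if the quoted thumbprint identifies this certificate file."""
    der = load_der(cert_bytes)
    algorithm = detect_algorithm(claimed)
    return fingerprints(der)[algorithm] == normalize(claimed)


def same_thumbprint(a: str, b: str) -> bool:
    """Compare two quoted thumbprints; different algorithms can never be compared."""
    if detect_algorithm(a) != detect_algorithm(b):
        raise ValueError("thumbprints use different digests; compare against the file")
    return normalize(a) == normalize(b)


def check_file(path: str, claimed: str) -> bool:
    """Read a .cer (DER or PEM) from disk and check it against a quoted thumbprint."""
    with open(path, "rb") as handle:
        return thumbprint_matches(handle.read(), claimed)


if __name__ == "__main__":
    # The e-mail's lower-case SHA-1 and PowerShell's upper-case SHA-1 are the same value.
    print(same_thumbprint(EMAIL_THUMBPRINT, POWERSHELL_SHA1))
    print(detect_algorithm(EMAIL_THUMBPRINT), detect_algorithm(POWERSHELL_SHA256))
```

When a .cer file is at hand, `check_file("xunit.cer", EMAIL_THUMBPRINT)` answers the question the report raises directly: whether the certificate the e-mail names is the one that was uploaded, independent of which digest each screen happens to display.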

bradwilson commented 4 months ago

This seems to be working now, but I'm not 100% sure I know why, so I'm going to leave this open so that someone can review logs and see what happened.

If the problem turns out to be that there is a required time lag between certificate upload and usability, that needs to be very strongly highlighted in the certificate UI so that users can have their expectations set appropriately.

bradwilson commented 4 months ago

There is a suggestion that there is some hard-coded logic in NuGet related to dotnetfoundation that makes them a sole arbiter of certificate validity if they're listed as a package owner. Any truth to that?

erdembayar commented 4 months ago

Could you please send us a support request from https://www.nuget.org/policies/Contact after logging into nuget.org? Please give us your account name and the organization account you're using.

erdembayar commented 4 months ago

One possible scenario is to have two accounts, one personal and the other organizational. If you upload the certificate using the personal account but push the package using the organizational account (or vice versa), you might experience the above problem.

bradwilson commented 4 months ago

I already gave you all the information you're asking for. I'm not sure how filling out a different form will help.

erdembayar commented 4 months ago

> I already gave you all the information you're asking for. I'm not sure how filling out a different form will help.

We don't know your nuget.org account if you want us to investigate this. By using that form, we can have a private discussion instead of a public one.

bradwilson commented 4 months ago

How long should I expect it to take to get an answer to my question? I submitted the e-mail a week ago.

JonDouglas commented 2 months ago

@glennawatson @ChrisSfanos for visibility on the DNF rules.

@bradwilson yes, I believe for some reason there is specific logic associated with the dotnetfoundation account. Glenn/Chris may have more details as to why that is the case and any future plans for that experience.

bradwilson commented 2 months ago

I was able to resolve this conflict by deleting dotnetfoundation as co-owner of my packages. Adding them was done without my knowledge so this was the correct resolution.

glennawatson commented 2 months ago

@bradwilson These rules have existed for a while. They were introduced by Claire back when she was ED.

The board has been discussing this actively in recent meetings. I have been bringing it up over the last 2-3 board meetings to get the co-owner rules relaxed, and I have also been discussing with @JonDouglas how to go about this.

We are likely to discuss finalising some rules in September's project committee meeting.