[NuGet.org Bug]: Uploaded certificate is not properly validating package upload

[bradwilson]

Impact

I'm unable to use NuGet.org

Describe the bug

I have recently updated my code signing certificate used for the xunit organization. When uploading packages signed with the new certificate, it was failing validation.

So I extracted the certificate from the signed NuGet package to create the required DER encoded CER file. I verified that the SHA1 matches what the failure e-mail shows. (BTW, it's SUPER annoying that you show the SHA256 of a certificate on the organization edit page, but the SHA1 of the certificate when it fails to sign properly. Please pick one thing and use it everywhere!)

According to PowerShell, these are the SHA1 and SHA256 hashes for the .cer file:

Algorithm   Hash                                                               Path
---------   ----                                                               ----
SHA1        E49A663526BCC40878466BE4F49F9833B3302C0A                           xunit.cer
SHA256      0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161   xunit.cer

This is what the e-mail told me:

The package was signed, but the signing certificate (SHA-1 thumbprint e49a663526bcc40878466be4f49f9833b3302c0a) is not associated with your account.

And this is what the organization shows for the uploaded certificate (the old one is still there):

I have tried uploading packages several times and it still continues to fail, despite the certificate being there. I uploaded it about 3pm Pacific time but it still fails even now at 9pm Pacific time (I thought maybe it needed some time to work itself through the system).

At this point I believe there is something broken in the process and I need help figuring out what the broken piece is. If necessary, I can provide both a signed NuGet package that I'm trying to upload, as well as the .CER file that I extracted from the signed package.

Repro Steps

1. Get the package that's signed with my key (you don't have that yet)
2. Try to upload it
3. Fail

Expected Behavior

I can upload the package(s).

Screenshots

No response

Additional Context and logs

No response

[bradwilson]

This seems to be working now, but I'm not 100% sure I know why, so I'm going to leave this open so that someone can review logs and see what happened.

If the problem turns out to be that there is a required time lag between certificate upload and usability, that needs to be very strongly highlighted in the certificate UI so that users can have their expectations set appropriately.

[bradwilson]

There is a suggestion that there is some hard-coded logic in NuGet related to dotnetfoundation that makes them a sole arbiter of certificate validity if they're listed as a package owner. Any truth to that?

[erdembayar]

Could you please send us support request from https://www.nuget.org/policies/Contact after logging into nuget.org? Please give us your account name and organization account you're using?

[erdembayar]

One possible scenario is to have two accounts, one personal and the other organizational. If you upload the certificate using the personal account but push the package using the organizational account(or vice versa), you might experience the above problem.

[bradwilson]

I already gave you all the information you're asking for. I'm not sure how filling out a different form will help.

[erdembayar]

I already gave you all the information you're asking for. I'm not sure how filling out a different form will help.

We don't know your nuget.org account if you want us to investigate this. By using that form, we can have a private discussion instead of a public one.

[bradwilson]

How long should I expect it to take to get an answer to my question? I submitted the e-mail a week ago.