NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0

[Feature]: Support for "Bring Your Own" Author Certificate for Package Signing on NuGet.org #10202

Open JonDouglas opened 2 weeks ago

JonDouglas commented 2 weeks ago

Related Problem

No response

The Elevator Pitch

Currently, NuGet.org enforces an "all or nothing" policy when it comes to package signing. This means that users must either sign all packages with a single certificate or none at all. However, there is no flexibility to allow authors to use their own valid signing certificates per package. This is restrictive for users who may wish to maintain different security policies across their packages or who have specific compliance requirements involving external certificates.

https://learn.microsoft.com/en-us/nuget/create-packages/sign-a-package#manage-signing-requirements-for-your-package-on-nugetorg

https://learn.microsoft.com/en-us/nuget/reference/signed-packages-reference

Introduce support for a "bring your own" valid author certificate policy where developers can sign individual packages with different certificates if required. This would allow more flexibility in managing security policies across multiple packages.

Additional Context and Details

No response
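For contrast with the per-account, all-or-nothing requirement described in the pitch above, the consumer side of NuGet already lets one author be trusted under several certificates: a client-side trust policy in nuget.config can list more than one certificate fingerprint under a single author entry, and with signature validation set to require, restore fails for any package whose author signature does not match one of them. The fragment below is an added example, not configuration from this issue or from the NuGet project; the author name and every fingerprint are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <!-- "require": restore/install fails for any package whose signature
         cannot be validated against the trusted signers below.
         The default, "accept", only validates a signature when one is present. -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- One author entry may carry several certificates, for example a
         current certificate plus one issued by a different CA that is used
         for a subset of packages. The fingerprints are constructed
         placeholders; take the real SHA-256 value from the verify output of
         a signed package (dotnet nuget verify <package>). -->
    <author name="example-author">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000001"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000002"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
    <!-- Also trust the NuGet.org repository signature, but only for packages
         whose owner list includes the named account(s). The repository
         fingerprint here is a placeholder as well. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000003"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>example-author</owners>
    </repository>
  </trustedSigners>
</configuration>
```

Note the limit of this approach: it governs what a consuming machine will restore, not what NuGet.org accepts at push time, so it does not by itself give package owners the per-package certificate choice the issue asks for. Keep `allowUntrustedRoot="false"` unless the signing certificate chains to a private CA that every consumer deliberately trusts.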

erdembayar commented 1 week ago

Kind of Scoped signing.

JonDouglas commented 5 days ago

Another way to think of this ask would be to allow owners on NuGet.org to enforce an author signature requirement which allows other owners to bring their own certificate.