dtivel
commented
1 month ago Hi, @GaSkia. Thanks for the feedback.
The default behavior of NuGet signed package verification (and the DOTNET_NUGET_SIGNATURE_VERIFICATION environment variable) on Linux only applies to NuGet restore operations. .NET SDK install/update operations for dotnet workload and dotnet tool do not inherit NuGet's default restore behavior because they are not restore operations (e.g.: dotnet restore or dotnet build, which implicitly restores). The dotnet workload and dotnet tool commands use NuGet packages, but the .NET SDK performs its own verification. Perhaps documentation would be clearer if it said that dotnet workload and dotnet tool commands are not affected by NuGet's default restore behavior?
The .NET SDK team disabled automatic verification in their workload command via https://github.com/dotnet/sdk/pull/24590. I believe they are planning on adding it back via https://github.com/dotnet/sdk/issues/37469. However, this disablement/enablement is independent of NuGet restore operations.
Type of issue
Other (describe below)
Description
After a clean install on Arch Linux via the install.sh script, I proceeded to install the maui-android nuGet package with the following command:
the NuGet package signature verification is skipped (see output.txt) [output.txt](https://github.com/dotnet/docs/files/15326820/output.txt
As quoted above the documentation says that prior to .NET 8 sdk verification is disabled by default, so I assume that the verification on the version 8.0.204 should be enabled by default.
Page URL
https://learn.microsoft.com/en-us/dotnet/core/tools/nuget-signed-package-verification
Content source URL
https://github.com/dotnet/docs/blob/main/docs/core/tools/nuget-signed-package-verification.md
Document Version Independent Id
ccd7b834-2f46-7bff-fbd4-1409650da1cb
Article author
@dtivel
Metadata