Open GaSkia opened 1 month ago
Hi, @GaSkia. Thanks for the feedback.
The default behavior of NuGet signed package verification (and the DOTNET_NUGET_SIGNATURE_VERIFICATION
environment variable) on Linux only applies to NuGet restore operations. .NET SDK install/update operations for dotnet workload
and dotnet tool
do not inherit NuGet's default restore behavior because they are not restore operations (e.g.: dotnet restore
or dotnet build
, which implicitly restores). The dotnet workload
and dotnet tool
commands use NuGet packages, but the .NET SDK performs its own verification. Perhaps documentation would be clearer if it said that dotnet workload
and dotnet tool
commands are not affected by NuGet's default restore behavior?
The .NET SDK team disabled automatic verification in their workload
command via https://github.com/dotnet/sdk/pull/24590. I believe they are planning on adding it back via https://github.com/dotnet/sdk/issues/37469. However, this disablement/enablement is independent of NuGet restore operations.
Type of issue
Other (describe below)
Description
After a clean install on Arch Linux via the install.sh script, I proceeded to install the maui-android nuGet package with the following command:
the NuGet package signature verification is skipped (see output.txt) [output.txt](https://github.com/dotnet/docs/files/15326820/output.txt
As quoted above the documentation says that prior to .NET 8 sdk verification is disabled by default, so I assume that the verification on the version 8.0.204 should be enabled by default.
Page URL
https://learn.microsoft.com/en-us/dotnet/core/tools/nuget-signed-package-verification
Content source URL
https://github.com/dotnet/docs/blob/main/docs/core/tools/nuget-signed-package-verification.md
Document Version Independent Id
ccd7b834-2f46-7bff-fbd4-1409650da1cb
Article author
@dtivel
Metadata