dotnet / sign

Code Signing CLI tool supporting Authenticode, NuGet, VSIX, and ClickOnce
MIT License

Manually execute NuGet's .NET SDK integration tests for signing #623

Status: Closed (dtivel closed 1 year ago)

dtivel commented 1 year ago

NuGet.Client's Dotnet.Integration.Test project contains the following signing-related tests. Where it makes sense, I'll rerun these tests manually by signing with Sign CLI and then verifying with NuGet in the .NET SDK.

| Test | Result | Notes |
| --- | --- | --- |
| DotnetSign_ResignPackageWithoutOverwrite_FailsAsync | ✔️ | Sign CLI always overwrites, so the expected results between NuGet and Sign CLI are different. That said, Sign CLI behaves as expected. |
| DotnetSign_ResignPackageWithOverwrite_SuccessAsync | ✔️ | Same as above. |
| DotnetSign_SignPackageWithExpiredCertificate_FailsAsync | ➖ | It's not possible to sign with an expired certificate in Sign CLI; Azure Key Vault automatically renews certificates. |
| DotnetSign_SignPackageWithInvalidEku_FailsAsync | ✔️ | Like NuGet, Sign CLI fails with an error like NU3018: NotValidForUsage: The certificate is not valid for the requested usage. |
| DotnetSign_SignPackageWithNotYetValidCertificate_FailsAsync | ➖ | It's not possible to sign with a not-yet-valid certificate in Sign CLI, because you cannot create one in Azure Key Vault. |
| DotnetSign_SignPackageWithOutputDirectory_SucceedsAsync | ➖ | Does not apply to Sign CLI. |
| DotnetSign_SignPackageWithOverwrite_SuccessAsync | ✔️ | Like NuGet, Sign CLI succeeds. |
| DotnetSign_SignPackageWithPfxFile_SuccessAsync | ➖ | Does not apply to Sign CLI. |
| DotnetSign_SignPackageWithPfxFileOfRelativePath_SuccessAsync | ➖ | Does not apply to Sign CLI. |
| DotnetSign_SignPackageWithPfxFileWithoutPasswordAndWithNonInteractive_FailsAsync | ➖ | Does not apply to Sign CLI. |
| DotnetSign_SignPackageWithRevokedLeafCertChain_FailsAsync | ➖ | Not feasible to test this with Sign CLI. |
| DotnetSign_SignPackageWithTimestamping_SucceedsAsync | ✔️ | Like NuGet, Sign CLI succeeds. |
| DotnetSign_SignPackageWithTrustedCertificate_SucceedsAsync | ✔️ | Like NuGet, Sign CLI succeeds. |
| DotnetSign_SignPackageWithTrustedCertificateWithRelativePath_SucceedsAsync | ➖ | Does not apply to Sign CLI. |
| DotnetSign_SignPackageWithUnknownRevocationCertChain_SucceedsAsync | ➖ | Not feasible to test this with Sign CLI. |
| DotnetSign_SignPackageWithUnsuportedTimestampHashAlgorithm_FailsAsync | ❌ | Found https://github.com/dotnet/sign/issues/624 |
| DotnetSign_SignPackageWithUntrustedSelfIssuedCertificateInCertificateStore_SuccessAsync | ➖ | Not feasible to test this with Sign CLI. |

CC @clairernovotny