dotnet / sign

Code Signing CLI tool supporting Authenticode, NuGet, VSIX, and ClickOnce
MIT License

Revert usage of Microsoft Time Stamp service until it's supported by LTS .NET SDK #638

Closed bradwilson closed 2 weeks ago

bradwilson commented 11 months ago

Describe the bug

The current sign service/client uses the Microsoft Time Stamp service, which is unsupported by the LTS version(s) of the .NET SDK (that is, 6.0.3xx, and until yesterday, 6.0.1xx). This is causing packages signed by this service to fail to install due to NU3003 errors.

This is broken on all supported OSes: Windows, Linux, and macOS.

For more information, see https://github.com/dotnet/sdk/issues/33928.

Repro steps

  1. Install and use .NET SDK 6.0.315 (latest LTS version as of this writing): https://dotnet.microsoft.com/en-us/download/dotnet/6.0
  2. Download xunit package version 2.5.0: https://www.nuget.org/api/v2/package/xunit/2.5.0
  3. Run dotnet nuget verify --all xunit.2.5.0.nupkg

Expected behavior

NuGet packages signed by this service should be verifiable and installable by LTS versions of the .NET SDK. Screenshot shown with 6.0.412 (which does work, but is not LTS):


Actual behavior

NuGet packages signed by this service cause NU3003 errors with LTS versions of the .NET SDK. Screenshot shown with 6.0.315 (which does not work, but is LTS):


Additional context

0.9.1-beta.23203.3+cfa7ec80dfe43e2ff7312edd4c1aca4adab727bd

Screenshots above show this information.

clairernovotny commented 11 months ago

Hi @bradwilson, the Microsoft Time Stamping service is the default one if a different one isn't specified on the command line.

A different Time Stamping Service can be specified with the --timestamp-url option.

bradwilson commented 11 months ago

@clairernovotny I understand that. My argument is that the default should be DigiCert until .NET SDK LTS supports validating against the Microsoft Time Stamping service. I can solve this just for xUnit.net, but my request is for the benefit of all .NET Foundation projects.

bradwilson commented 11 months ago

If my reading of https://github.com/dotnet/sdk/issues/33928#issuecomment-1641004542 is correct (and the .NET team does not intend to fix this), then it becomes even more important that this gets fixed on the .NET Foundation side for all of the foundation projects, IMO.

kartheekp-ms commented 11 months ago

This issue is already impacting customers: https://github.com/NuGet/Home/issues/12760

dtivel commented 10 months ago

As of now, the Azure Code Signing timestamping service (http://timestamp.acs.microsoft.com) no longer includes a V1 attribute certificate which caused parsing problems (and NU3003) in NuGet clients using System.Security.Cryptography.Pkcs 5.0.0 - 6.0.0.
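An added diagnostic for the condition dtivel describes, not code from dotnet/sign or NuGet: it walks a DER-encoded CMS SignedData (the shape of an RFC 3161 timestamp token) and names every CertificateChoices entry in its certificate set, so a v1AttrCert entry can be spotted before a signed package ships. The tag numbers come from RFC 5652; the sample token is constructed here and is not a real timestamp response, and extracting the token bytes from a real signature is assumed to happen elsewhere.

```python
# CMS CertificateChoices alternatives and their DER tags (RFC 5652, 10.2.2):
#   0x30 certificate, 0xA0 extendedCertificate, 0xA1 v1AttrCert,
#   0xA2 v2AttrCert, 0xA3 other. The thread above traces NU3003 to a v1AttrCert.
CHOICE_NAMES = {0x30: "certificate", 0xA0: "extendedCertificate",
                0xA1: "v1AttrCert", 0xA2: "v2AttrCert", 0xA3: "other"}
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData

def read_tlv(buf, pos):
    """Decode one DER TLV (single-byte tags); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def certificate_choices(der):
    """Name the CertificateChoices in a SignedData ContentInfo's certificate set."""
    tag, content_info, _ = read_tlv(der, 0)
    children = list(iter_children(content_info))
    if tag != 0x30 or len(children) != 2 or children[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a CMS SignedData ContentInfo")
    _, signed_data = next(iter_children(children[1][1]))  # content [0] EXPLICIT
    for t, v in iter_children(signed_data):
        if t == 0xA0:  # certificates [0] IMPLICIT CertificateSet OPTIONAL
            return [CHOICE_NAMES.get(ct, f"unknown-0x{ct:02x}") for ct, _ in iter_children(v)]
    return []  # no certificates field present

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_token(with_v1_attr_cert):
    """Constructed, non-cryptographic SignedData skeleton; not a real token."""
    cert_set = tlv(0x30, tlv(0x02, b"\x00") * 3)  # stand-in Certificate SEQUENCE
    if with_v1_attr_cert:
        cert_set += tlv(0xA1, tlv(0x02, b"\x00"))  # v1AttrCert [1] IMPLICIT
    signed_data = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, b"")  # version, digestAlgorithms
                      + tlv(0x30, tlv(0x06, b"\x2a\x03"))         # encapContentInfo (stand-in)
                      + tlv(0xA0, cert_set) + tlv(0x31, b""))     # certificates, signerInfos
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))
```

A token that lists "v1AttrCert" is one that NuGet clients built on System.Security.Cryptography.Pkcs 5.0.0 to 6.0.0 would fail to parse, so a publishing pipeline can fail fast on that result.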