Closed bradwilson closed 2 weeks ago
Hi @bradwilson, the Microsoft Time Stamping service is the default one if a different one isn't specified on the command line.
A different Time Stamping Service can be specified with the --timestamp-url option.
@clairernovotny I understand that. My argument is that the default should be DigiCert until .NET SDK LTS supports validating against the Microsoft Time Stamping service. I can solve this just for xUnit.net, but my request is for the benefit of all .NET Foundation projects.
If my reading of https://github.com/dotnet/sdk/issues/33928#issuecomment-1641004542 is correct (and the .NET team does not intend to fix this), then it becomes even more important that this gets fixed on the .NET Foundation side for all of the foundation projects, IMO.
This issue is already impacting customers https://github.com/NuGet/Home/issues/12760
As of now, the Azure Code Signing timestamping service (http://timestamp.acs.microsoft.com) no longer includes a V1 attribute certificate which caused parsing problems (and NU3003) in NuGet clients using System.Security.Cryptography.Pkcs 5.0.0 - 6.0.0.
Describe the bug
The current sign service/client uses the Microsoft Time Stamp service, which is unsupported by the LTS version(s) of the .NET SDK (that is, 6.0.3xx, and until yesterday, 6.0.1xx). This is causing packages signed by this service to fail to install due to NU3003 errors.
This is broken on all supported OSes: Windows, Linux, and macOS.
For more information, see https://github.com/dotnet/sdk/issues/33928.
Repro steps
dotnet nuget verify --all xunit.2.5.0.nupkg
Expected behavior
NuGet packages signed by this service should be verifiable and installable by LTS versions of the .NET SDK. Screenshot shown with 6.0.412 (which does work, but is not LTS):
Actual behavior
NuGet packages signed by this service cause NU3003 errors with LTS versions of the .NET SDK. Screenshot shown with 6.0.315 (which does not work, but is LTS):
Additional context
sign --version
dotnet --info
Screenshots above show this information.