ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Nuget.org: Signed packages must only have an author signature. Other signature types are not supported. #234

Closed dylrich closed 1 month ago

dylrich commented 1 month ago

Hi! I have started investigating using the new nuget signing functionality in jsign. I am able to sign nuget packages successfully and have dotnet nuget verify ./package.nupkg succeed. However, when I go to upload my package to nuget.org, it fails the async validation and gives the following error:

Package publishing failed. This package could not be published due to the following reason(s):

    Signed packages must only have an author signature. Other signature types are not supported.

Once you've fixed the issue with your package, you can reupload it with the same ID and version. 

I'm not able to share the nuget package file that I signed, but it seems like this is easily reproducible with any Authenticode certificate while using the latest jsign from master. It seems like nuget.org has extra requirements for the signature format that regrettably aren't taken into account with Microsoft's other tooling. It doesn't really seem like jsign's fault here, but it'd be nice if jsign could be adjusted to work with nuget.org given that it's an officially supported repository.

ebourg commented 1 month ago

Thank you for reporting this issue. I'm not sure I understand why nuget.org thinks the signature is not an author signature.

The signature requirements are listed here: https://learn.microsoft.com/en-us/nuget/reference/signed-packages-reference#signature-requirements-on-nugetorg

  • The primary signature must be an author signature.
  • The primary signature must have a single valid timestamp.
  • The X.509 certificates for both the author signature and its timestamp signature:
    • Must have an RSA public key 2048 bits or greater.
    • Must be within its validity period per current UTC time at time of package validation on nuget.org.
    • Must chain to a trusted root authority that is trusted by default on Windows. Packages signed with self-issued certificates are rejected.
    • Must be valid for its purpose:
      • The author signing certificate must be valid for code signing.
      • The timestamp certificate must be valid for timestamping.
    • Must not be revoked at signing time. (This may not be knowable at submission time, so nuget.org periodically rechecks revocation status).

Maybe one of these requirements wasn't fulfilled with your signature? Was it timestamped for example?

dylrich commented 1 month ago

The signature is indeed timestamped and I am able to use the same certificate with https://github.com/dotnet/sign to successfully sign and publish a package, so I don't think there is an issue with our certificate.

ebourg commented 1 month ago

I got another look at the specification, and author signatures are expected to have a commitment-type-indication attribute set to id-cti-ets-proofOfOrigin which is not added by Jsign.

dylrich commented 1 month ago

I noticed that as well while viewing the same document and couldn't find that string while browsing the Jsign source! I'm not sure how challenging that is to fix, but I am able to test any commits if you'd like.

dylrich commented 1 month ago

@ebourg I attempted this locally, and I was able to add commitment-type-indication, but it seems like signing-certificate-v2 is also required.
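A way to check a package signature for the two attributes identified in this thread (commitment-type-indication set to id-cti-ets-proofOfOrigin, and signing-certificate-v2), as an added example that is not Jsign's code: a minimal DER walk over a SignerInfo's signed attributes. The OIDs are taken from RFC 5126 (CAdES) and RFC 5035; the sample attribute sets are constructed here, not extracted from a real .nupkg.

```python
# Added example, not Jsign's code: walk a CMS SignerInfo's signedAttrs (DER) and check
# for the two attributes nuget.org requires on an author signature. Samples are constructed.
COMMITMENT_TYPE = "1.2.840.113549.1.9.16.2.16"  # id-aa-ets-commitmentType (RFC 5126)
PROOF_OF_ORIGIN = "1.2.840.113549.1.9.16.6.1"   # id-cti-ets-proofOfOrigin (RFC 5126)
SIGNING_CERT_V2 = "1.2.840.113549.1.9.16.2.47"  # id-aa-signingCertificateV2 (RFC 5035)

def tlv(tag, body):  # DER-encode one TLV; long-form length for 128..65535 byte bodies
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def oid(dotted):  # DER-encode a dotted OID: first two arcs packed, base-128 after that
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        while (v := v >> 7):
            chunk.insert(0, (v & 0x7F) | 0x80)
        body += chunk
    return tlv(0x06, bytes(body))

def parse(der):  # split concatenated DER TLVs into (tag, body) pairs
    items, i = [], 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:  # long-form length: low bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        items.append((tag, der[i:i + n]))
        i += n
    return items

def check_author_signature_attrs(signed_attrs_der):
    """(has_proofOfOrigin, has_signingCertificateV2) for a SET OF Attribute (0x31 or 0xA0)."""
    found = {}
    for _, attr in parse(parse(signed_attrs_der)[0][1]):  # Attribute ::= SEQUENCE
        (_, type_oid), (_, values) = parse(attr)           # attrType OID, attrValues SET
        found[type_oid] = values                           # keyed by the raw OID body
    cti_values = found.get(oid(COMMITMENT_TYPE)[2:], b"")  # [2:] drops tag + length
    proof = any(parse(cti)[0] == (0x06, oid(PROOF_OF_ORIGIN)[2:])  # commitmentTypeId
                for _, cti in parse(cti_values))
    return proof, oid(SIGNING_CERT_V2)[2:] in found

def attribute(type_oid, value):  # Attribute ::= SEQUENCE { type OID, values SET OF }
    return tlv(0x30, oid(type_oid) + tlv(0x31, value))

# Constructed: the basic CMS set (content-type, message-digest) alone, then with both added.
PLAIN_ATTRS = tlv(0x31, attribute("1.2.840.113549.1.9.3", oid("1.2.840.113549.1.7.1"))
              + attribute("1.2.840.113549.1.9.4", tlv(0x04, bytes(32))))
AUTHOR_ATTRS = tlv(0x31, parse(PLAIN_ATTRS)[0][1]
               + attribute(COMMITMENT_TYPE, tlv(0x30, oid(PROOF_OF_ORIGIN)))
               + attribute(SIGNING_CERT_V2, tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x04, b"\x11" * 32))))))
```

The signing-certificate-v2 value is the minimal ESSCertIDv2 shape (a single certHash with the default SHA-256 algorithm); a real attribute also carries the issuer and serial, which this check does not inspect.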

ebourg commented 1 month ago

I've added the two attributes, could you give it a try please?

dylrich commented 1 month ago

@ebourg It appears that nuget.org happily accepts packages signed by jsign now! Thank you so much!

ebourg commented 1 month ago

Great! Thank you for testing.