Signing: primary signature details not displayed when certificate expired and timestamp untrusted

[dtivel]

NuGet product used (NuGet.exe | Visual Studio | MSBuild.exe | dotnet.exe): NuGet.exe

Product version: 5.8.1.7021

Worked before? No. This reproes as early as 4.9.4.5839 and probably earlier (but did not verify).

Repro steps and/or sample project

1. Extract the contents of AuthorExpired.1.0.0.zip to your local drive.
2. Add AuthorExpired.1.0.0.nupkg.certificates\0.cer as a trusted root authority.
3. In a command prompt execute:

nuget.exe verify -all AuthorExpired.1.0.0.nupkg

Note: be sure to remove the trusted root authority added in step 2.

Expected results:

I expect to see:

• primary signature details
• a warning that the primary signature's certificate has expired
• timestamp signature details
• a warning or error that the primary signature's timestamp signature's certificate is untrusted

Actual results:

I see:

• timestamp signature details
• an error that the primary signature's timestamp signature's certificate is untrusted

Verifying AuthorExpired.1.0.0
E:\Trash\ClassLibrary3dfsdsf\packageSource\AuthorExpired.1.0.0\AuthorExpired.1.0.0.nupkg

Signature Hash Algorithm: SHA256
Timestamp: 2/3/2021 3:36:12 PM

Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=NuGet Test Root Certificate Authority (40998d55-3d73-4a3b-a689-55e30c1fac3c), O=NuGet, L=Redmond, S=WA, C=US
  SHA1 hash: 6B2378A3DC9CA185252BB66F24F262D129165B5B
  SHA256 hash: 61B18DE3D814FA7960C6ED62DB20BEA6D0F8D65F678464D7D7C9227E7D5DEFBD
  Issued by: CN=NuGet Test Root Certificate Authority (40998d55-3d73-4a3b-a689-55e30c1fac3c), O=NuGet, L=Redmond, S=WA, C=US
  Valid from: 2/3/2021 3:36:11 PM to 12/31/2099 4:00:00 PM

NU3028: The author primary signature's timestamp found a chain building issue: UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Finished with 1 errors and 0 warnings.

Package signature validation failed.

[kartheekp-ms]

@dtivel - I can reproduce this issue and assigned to myself. I have one quick question. Is it okay if the expected results are displayed in the following order?

• primary signature details
• timestamp signature details
• a warning or error that the primary signature's certificate has expired
• a warning or error that the primary signature's timestamp signature's certificate is untrusted

[dtivel]

Currently the order of details is:

• primary timestamp signature
• primary signature
• repository countersignature timestamp signature
• repository countersignature

If I recall correctly, warnings are interleaved but immediately after the pertinent signature.

I'm OK with reordering timestamp signatures after their timestamped signature and moving all warnings to the end. Correct me if I'm mistaken, but I don't think it's necessary to fix this issue though. I would prefer if we had a separate issue and PR for changing the order. Docs may need to be updated as well. This issue can depend on that one.

[kartheekp-ms]

Correct me if I'm mistaken, but I don't think it's necessary to fix this issue though. I would prefer if we had a separate issue and PR for changing the order. Docs may need to be updated as well. This issue can depend on that one.

I am working on #10466 spec to improve the log messages displayed for every verbosity level of dotnet nuget verify command. There are few review comments in the spec for e.g.,1 & 2 to improve log message considering recent Debian issue. Hence, I thought of fixing this issue as it was related to log messages. I will be happy to create separate issues for tracking docs work if you are okay with my approach.