Description
The new --skip-sign-check flag for workloads is bypassing some package validation. MSI signature verification is fine. The information is not being passed to the downloader.
Customer Impact
When performing a workload command, NuGet package signatures are not verified. This only impacts Windows. MSI signature verification is not impacted.
Regression
Yes
Testing
Manual. It requires dotnet.dll to be signed with a proper certificate. The test plan for workloads will be updated to include a scenario that covers signature verification for workloads.
Risk
The fix is relatively low risk, as an additional parameter just needs to be passed through from the various commands. It will require some refactoring to ensure that duplicated code in various workload commands is moved to a common base class to handle package downloads/verification in a consistent fashion.