NuGetPackageDownloader: Stop verifying the package signature on Mac and queue off of the environment on Linux#47321
Conversation
023840e to
2cd84a8
Compare
There was a problem hiding this comment.
PR Overview
This PR updates the NuGetPackageDownloader to disable signature verification on macOS and Linux by ensuring that the _verifySignatures flag is only true when running on Windows.
- Added documentation comments to describe the temporary disabling of signature verification on non-Windows OSes.
- Updated the constructor to combine the verifySignatures parameter with an OperatingSystem check.
Reviewed Changes
| File | Description |
|---|---|
| src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs | Modified _verifySignatures initialization to disable signature verification on macOS and Linux; added documentation comments explaining the change. |
Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs
Outdated
Show resolved
Hide resolved
| _retryTimer = timer; | ||
| _sourceRepositories = new(); | ||
| _verifySignatures = verifySignatures; | ||
| _verifySignatures = OperatingSystem.IsWindows() && verifySignatures; // This is temporarily disabled for macOS and Linux. |
There was a problem hiding this comment.
@dtivel should signature verification on linux be kept and only Mac disabled?
There was a problem hiding this comment.
It looks like we should enable it on Linux based on this doc https://learn.microsoft.com/en-us/dotnet/core/tools/nuget-signed-package-verification#linux. However, there is also an environment variable which seems to control this, so maybe we should base the check off the environment variable. I assume this is OFF by default on Mac, but that doesn't seem to be the case based on the code below. If we don't respect DOTNET_NUGET_SIGNATURE_VERIFICATION, this may be a breaking change since it impacts more than dotnet tool.
We have some logic for this
but that just forwards the environment variable to NuGet. I assume they do most of the processing. @dtivel Should this logic to turn it on by default only be true on Linux and Windows, which also might fix this bug?There was a problem hiding this comment.
Ok this code ignores the env var if its not linux.
Its possible that A - did this environment variable never work correctly? And nobody realized because nobody is using it as true on mac because it doesn't work anyway, and maybe its enabled by default somewhere else on Windows.
B- the point of that class is not to be a source of truth for the verification enablement but just a way to enable it by default on Linux without touching other stuff
We'd still have to respect it on Linux, though
There was a problem hiding this comment.
Matching NuGet's signed package verification support is sensible.
- Always enabled on Windows.
DOTNET_NUGET_SIGNATURE_VERIFICATIONis ignored. - Enabled on Linux by default. Users can opt out by setting
DOTNET_NUGET_SIGNATURE_VERIFICATIONtofalse. - Disabled on macOS by default. Users can opt in by setting
DOTNET_NUGET_SIGNATURE_VERIFICATIONtotrue, but this is neither recommended nor supported.
https://github.com/dotnet/sdk/blob/main/src/Cli/dotnet/NuGetSignatureVerificationEnabler.cs does the work of enabling on Linux by default.
https://github.com/NuGet/NuGet.Client/blob/594bfe4554893a7364d9ec1d31a22574fba3115c/src/NuGet.Core/NuGet.Packaging/PackageArchiveReader.cs#L519-L557 is where NuGet respects the environment variable. The problem is that FirstPartyNuGetPackageSigningVerifier opens a package and verifies its signature without checking if it's safe to verify signatures.
You should perform this "can verify signatures" check before deciding that you to verify signatures or you risk deviating from what NuGet supports.
There was a problem hiding this comment.
Thank you for the context. I think for this change, a reasonable option would then be to enable it if on windows || by checking the NuGetSignatureVerificationEnabler.cs
on linux to see if it should be turned on, on linux.
Then in the future we could improve the rest of this like mentioned above.
There was a problem hiding this comment.
Yes, that seems reasonable.
PackageArchiveReader.CanVerifySignedPackages(...) is a bit inconvenient. It doesn't access instance members and could have been a static method somewhere. You could open an issue on NuGet/Home for a more convenient "is signed package verification enabled" method.
There was a problem hiding this comment.
Sounds good. I just didn't want to disable this check on Linux if it were working as that would be a security takeback.
Forgind
left a comment
There was a problem hiding this comment.
...other than the linux thing
src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs
Outdated
Show resolved
Hide resolved
src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs
Outdated
Show resolved
Hide resolved
Co-authored-by: Noah Gilson <OTAKUPENGUINOP@GMAIL.COM>
Co-authored-by: Forgind <12969783+Forgind@users.noreply.github.com>
7e3beb0 to
8b6ec3a
Compare
|
/backport to release/10.0.xx-preview2 |
|
Started backporting to release/10.0.xx-preview2: https://github.com/dotnet/sdk/actions/runs/13794782769 |
|
@edvilme an error occurred while backporting to "release/10.0.xx-preview2", please check the run log for details! Error: The specified backport target branch "release/10.0.xx-preview2" wasn't found in the repo. |
|
/backport to release/10.0.1xx-preview2 |
|
Started backporting to release/10.0.1xx-preview2: https://github.com/dotnet/sdk/actions/runs/13794799185 |
|
@edvilme backporting to "release/10.0.1xx-preview2" failed, the patch most likely resulted in conflicts: $ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch
Applying: NuGetPackageDownloader: Only verify signing on windows
Applying: Update comments
error: sha1 information is lacking or useless (src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs).
error: could not build fake ancestor
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0002 Update comments
Error: The process '/usr/bin/git' failed with exit code 128Please backport manually! |
…tnet#47321) Co-authored-by: Noah Gilson <OTAKUPENGUINOP@GMAIL.COM> Co-authored-by: Forgind <12969783+Forgind@users.noreply.github.com>
…ws by default (#47321) NuGetPackageDownloader: Only verify signing on windows by default (#47321) Co-authored-by: Noah Gilson <OTAKUPENGUINOP@GMAIL.COM> Co-authored-by: Forgind <12969783+Forgind@users.noreply.github.com> ---- #### AI description (iteration 1) #### PR Classification Bug fix to ensure package signing verification is only performed on Windows by default. #### PR Summary This pull request modifies the `NuGetPackageDownloader` to verify package signing only on Windows by default, with an option to enable it on other operating systems via an environment variable. - `src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs`: Added logic to conditionally verify package signatures based on the operating system and environment variable. Introduced error handling to delete the package file if verification fails. <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
Fixes #46857
Customer Scenario
dotnet tool install/restore is checking the package signature on Mac with 9.0.200. However, we shouldn't be doing that as macos doesn't fully support the signature store that nuget uses to verify signatures. This is already disabled for nuget restore.
Fix
Match the logic NuGet uses where we are always on for windows, default off for Mac, default on for Linux, and honor the env variable to override the values.
Justification
There are half a dozen customer comments on the linked issues saying they are blocked in 9.0.200.