Order of trustedSigners in config file affects trust evaluation #7572

Closed
rido-min opened this issue Dec 1, 2018 · 1 comment
rido-min commented Dec 1, 2018

I'm using the following config file:

<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <repository name="NuGet.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0e5f38f57dc1bcc806d8494f4f90fbcedd988b46760709cbeec6f4219aa6157d" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>Microsoft</owners>
    </repository>
    <author name="msAuthor">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>

To install the following package:

nuget.exe install system.buffers

but it fails with

NU3034: Package 'System.Buffers 4.5.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.

However, if I change the order in the configuration file and move the author element first, then the install succeeds.

/cc @PatoBeltran @dtivel

@PatoBeltran

This has been merged into 4.9.3 and dev.

@rrelyea rrelyea modified the milestones: 4.9.x, 4.9.3 Dec 10, 2018
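
An added example, not part of the thread and not NuGet's own code: a simplified model of trusted-signer matching that can be used as a regression check that a verdict does not depend on the order of entries under `trustedSigners`. The `PACKAGE` metadata, the helper names and the matching rules (any entry may match; a repository entry with `owners` also requires a matching owner) are assumptions made for illustration.

```python
import itertools
import xml.etree.ElementTree as ET

# The <trustedSigners> section from the issue (repository entry first).
CONFIG = """<trustedSigners>
  <repository name="NuGet.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0e5f38f57dc1bcc806d8494f4f90fbcedd988b46760709cbeec6f4219aa6157d" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <owners>Microsoft</owners>
  </repository>
  <author name="msAuthor">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
</trustedSigners>"""

# Constructed package metadata (an assumption, not read from a real .nupkg):
# the author signature matches the author entry, the repository countersignature
# matches the repository certificate, but the owner is not listed in <owners>.
PACKAGE = {
    "author_fp": "3f9001ea83c560d712c24cf213c3d312cb3bff51ee89435d3430bd06b5d0eece",
    "repo_fp": "0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D",
    "owners": ["example-owner"],
}

def load_signers(xml_text):
    """Return [(kind, fingerprints, owners)] in document order, lower-cased."""
    signers = []
    for el in ET.fromstring(xml_text):
        prints = {c.get("fingerprint").lower() for c in el.findall("certificate")}
        owners = {o.strip().lower() for o in (el.findtext("owners") or "").split(";") if o.strip()}
        signers.append((el.tag, prints, owners))
    return signers

def entry_matches(entry, pkg):
    """Does one configured signer entry accept this package?"""
    kind, prints, owners = entry
    if kind == "author":
        return pkg["author_fp"].lower() in prints
    # Repository entry: certificate must match; if owners are listed, one must own the package.
    pkg_owners = {o.lower() for o in pkg["owners"]}
    return pkg["repo_fp"].lower() in prints and (not owners or bool(owners & pkg_owners))

def is_trusted(signers, pkg):
    """Trusted if ANY configured signer matches, wherever it sits in the file."""
    return any(entry_matches(e, pkg) for e in signers)

def verdicts_by_order(evaluate, signers, pkg):
    """Run an evaluator over every ordering of the entries; a single verdict means order-independent."""
    return {evaluate(list(p), pkg) for p in itertools.permutations(signers)}
```

`verdicts_by_order(is_trusted, load_signers(CONFIG), PACKAGE)` returns a single verdict; an evaluator that consults only the first entry returns both `True` and `False` on the same input, which is the kind of order dependence this check is meant to catch.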