Signing: enable signed package verification on Linux by default in .NET 6 SDK (#4706)

Fix NuGet/Home#11264 and NuGet/Home#11263.
Showing
57 changed files
with
9,096 additions
and
286 deletions.
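--- a/src/NuGet.Core/NuGet.Packaging/PublicAPI/net472/PublicAPI.Unshipped.txt
+++ b/src/NuGet.Core/NuGet.Packaging/PublicAPI/net472/PublicAPI.Unshipped.txt
@@ -1 +1,3 @@
-NuGet.Packaging.Licenses.NuGetLicenseExpressionParsingException.NuGetLicenseExpressionParsingException(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) -> void
+NuGet.Packaging.Licenses.NuGetLicenseExpressionParsingException.NuGetLicenseExpressionParsingException(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) -> void
+NuGet.Packaging.Signing.X509TrustStore
+static NuGet.Packaging.Signing.X509TrustStore.InitializeForDotNetSdk(NuGet.Common.ILogger logger) -> void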
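--- a/src/NuGet.Core/NuGet.Packaging/PublicAPI/netcoreapp5.0/PublicAPI.Unshipped.txt
+++ b/src/NuGet.Core/NuGet.Packaging/PublicAPI/netcoreapp5.0/PublicAPI.Unshipped.txt
@@ -1 +1,3 @@
-NuGet.Packaging.Licenses.NuGetLicenseExpressionParsingException.NuGetLicenseExpressionParsingException(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) -> void
+NuGet.Packaging.Licenses.NuGetLicenseExpressionParsingException.NuGetLicenseExpressionParsingException(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) -> void
+NuGet.Packaging.Signing.X509TrustStore
+static NuGet.Packaging.Signing.X509TrustStore.InitializeForDotNetSdk(NuGet.Common.ILogger logger) -> void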
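--- a/src/NuGet.Core/NuGet.Packaging/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt
+++ b/src/NuGet.Core/NuGet.Packaging/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt
@@ -1 +1,3 @@
-NuGet.Packaging.Licenses.NuGetLicenseExpressionParsingException.NuGetLicenseExpressionParsingException(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) -> void
+NuGet.Packaging.Licenses.NuGetLicenseExpressionParsingException.NuGetLicenseExpressionParsingException(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) -> void
+NuGet.Packaging.Signing.X509TrustStore
+static NuGet.Packaging.Signing.X509TrustStore.InitializeForDotNetSdk(NuGet.Common.ILogger logger) -> void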
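--- a/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/CertificateBundleX509ChainFactory.cs
+++ b/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/CertificateBundleX509ChainFactory.cs
@@ -0,0 +1,63 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#if NET5_0_OR_GREATER
+
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+namespace NuGet.Packaging.Signing
+{
+    internal abstract class CertificateBundleX509ChainFactory : IX509ChainFactory
+    {
+        public X509Certificate2Collection Certificates { get; }
+        public string FilePath { get; }
+
+        protected CertificateBundleX509ChainFactory(X509Certificate2Collection certificates, string filePath = null)
+        {
+            Certificates = certificates;
+            FilePath = filePath;
+        }
+
+        public X509Chain Create()
+        {
+            X509Chain x509Chain = new();
+
+            x509Chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+
+            if (Certificates is not null && Certificates.Count > 0)
+            {
+                x509Chain.ChainPolicy.CustomTrustStore.AddRange(Certificates);
+            }
+
+            return x509Chain;
+        }
+
+        protected static bool TryImportFromPemFile(string filePath, out X509Certificate2Collection certificates)
+        {
+            certificates = new X509Certificate2Collection();
+
+            try
+            {
+                certificates.ImportFromPemFile(filePath);
+
+                return true;
+            }
+            catch (Exception ex) when
+            (
+                ex is CryptographicException ||
+                ex is FileNotFoundException ||
+                ex is DirectoryNotFoundException
+            )
+            {
+                certificates.Clear();
+            }
+
+            return false;
+        }
+    }
+}
+
+#endif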
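Review bot: The exception filter on the `catch` in TryImportFromPemFile lets UnauthorizedAccessException and every other IOException subclass (a bundle file the current user cannot read, a path component that is a regular file, a transient read error) escape, so an unreadable bundle would abort package verification instead of returning false and letting the caller try the next source. Since FileNotFoundException and DirectoryNotFoundException both derive from IOException, the filter can be both widened and shortened to `ex is CryptographicException || ex is IOException || ex is UnauthorizedAccessException`. Whether a quiet fall-through is desirable is a separate point: moving from one bundle to another changes which roots are trusted, so the code that selects among these factories (not visible in this hunk) should log the FilePath that was ultimately used. The Certificates property also hands out the mutable collection that seeds every chain's CustomTrustStore; a short comment that callers must treat it as read-only would prevent accidental widening of the trust set.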
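--- a/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/DotNetDefaultTrustStoreX509ChainFactory.cs
+++ b/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/DotNetDefaultTrustStoreX509ChainFactory.cs
@@ -0,0 +1,15 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Security.Cryptography.X509Certificates;
+
+namespace NuGet.Packaging.Signing
+{
+    internal sealed class DotNetDefaultTrustStoreX509ChainFactory : IX509ChainFactory
+    {
+        public X509Chain Create()
+        {
+            return new X509Chain();
+        }
+    }
+}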
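Review bot: The class carries no comment saying what "default trust store" means, and the name alone does not tell a reader that `new X509Chain()` leaves ChainPolicy.TrustMode at its System default, i.e. chains are evaluated against whatever root store the runtime exposes on the platform rather than against a code-signing bundle. A one-line summary would make the contrast with the CertificateBundleX509ChainFactory hierarchy explicit: `/// <summary>Builds chains against the runtime's platform root store (X509ChainTrustMode.System); no code-signing-specific bundle is applied.</summary>`. Presumably this is the factory used when X509TrustStore.InitializeForDotNetSdk is never called, but that selection logic is outside this hunk and worth cross-referencing in the comment once confirmed.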
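--- a/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/FallbackCertificateBundleX509ChainFactory.cs
+++ b/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/FallbackCertificateBundleX509ChainFactory.cs
@@ -0,0 +1,55 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#if NET5_0_OR_GREATER
+
+using System;
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+
+namespace NuGet.Packaging.Signing
+{
+    internal sealed class FallbackCertificateBundleX509ChainFactory : CertificateBundleX509ChainFactory
+    {
+        // These constants are dictated by the .NET SDK.
+        internal const string SubdirectoryName = "trustedroots";
+        internal const string FileName = "codesignctl.pem";
+
+        private static readonly Lazy<string> ThisAssemblyDirectoryPath = new(GetThisAssemblyDirectoryPath, LazyThreadSafetyMode.ExecutionAndPublication);
+
+        private FallbackCertificateBundleX509ChainFactory(X509Certificate2Collection certificates, string filePath)
+            : base(certificates, filePath)
+        {
+        }
+
+        internal static bool TryCreate(out FallbackCertificateBundleX509ChainFactory factory, string fileName = FileName)
+        {
+            factory = null;
+
+            string fullFilePath = Path.Combine(
+                ThisAssemblyDirectoryPath.Value,
+                SubdirectoryName,
+                fileName ?? FileName);
+
+            if (TryImportFromPemFile(fullFilePath, out X509Certificate2Collection certificates))
+            {
+                factory = new FallbackCertificateBundleX509ChainFactory(certificates, fullFilePath);
+
+                return true;
+            }
+
+            return false;
+        }
+
+        private static string GetThisAssemblyDirectoryPath()
+        {
+            string location = typeof(FallbackCertificateBundleX509ChainFactory).Assembly.Location;
+            FileInfo thisAssembly = new(location);
+
+            return thisAssembly.DirectoryName;
+        }
+    }
+}
+
+#endif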
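Review bot: GetThisAssemblyDirectoryPath passes `Assembly.Location` straight to the FileInfo constructor, but Location is an empty string when the assembly is loaded from a single-file bundle or from a byte array, and `new FileInfo("")` throws ArgumentException; because the Lazy uses ExecutionAndPublication that exception is cached, so every later TryCreate rethrows instead of returning false. The SDK itself is not published single-file, but NuGet.Packaging is consumed by other hosts, so guard it with `if (string.IsNullOrEmpty(location)) { return AppContext.BaseDirectory; }` before the FileInfo line, or have TryCreate return false when no directory can be determined. Separately, the `fileName` parameter appears to exist only for tests (the sibling SystemCertificateBundleX509ChainFactory marks its equivalent overload `// For testing purposes only.`), yet `Path.Combine` honors a rooted `fileName` and silently discards the SDK directory, so add the same comment and reject values where `Path.GetFileName(fileName) != fileName`.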
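--- a/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/IX509ChainFactory.cs
+++ b/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/IX509ChainFactory.cs
@@ -0,0 +1,12 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Security.Cryptography.X509Certificates;
+
+namespace NuGet.Packaging.Signing
+{
+    internal interface IX509ChainFactory
+    {
+        X509Chain Create();
+    }
+}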
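Review bot: The interface documents nothing about the one contract point callers depend on: every implementation in this commit constructs a fresh X509Chain per Create() call and configures only its TrustMode/CustomTrustStore, so the caller owns the chain (X509Chain is IDisposable) and is responsible for any revocation or application-policy settings before building. A returned cached or shared chain would break that silently, so pin it down: `/// <summary>Creates a new <see cref="X509Chain"/> whose ChainPolicy carries this factory's trust settings. The caller owns and must dispose the returned chain.</summary>` on Create().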
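--- a/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/NoCertificateBundleX509ChainFactory.cs
+++ b/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/NoCertificateBundleX509ChainFactory.cs
@@ -0,0 +1,19 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#if NET5_0_OR_GREATER
+
+using System.Security.Cryptography.X509Certificates;
+
+namespace NuGet.Packaging.Signing
+{
+    internal sealed class NoCertificateBundleX509ChainFactory : CertificateBundleX509ChainFactory
+    {
+        internal NoCertificateBundleX509ChainFactory()
+            : base(new X509Certificate2Collection())
+        {
+        }
+    }
+}
+
+#endif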
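Review bot: Nothing in the class explains why a factory with an empty trust store exists; with the inherited Create() setting `X509ChainTrustMode.CustomRootTrust` and adding no roots, chain building should fail for every certificate, which makes this the deliberate fail-closed choice when neither the system bundle nor the SDK fallback bundle could be loaded. That intent should be written down so nobody later "fixes" it by falling back to the platform store: `// Fail closed: CustomRootTrust with no roots means every chain build reports an untrusted root, so no signature can be trusted. Used when no code-signing bundle could be loaded.`. The code that selects this factory is presumably in X509TrustStore, which is not in the visible part of this commit.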
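--- a/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/SystemCertificateBundleX509ChainFactory.cs
+++ b/src/NuGet.Core/NuGet.Packaging/Signing/TrustStore/SystemCertificateBundleX509ChainFactory.cs
@@ -0,0 +1,49 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#if NET5_0_OR_GREATER
+
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
+
+namespace NuGet.Packaging.Signing
+{
+    internal sealed class SystemCertificateBundleX509ChainFactory : CertificateBundleX509ChainFactory
+    {
+        internal static readonly IReadOnlyList<string> ProbePaths = new[]
+        {
+            "/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem"
+        };
+
+        private SystemCertificateBundleX509ChainFactory(X509Certificate2Collection certificates, string filePath)
+            : base(certificates, filePath)
+        {
+        }
+
+        internal static bool TryCreate(out SystemCertificateBundleX509ChainFactory factory)
+        {
+            return TryCreate(ProbePaths, out factory);
+        }
+
+        // For testing purposes only.
+        internal static bool TryCreate(IReadOnlyList<string> probePaths, out SystemCertificateBundleX509ChainFactory factory)
+        {
+            factory = null;
+
+            foreach (string probePath in probePaths)
+            {
+                if (TryImportFromPemFile(probePath, out X509Certificate2Collection certificates)
+                    && certificates.Count > 0)
+                {
+                    factory = new SystemCertificateBundleX509ChainFactory(certificates, probePath);
+
+                    return true;
+                }
+            }
+
+            return false;
+        }
+    }
+}
+
+#endif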
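Review bot: ProbePaths lists a single path with no comment on why only that one is probed or what happens where it does not exist: `/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem` is, as far as I know, the code-signing-purpose extract that `update-ca-trust` produces on Fedora/RHEL-family systems, and Debian/Ubuntu's ca-certificates package produces no equivalent, so TryCreate returns false there and the caller presumably falls through to the SDK bundle. The `&& certificates.Count > 0` guard additionally treats a present-but-empty bundle as absent, which differs from TryImportFromPemFile's own success result and deserves a sentence of its own. Suggest a comment above ProbePaths stating that this is the code-signing (not TLS) trust set, that a missing or empty file means "no system bundle", and flagging the open policy question: an administrator who has deliberately emptied the objsign bundle to trust no code-signing CAs will, under this code, have the SDK's roots trusted instead.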