NuGet Product Used
dotnet.exe
Product Version
.NET 5 SDK+
Worked before?
No response
Impact
Other
Repro Steps & Context
In March 2022, I confirmed with Apple developer technical support that Apple had recently updated macOS's X.509 distrust model to explicitly distrust the intermediate certificate in the Symantec timestamping certificate chain used to timestamp NuGet.org packages.
When chain building the end certificate using macOS's default system trust store, the certificate chain validates successfully as trusted; however, the built chain terminates at the intermediate instead of the root.
When chain building the end certificate with custom trust anchors (including the timestamping root), macOS's distrust model overrides the implicit, transitive trust on the intermediate conferred by the explicit, contextual trust on the root. The end result is that certificate chain building fails with explicit distrust.
None of the solutions considered is attractive at this time, so we’re postponing macOS support for NuGet signed package verification during restore operations for the foreseeable future. Signed package verification is still possible using the dotnet nuget verify command.
Relevant timestamping certificate chains:
Verbose Logs
No response