
Author Package Signing #5889

Closed
rido-min opened this issue Sep 14, 2017 · 14 comments
Labels: Functionality:Signing, Priority:1 (High priority issues that must be resolved in the current sprint), Type:Feature

Comments

rido-min commented Sep 14, 2017

Status: Reviewed

Spec for this feature is available here: https://github.com/NuGet/Home/wiki/Author-Package-Signing

Discussion should happen on this issue. Please link other issues with similar asks to this one

@rido-min rido-min self-assigned this Sep 14, 2017
@rrelyea rrelyea added this to the Backlog milestone Sep 14, 2017
@rrelyea rrelyea added the Priority:1 High priority issues that must be resolved in the current sprint. label Sep 14, 2017
@clairernovotny

Related discussion leading up to the proposal above: #1882

@maartenba (Contributor)

And the technical spec if anyone is interested: https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details

(not much to see there so far)

@maartenba (Contributor)

So I read the spec, and found this mention:
Signed packages will not be strictly required by NuGet.org or NuGet.exe.

What does this mean for Visual Studio and other IDEs?

rido-min (Author) commented Oct 4, 2017

@maartenba one of the design goals is to maintain backwards compatibility with existing clients. We are not planning to require signed packages in NuGet.org, NuGet.exe or Visual Studio.

I'm updating the spec to clarify.

Thanks for the feedback!!

rido-min (Author) commented Oct 9, 2017

Spec Update: After additional feedback, we have decided not to show any visual indicator for signed packages.

@clairernovotny

@rido-min does it at least show the subject from the certificate as the author instead of what's in the metadata (which could be anything)?

rido-min (Author) commented Oct 9, 2017

@onovotny

does it at least show the subject from the certificate?

We are not planning to introduce any changes in the UI in stage 1. However, we acknowledge we need to improve how we report package authorship: today we are showing authors in VS and owners in NuGet.org, and we would like to have a consistent experience.

@clairernovotny

For stage 1, sure...I certainly hope that this changes later on though as I believe it's critical to show the subject name from the certificate conspicuously in the UI's.

@asbjornu

The spec says:

NuGet packages can be signed with an embedded signature based on X.509 code signing certificates.

As expressed by both me and others elsewhere, I think it's a mistake to not use GPG/PGP, at least as an alternative to X.509 certificates.

@rido-min (Author)

Hi @asbjornu, we evaluated the use of GPG vs. X509 and finally decided to use X509. Here are the main reasons:

  1. Windows does not support GPG natively. In Windows 10 we could use WSL or Git Bash, but that is an extra dependency we would like to avoid.
  2. .NET does not support GPG natively. Sure, we can write the code to support it, but we want to design NuGet on top of existing APIs.
  3. GPG does not have a good solution for revoked keys

X509 solves all of these: it is supported in Windows, it has a well-known .NET API, and it has a good revocation story based on public CAs.

We know that requiring code signing public CA certificates (that cost money) could be an important impediment for users, and we are looking to support self-signed certificates. Although we have not finalized the design yet, it's definitely on our roadmap.

Thank you very much for your feedback,
Rido
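
Added example, not NuGet's own signing code and not part of this thread: a small C# program that exercises the .NET X.509/CMS APIs the comment above relies on. It generates a self-signed certificate carrying the code-signing EKU, produces a detached PKCS#7/CMS signature over constructed sample bytes, verifies it, reads the signer subject from the certificate (rather than from package metadata, which @clairernovotny raised earlier in the thread), rejects a tampered copy, and then evaluates the signer certificate through X509Chain, once pinned as a custom root with no revocation check (the self-signed case, which has no CRL/OCSP endpoint) and once against the system store with online revocation checking (the public-CA case). Class, method and subject names are assumptions for illustration; it needs .NET 5 or later and the System.Security.Cryptography.Pkcs package.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Illustrative example only; not NuGet's implementation.
static class PackageSigningDemo
{
    // id-kp-codeSigning extended key usage.
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    // Self-signed certificate with the extensions a code-signing cert needs.
    static X509Certificate2 MakeSelfSignedCodeSigningCert(string subject)
    {
        using var rsa = RSA.Create(3072);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(CodeSigningEku) }, true));
        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
        // Round-trip through PFX so the private key is usable by SignedCms on every platform.
        return new X509Certificate2(cert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.Exportable);
    }

    // Detached CMS signature over the package bytes; the signer cert is embedded so a verifier can read its subject.
    static byte[] Sign(byte[] packageBytes, X509Certificate2 signer)
    {
        var cms = new SignedCms(new ContentInfo(packageBytes), detached: true);
        var cmsSigner = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signer)
        {
            DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1"), // SHA-256
            // Self-signed, so the end cert is the whole chain; use WholeChain for CA-issued certs.
            IncludeOption = X509IncludeOption.EndCertOnly,
        };
        cms.ComputeSignature(cmsSigner);
        return cms.Encode();
    }

    // Cryptographic check only (no trust decision); throws CryptographicException on mismatch.
    static X509Certificate2 VerifyAndGetSigner(byte[] packageBytes, byte[] signatureBlob)
    {
        var cms = new SignedCms(new ContentInfo(packageBytes), detached: true);
        cms.Decode(signatureBlob);
        cms.CheckSignature(verifySignatureOnly: true);
        return cms.SignerInfos[0].Certificate;
    }

    // Trust decision: code-signing EKU, chain to a trusted root, and (optionally) revocation.
    // trustedRoots == null means "use the platform store", as a public-CA cert would.
    static (bool Trusted, string[] Problems) EvaluateSignerCert(
        X509Certificate2 signer, X509Certificate2Collection trustedRoots, X509RevocationMode revocation)
    {
        var problems = new List<string>();
        bool hasEku = false;
        foreach (var ext in signer.Extensions)
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (var oid in eku.EnhancedKeyUsages)
                    if (oid.Value == CodeSigningEku) hasEku = true;
        if (!hasEku) problems.Add("certificate lacks the code-signing EKU");

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(CodeSigningEku));
        if (trustedRoots != null)
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
        }
        bool built = chain.Build(signer);
        foreach (var s in chain.ChainStatus) problems.Add($"{s.Status}: {s.StatusInformation.Trim()}");
        return (built && problems.Count == 0, problems.ToArray());
    }

    static void Main()
    {
        // Constructed sample content standing in for the bytes NuGet would sign in a .nupkg.
        byte[] package = Encoding.UTF8.GetBytes("constructed sample package content");
        using var signer = MakeSelfSignedCodeSigningCert("CN=Example Author, O=Example Org");
        byte[] sig = Sign(package, signer);

        var fromSig = VerifyAndGetSigner(package, sig);
        // The name comes from the certificate in the signature, not from nuspec metadata.
        Console.WriteLine($"Signed by: {fromSig.GetNameInfo(X509NameType.SimpleName, false)}");

        byte[] tampered = (byte[])package.Clone();
        tampered[0] ^= 1;
        try { VerifyAndGetSigner(tampered, sig); Console.WriteLine("BUG: tampered content accepted"); }
        catch (CryptographicException) { Console.WriteLine("Tampered content rejected"); }

        // Self-signed: trusted only when explicitly pinned, and there is nothing to revoke against.
        var pinned = new X509Certificate2Collection { new X509Certificate2(signer.Export(X509ContentType.Cert)) };
        var (pinnedOk, _) = EvaluateSignerCert(fromSig, pinned, X509RevocationMode.NoCheck);
        Console.WriteLine($"Pinned self-signed trusted: {pinnedOk}");

        // Same cert against the platform store with online revocation: fails with UntrustedRoot.
        var (storeOk, storeProblems) = EvaluateSignerCert(fromSig, null, X509RevocationMode.Online);
        Console.WriteLine($"Platform-store trusted: {storeOk} ({string.Join("; ", storeProblems)})");
    }
}
```

The two EvaluateSignerCert calls are the practical difference between the options discussed above: a CA-issued certificate chains to a root the platform already trusts and can be checked for revocation via CRL/OCSP, while a self-signed certificate has to be pinned out of band and revocation reduces to removing it from the pin set.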

@ferventcoder

It's not a versus IMHO. At Chocolatey we are considering both. X509 makes sense for organizational use, GPG makes sense for community and traceability.

@SidShetye

@rido-min For non-commercial projects, I can see code signing certificate costs being a hurdle. I think https://www.nuget.org/account should have a section to generate/issue X.509 code signing certificates. In other words, Microsoft should assume CA responsibilities to support its own community.

@NuGet NuGet deleted a comment from ridomin Jan 3, 2018
rido-min (Author) commented Jan 3, 2018

@SidShetye NuGet.org will sign all (existing and new) packages with a NuGet.org certificate, you can read more about this feature here.

Additionally, for author signatures, the .NET foundation offers free code signing certificates.

Thanks for your feedback,
Rido

mishra14 (Contributor) commented Jun 15, 2018

Closing, as author signing has been completed as planned in 15.7.

8 participants