Author Package Signing #5889
Comments
Related discussion leading up to the proposal above: #1882
And the technical spec if anyone is interested: https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details (not much to see there so far)
So I read the spec, and found this mention: What does this mean for Visual Studio and other IDEs?
@maartenba one of the design goals is to maintain backwards compatibility with existing clients. We are not planning to require signed packages in NuGet.org, NuGet.exe or Visual Studio. I'm updating the spec to clarify. Thanks for the feedback!
Spec update: after additional feedback, we have decided not to show any visual indicator for signed packages.
@rido-min does it at least show the subject from the certificate as the author instead of what's in the metadata (which could be anything)?
We are not planning to introduce any changes in the UI in stage 1. However, we acknowledge we need to improve how we report package authorship: today we are showing authors in VS and owners on NuGet.org, and we would like to have a consistent experience.
For stage 1, sure... I certainly hope that this changes later on though, as I believe it's critical to show the subject name from the certificate conspicuously in the UIs.
The spec says:
As expressed by both me and others elsewhere, I think it's a mistake to not use GPG/PGP, at least as an alternative to X.509 certificates.
Hi @asbjornu, we evaluated the use of GPG vs. X.509, and finally decided to use X.509. Here are the main reasons:
X.509 solves all: it has been supported in Windows, it has a well-known .NET API, and it has a good revocation story based on public CAs. We know that requiring code-signing certificates from a public CA (which cost money) could be an important impediment for users, and we are looking to support self-signed certificates; although we have not finalized the design yet, it's definitely on our roadmap. Thank you very much for your feedback.
It's not a versus, IMHO. At Chocolatey we are considering both: X.509 makes sense for organizational use, GPG makes sense for community and traceability.
@rido-min For non-commercial projects, I can see code-signing certificate costs being a hurdle. I think https://www.nuget.org/account should have a section to generate/issue X.509 code-signing certificates. In other words, Microsoft should assume CA responsibilities to support its own community.
@SidShetye NuGet.org will sign all (existing and new) packages with a NuGet.org certificate; you can read more about this feature here. Additionally, for author signatures, the .NET Foundation offers free code-signing certificates. Thanks for your feedback.
Closing, as author signing has been completed as planned in 15.7.
Status: Reviewed
Spec for this feature is available here: https://github.com/NuGet/Home/wiki/Author-Package-Signing
Discussion should happen on this issue. Please link other issues with similar asks to this one.