Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make verify command consider default nuget.config file and nuget.config option #4396

Merged
merged 15 commits into from
Jan 26, 2022
Merged

Make verify command consider default nuget.config file and nuget.config option #4396

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
25d6041
Add nuget.config file option for dotnet nuget verify
erdembayar Jan 6, 2022
e7dccd3
Address PR comment
erdembayar Jan 10, 2022
4563b0e
Address comment
erdembayar Jan 10, 2022
dd186a7
Rename load setting method to GetSettingsForCurrentWorkingDirectory
erdembayar Jan 11, 2022
2b4fd91
Leverage existing code for finding allowUntrustedRootList from nuget.…
erdembayar Jan 12, 2022
c37f575
Add owner verification.
erdembayar Jan 14, 2022
328ef60
Address comments about tests
erdembayar Jan 18, 2022
fad5bb9
Address comments Damon
erdembayar Jan 19, 2022
f5f0313
Detect duplicate xml element being added.
erdembayar Jan 19, 2022
b96d082
Clean up
erdembayar Jan 19, 2022
87846fd
Address test reviews.
erdembayar Jan 21, 2022
0e2dd8b
Merge branch 'dev' into dev-eryondon-10774-DotnetVerifyNotUsingNugetC…
erdembayar Jan 21, 2022
1352e50
Merge branch 'dev' into dev-eryondon-10774-DotnetVerifyNotUsingNugetC…
erdembayar Jan 21, 2022
0d243bd
Add parameter name
erdembayar Jan 21, 2022
c26dade
Remove NU3018 checking due to MAC issue https://github.com/NuGet/Home…
erdembayar Jan 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion src/NuGet.Clients/NuGet.CommandLine/Commands/VerifyCommand.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,8 @@ public override Task ExecuteCommandAsync()
Verifications = GetVerificationTypes(),
PackagePaths = new[] { PackagePath },
CertificateFingerprint = CertificateFingerprint,
Logger = Console
Logger = Console,
Settings = Settings
};

switch (Verbosity)
Expand Down
2 changes: 1 addition & 1 deletion src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/DeleteCommand.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ public static void Register(CommandLineApplication app, Func<ILogger> getLogger)
DefaultCredentialServiceUtility.SetupDefaultCredentialService(getLogger(), !interactive.HasValue());

#pragma warning disable CS0618 // Type or member is obsolete
PackageSourceProvider sourceProvider = new PackageSourceProvider(XPlatUtility.CreateDefaultSettings(), enablePackageSourcesChangedEvent: false);
PackageSourceProvider sourceProvider = new PackageSourceProvider(XPlatUtility.GetSettingsForCurrentWorkingDirectory(), enablePackageSourcesChangedEvent: false);
#pragma warning restore CS0618 // Type or member is obsolete

await DeleteRunner.Run(
Expand Down
2 changes: 1 addition & 1 deletion src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/LocalsCommand.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ public static void Register(CommandLineApplication app, Func<ILogger> getLogger)
locals.OnExecute(() =>
{
var logger = getLogger();
var setting = XPlatUtility.CreateDefaultSettings();
var setting = XPlatUtility.GetSettingsForCurrentWorkingDirectory();

// Using both -clear and -list command options, or neither one of them, is not supported.
// We use MinArgs = 0 even though the first argument is required,
Expand Down
2 changes: 1 addition & 1 deletion src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PushCommand.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ public static void Register(CommandLineApplication app, Func<ILogger> getLogger)
}

#pragma warning disable CS0618 // Type or member is obsolete
var sourceProvider = new PackageSourceProvider(XPlatUtility.CreateDefaultSettings(), enablePackageSourcesChangedEvent: false);
var sourceProvider = new PackageSourceProvider(XPlatUtility.GetSettingsForCurrentWorkingDirectory(), enablePackageSourcesChangedEvent: false);
#pragma warning restore CS0618 // Type or member is obsolete

try
Expand Down
18 changes: 1 addition & 17 deletions src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Signing/TrustedSignersCommand.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,7 +248,7 @@ private static async Task<int> ExecuteCommand(TrustCommand action,

try
{
ISettings settings = ProcessConfigFile(configFile.Value());
ISettings settings = XPlatUtility.ProcessConfigFile(configFile.Value());
nkolev92 marked this conversation as resolved.
Show resolved Hide resolved

var trustedSignersArgs = new TrustedSignersArgs()
{
Expand Down Expand Up @@ -337,21 +337,5 @@ private static TrustedSignersAction MapTrustEnumAction(TrustCommand trustCommand
return TrustedSignersAction.Add;
}
}

private static ISettings ProcessConfigFile(string configFile)
{
if (string.IsNullOrEmpty(configFile))
{
return XPlatUtility.CreateDefaultSettings();
}

var configFileFullPath = Path.GetFullPath(configFile);
var directory = Path.GetDirectoryName(configFileFullPath);
var configFileName = Path.GetFileName(configFileFullPath);
return Settings.LoadDefaultSettings(
directory,
configFileName,
machineWideSettings: new XPlatMachineWideSetting());
}
}
}
7 changes: 7 additions & 0 deletions src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Signing/VerifyCommand.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
using Microsoft.Extensions.CommandLineUtils;
using NuGet.Commands;
using NuGet.Common;
using NuGet.Configuration;
using static NuGet.Commands.VerifyArgs;

namespace NuGet.CommandLine.XPlat
Expand Down Expand Up @@ -36,6 +37,11 @@ internal static void Register(CommandLineApplication app,
Strings.VerifyCommandCertificateFingerprintDescription,
CommandOptionType.MultipleValue);

CommandOption configFile = verifyCmd.Option(
"--configfile",
Strings.Option_ConfigFile,
CommandOptionType.SingleValue);

CommandOption verbosity = verifyCmd.Option(
"-v|--verbosity",
Strings.Verbosity_Description,
Expand All @@ -55,6 +61,7 @@ internal static void Register(CommandLineApplication app,
new List<Verification>() { Verification.Signatures };
args.CertificateFingerprint = fingerPrint.Values;
args.Logger = getLogger();
args.Settings = XPlatUtility.ProcessConfigFile(configFile.Value());
setLogLevel(XPlatUtility.MSBuildVerbosityToNuGetLogLevel(verbosity.Value()));

var runner = getCommandRunner();
Expand Down
20 changes: 17 additions & 3 deletions src/NuGet.Core/NuGet.CommandLine.XPlat/Utility/XPlatUtility.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.IO;
using Microsoft.Extensions.CommandLineUtils;

#if IS_CORECLR
using System.Runtime.InteropServices;
Expand Down Expand Up @@ -44,7 +42,7 @@ public static LogLevel MSBuildVerbosityToNuGetLogLevel(string verbosity)
}
}

public static ISettings CreateDefaultSettings()
public static ISettings GetSettingsForCurrentWorkingDirectory()
{
return Settings.LoadDefaultSettings(
Directory.GetCurrentDirectory(),
Expand All @@ -70,5 +68,21 @@ public static void SetUserAgent()
UserAgent.SetUserAgentString(new UserAgentStringBuilder("NuGet xplat"));
#endif
}

internal static ISettings ProcessConfigFile(string configFile)
{
if (string.IsNullOrEmpty(configFile))
{
return GetSettingsForCurrentWorkingDirectory();
}

var configFileFullPath = Path.GetFullPath(configFile);
var directory = Path.GetDirectoryName(configFileFullPath);
var configFileName = Path.GetFileName(configFileFullPath);
return Settings.LoadDefaultSettings(
directory,
configFileName,
machineWideSettings: new XPlatMachineWideSetting());
}
}
}
2 changes: 2 additions & 0 deletions src/NuGet.Core/NuGet.Commands/PublicAPI/net472/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,5 @@ NuGet.Commands.PackCollectorLogger.PackCollectorLogger(NuGet.Common.ILogger inne
NuGet.Commands.PackCommand.PackageSpecificWarningProperties
NuGet.Commands.PackCommand.PackageSpecificWarningProperties.PackageSpecificWarningProperties() -> void
static NuGet.Commands.PackCommand.PackageSpecificWarningProperties.CreatePackageSpecificWarningProperties(System.Collections.Generic.IDictionary<string, System.Collections.Generic.HashSet<(NuGet.Common.NuGetLogCode, NuGet.Frameworks.NuGetFramework)>> noWarnProperties) -> NuGet.Commands.PackCommand.PackageSpecificWarningProperties
NuGet.Commands.VerifyArgs.Settings.get -> NuGet.Configuration.ISettings
NuGet.Commands.VerifyArgs.Settings.set -> void
2 changes: 2 additions & 0 deletions src/NuGet.Core/NuGet.Commands/PublicAPI/netcoreapp5.0/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,5 @@ NuGet.Commands.PackCollectorLogger.PackCollectorLogger(NuGet.Common.ILogger inne
NuGet.Commands.PackCommand.PackageSpecificWarningProperties
NuGet.Commands.PackCommand.PackageSpecificWarningProperties.PackageSpecificWarningProperties() -> void
static NuGet.Commands.PackCommand.PackageSpecificWarningProperties.CreatePackageSpecificWarningProperties(System.Collections.Generic.IDictionary<string, System.Collections.Generic.HashSet<(NuGet.Common.NuGetLogCode, NuGet.Frameworks.NuGetFramework)>> noWarnProperties) -> NuGet.Commands.PackCommand.PackageSpecificWarningProperties
NuGet.Commands.VerifyArgs.Settings.get -> NuGet.Configuration.ISettings
NuGet.Commands.VerifyArgs.Settings.set -> void
2 changes: 2 additions & 0 deletions src/NuGet.Core/NuGet.Commands/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,5 @@ NuGet.Commands.PackCollectorLogger.PackCollectorLogger(NuGet.Common.ILogger inne
NuGet.Commands.PackCommand.PackageSpecificWarningProperties
NuGet.Commands.PackCommand.PackageSpecificWarningProperties.PackageSpecificWarningProperties() -> void
static NuGet.Commands.PackCommand.PackageSpecificWarningProperties.CreatePackageSpecificWarningProperties(System.Collections.Generic.IDictionary<string, System.Collections.Generic.HashSet<(NuGet.Common.NuGetLogCode, NuGet.Frameworks.NuGetFramework)>> noWarnProperties) -> NuGet.Commands.PackCommand.PackageSpecificWarningProperties
NuGet.Commands.VerifyArgs.Settings.get -> NuGet.Configuration.ISettings
NuGet.Commands.VerifyArgs.Settings.set -> void
18 changes: 18 additions & 0 deletions src/NuGet.Core/NuGet.Commands/Strings.Designer.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions src/NuGet.Core/NuGet.Commands/Strings.resx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1142,4 +1142,10 @@ For more information, visit https://docs.nuget.org/docs/reference/command-line-r
<value>Project dependency '{0}' does not specify a version. Include a version for the dependency to ensure consistent restore results.</value>
<comment>0 - package id</comment>
</data>
<data name="Error_NoClientAllowList" xml:space="preserve">
<value>signatureValidationMode is set to require, so packages are allowed only if signed by trusted signers; however, no trusted signers were specified.</value>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love this warning message, but I imagine this PR is just copying the string from NuGet.packaging?

In particular, the so conjunction makes it too informal imo, but I'd love to see if others think we should change it (can be done independently too).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I copied this text from NuGet.Packing. Sure, I'm open for any suggestion or I can address later independently.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created follow up issue NuGet/Home#11518

</data>
<data name="Error_NoMatchingClientCertificate" xml:space="preserve">
<value>This package is signed but not by a trusted signer.</value>
</data>
</root>
7 changes: 6 additions & 1 deletion src/NuGet.Core/NuGet.Commands/VerifyCommand/VerifyArgs.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
using NuGet.Common;
using NuGet.Configuration;

namespace NuGet.Commands
{
Expand Down Expand Up @@ -70,5 +70,10 @@ public string PackagePath
/// If not empty, signer certificate fingerprint must match one in this list
/// </summary>
public IEnumerable<string> CertificateFingerprint { get; set; }

/// <summary>
/// Loaded NuGet settings
/// </summary>
public ISettings Settings { get; set; }
}
}
22 changes: 20 additions & 2 deletions src/NuGet.Core/NuGet.Commands/VerifyCommand/VerifyCommandRunner.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,9 @@ public async Task<int> ExecuteCommandAsync(VerifyArgs verifyArgs)
return packages;
});

ClientPolicyContext clientPolicyContext = ClientPolicyContext.GetClientPolicy(verifyArgs.Settings, verifyArgs.Logger);

// List of values passed through --certificate-fingerprint option read
var allowListEntries = verifyArgs.CertificateFingerprint.Select(fingerprint =>
new CertificateHashAllowListEntry(
VerificationTarget.Author | VerificationTarget.Repository,
Expand All @@ -60,10 +63,25 @@ public async Task<int> ExecuteCommandAsync(VerifyArgs verifyArgs)
var verifierSettings = SignedPackageVerifierSettings.GetVerifyCommandDefaultPolicy();
var verificationProviders = new List<ISignatureVerificationProvider>()
{
new IntegrityVerificationProvider(),
new SignatureTrustAndValidityVerificationProvider()
new IntegrityVerificationProvider()
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed lines little bit make it more comparable to similar code in PackageRestore.

NuGet.Client/src/NuGet.Core/NuGet.Packaging/PackageExtractor.cs

Lines 998 to 1011 in b8fe2a0

var verificationProviders = new List<ISignatureVerificationProvider>()
{
new IntegrityVerificationProvider(),
};
verificationProviders.Add(
new AllowListVerificationProvider(
clientPolicyContext.AllowList,
requireNonEmptyAllowList: clientPolicyContext.Policy == SignatureValidationMode.Require,
emptyListErrorMessage: Strings.Error_NoClientAllowList,
noMatchErrorMessage: Strings.Error_NoMatchingClientCertificate));
IEnumerable<KeyValuePair<string, HashAlgorithmName>> allowUntrustedRootList = null;
if (clientPolicyContext.AllowList != null && clientPolicyContext.AllowList.Any())

};

// trustedSigners section >> Owners are considered here.
verificationProviders.Add(
new AllowListVerificationProvider(
clientPolicyContext.AllowList,
requireNonEmptyAllowList: clientPolicyContext.Policy == SignatureValidationMode.Require,
emptyListErrorMessage: Strings.Error_NoClientAllowList,
noMatchErrorMessage: Strings.Error_NoMatchingClientCertificate));

IEnumerable<KeyValuePair<string, HashAlgorithmName>> trustedSignerAllowUntrustedRootList = clientPolicyContext.AllowList?
.Where(c => c.AllowUntrustedRoot)
.Select(c => new KeyValuePair<string, HashAlgorithmName>(c.Fingerprint, c.FingerprintAlgorithm));

// trustedSigners section >> allowUntrustedRoot set true are considered here.
verificationProviders.Add(new SignatureTrustAndValidityVerificationProvider(trustedSignerAllowUntrustedRootList));

// List of values passed through --certificate-fingerprint option are considered here.
Copy link
Contributor Author

@erdembayar erdembayar Jan 18, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For verify action repository signing allow list not considered.

NuGet.Client/src/NuGet.Core/NuGet.Packaging/PackageExtractor.cs

Lines 1019 to 1029 in b8fe2a0

if (repositorySignatureInfo != null && repositorySignatureInfo.RepositoryCertificateInfos != null)
{
var repositoryAllowList = RepositorySignatureInfoUtility.GetRepositoryAllowList(repositorySignatureInfo.RepositoryCertificateInfos);
verificationProviders.Add(new AllowListVerificationProvider(
repositoryAllowList,
repositorySignatureInfo.AllRepositorySigned,
Strings.Error_NoRepoAllowList,
Strings.Error_NoMatchingRepositoryCertificate));
}

verificationProviders.Add(
new AllowListVerificationProvider(
allowListEntries,
Expand Down
Loading