
[NuGet.org Bug]: Uploaded certificate is not properly validating package upload #10058

Open
bradwilson opened this issue Jul 8, 2024 · 10 comments

Comments

@bradwilson

Impact

I'm unable to use NuGet.org

Describe the bug

I have recently updated my code signing certificate used for the xunit organization. When uploading packages signed with the new certificate, it was failing validation.

So I extracted the certificate from the signed NuGet package to create the required DER encoded CER file. I verified that the SHA1 matches what the failure e-mail shows. (BTW, it's SUPER annoying that you show the SHA256 of a certificate on the organization edit page, but the SHA1 of the certificate when it fails to sign properly. Please pick one thing and use it everywhere!)

According to PowerShell, these are the SHA1 and SHA256 hashes for the .cer file:

Algorithm   Hash                                                               Path
---------   ----                                                               ----
SHA1        E49A663526BCC40878466BE4F49F9833B3302C0A                           xunit.cer
SHA256      0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161   xunit.cer

This is what the e-mail told me:

The package was signed, but the signing certificate (SHA-1 thumbprint e49a663526bcc40878466be4f49f9833b3302c0a) is not associated with your account.

And this is what the organization shows for the uploaded certificate (the old one is still there):

[screenshot omitted: the organization's certificate page listing the newly uploaded certificate alongside the old one]

I have tried uploading packages several times and it still continues to fail, despite the certificate being there. I uploaded it about 3pm Pacific time but it still fails even now at 9pm Pacific time (I thought maybe it needed some time to work itself through the system).

At this point I believe there is something broken in the process and I need help figuring out what the broken piece is. If necessary, I can provide both a signed NuGet package that I'm trying to upload, as well as the .CER file that I extracted from the signed package.

Repro Steps

  1. Get the package that's signed with my key (you don't have that yet)
  2. Try to upload it
  3. Fail

Expected Behavior

I can upload the package(s).

Screenshots

No response

Additional Context and logs

No response
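As an added illustration of the check described in the report (not code from the issue or from NuGet), the following PowerShell pulls the signing certificate(s) out of a signed .nupkg and prints both the SHA-1 thumbprint, which is what the rejection e-mail quotes, and the SHA-256 fingerprint, which is what the organization page shows, so the two can be compared case-insensitively. The package path and the expected thumbprint are parameters you supply; the .nupkg filename is assumed.

```powershell
# Added example (not from the issue): extract the certificate(s) from a signed
# .nupkg and show SHA-1 and SHA-256 fingerprints of each, flagging the one that
# matches the thumbprint quoted in the nuget.org rejection e-mail.
param(
    [Parameter(Mandatory)] [string] $PackagePath,     # e.g. .\xunit.core.nupkg (assumed name)
    [string] $ExpectedSha1 = 'e49a663526bcc40878466be4f49f9833b3302c0a'  # value from the e-mail
)
Add-Type -AssemblyName System.IO.Compression.FileSystem
Add-Type -AssemblyName System.Security   # SignedCms on Windows PowerShell 5.1

# A signed package carries its CMS/PKCS#7 signature as the .signature.p7s zip entry.
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $PackagePath).Path)
try {
    $entry = $zip.GetEntry('.signature.p7s')
    if (-not $entry) { throw 'Package is not signed: no .signature.p7s entry' }
    $ms = New-Object System.IO.MemoryStream
    $s  = $entry.Open(); $s.CopyTo($ms); $s.Dispose()
    $p7s = $ms.ToArray()
} finally { $zip.Dispose() }

$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($p7s)   # includes author signer, chain, and any timestamp/countersigner certs

$sha1   = [System.Security.Cryptography.SHA1]::Create()
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($cert in $cms.Certificates) {
    # Fingerprints are hashes over the DER bytes, which is why Get-FileHash on an
    # exported .cer reproduces the thumbprint shown in the e-mail.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $t1  = ([System.BitConverter]::ToString($sha1.ComputeHash($der))   -replace '-', '').ToLower()
    $t2  = ([System.BitConverter]::ToString($sha256.ComputeHash($der)) -replace '-', '').ToLower()
    # Compare case-insensitively: the e-mail is lowercase, Get-FileHash is uppercase.
    $flag = if ($t1 -eq $ExpectedSha1.ToLower()) { '   <== matches e-mail thumbprint' } else { '' }
    "{0}`n  SHA-1  : {1}{2}`n  SHA-256: {3}" -f $cert.Subject, $t1, $flag, $t2
    # Write the DER .cer that the organization certificate upload expects.
    [System.IO.File]::WriteAllBytes((Join-Path (Get-Location).Path "$t1.cer"), $der)
}
```

The SHA-256 line is the value to look for on the organization's certificate page; if the flagged certificate's SHA-256 is listed there and the upload is still rejected, the mismatch is not in the certificate itself.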

@bradwilson
Author

This seems to be working now, but I'm not 100% sure I know why, so I'm going to leave this open so that someone can review logs and see what happened.

If the problem turns out to be that there is a required time lag between certificate upload and usability, that needs to be very strongly highlighted in the certificate UI so that users can have their expectations set appropriately.

@bradwilson
Author

There is a suggestion that there is some hard-coded logic in NuGet related to dotnetfoundation that makes them a sole arbiter of certificate validity if they're listed as a package owner. Any truth to that?

@erdembayar
Contributor

erdembayar commented Jul 9, 2024

Could you please send us a support request from https://www.nuget.org/policies/Contact after logging into nuget.org?
Please give us your account name and the organization account you're using.

@erdembayar
Contributor

One possible scenario is to have two accounts, one personal and the other organizational. If you upload the certificate using the personal account but push the package using the organizational account (or vice versa), you might experience the above problem.

@bradwilson
Author

I already gave you all the information you're asking for. I'm not sure how filling out a different form will help.

@erdembayar
Contributor

> I already gave you all the information you're asking for. I'm not sure how filling out a different form will help.

We don't know your nuget.org account if you want us to investigate this. By using that form, we can have a private discussion instead of a public one.

@bradwilson
Author

How long should I expect it to take to get an answer to my question? I submitted the e-mail a week ago.

@JonDouglas
Contributor

JonDouglas commented Aug 31, 2024

@glennawatson @ChrisSfanos for visibility on the DNF rules.

@bradwilson Yes, I believe for some reason there is specific logic associated with the dotnetfoundation account. Glenn/Chris may have more details as to why that is the case and any future plans for that experience.

@bradwilson
Author

I was able to resolve this conflict by deleting dotnetfoundation as co-owner of my packages. Adding them was done without my knowledge so this was the correct resolution.

@glennawatson

@bradwilson These rules have existed for a while. They were introduced by Claire back when she was ED.

The board has been discussing this actively in recent meetings. I have been bringing it up over the last 2-3 board meetings to get the co-owner rules relaxed, and I have also been discussing with @JonDouglas how to go about this.

We will likely discuss finalising some rules in September's project committee meeting.
