我有一个用我自己的证书签名的软件包,该证书由我自己的CA颁发。
我用证书签署了一个nuget软件包。
当我在计算机的信任库中添加根CA时,我可以使用nuget成功验证签名
nuget verify test.nupkg -Signatures
但是,如果我从信任库中删除了根目录,而是将证书的指纹添加为受信任的签名者,则在nuget中将allowUntrustedRoot设置为true,对于某些情况,我无法验证签名原因。
> nuget trusted-signers
Registered trusted signers:
1. MyCert [author]
Certificate fingerprint(s):
[U] SHA256 - 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
但是
> nuget verify test.nupkg -Signatures
Verifying Test
C:\test.nupkg
Signature Hash Algorithm: SHA256
WARNING: NU3027: The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=Test Certificate, OU=Test, C=BE
SHA1 hash: 679B1E503720C69D981B9CC4F0199D5D8593375A
SHA256 hash: 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
Issued by: CN=Test Root, OU=Test, O=Test, C=BE
Valid from: 10/31/2019 10:29:54 AM to 9/24/2023 11:37:39 AM
NU3018: The author primary signature found a chain building issue: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode.
WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation for the certificate.
Finished with 1 errors and 3 warnings.
Package signature validation failed.
如果未验证签名,则添加可信的签名者并将allowUntrustedRoot设置为true有什么意义?我的意思是,将根证书添加到信任库中足以验证签名,而无需进行任何配置就足够了。
我希望,如果可能的话,不能将根CA导入信任存储中,而只能使用Nuget的配置来成功验证签名。
谢谢。
答案 0 :(得分:0)
我们的信念是,如果您尝试在nuget.configs中具有适当信任策略设置的项目中使用该程序包,还原将成功。 请确认。
接下来,nuget verify具有-config开关-请尝试将路径传递到nuget.config。
如果第一个测试有效,而第二个测试无效,则nuget的verify命令中可能存在错误。如果是这样,请在https://github.com/nuget/home/issues/
提出问题-Rob Relyea(NuGet客户团队)