
DOTNET_NUGET_SIGNATURE_VERIFICATION #40946

Open
GaSkia opened this issue May 15, 2024 · 1 comment

@GaSkia

GaSkia commented May 15, 2024

Type of issue

Other (describe below)

Description

LINUX

Important

Although signed-package verification functionality was added in .NET 5 SDK's, the functionality isn't supported on Linux until .NET 6.0.400 SDK. Don't use signed-package verification with .NET SDK versions earlier than 6.0.400.

Prior to .NET 8 SDK, verification is disabled by default during package restore operations. To opt in, set the environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION to true.

After a clean install on Arch Linux via the install.sh script, I proceeded to install the maui-android NuGet package with the following command:

dotnet workload install android-maui

The NuGet package signature verification is skipped (see output.txt):
[output.txt](https://github.com/dotnet/docs/files/15326820/output.txt)

As quoted above, the documentation says that prior to the .NET 8 SDK verification is disabled by default, so I assume that verification on version 8.0.204 should be enabled by default.

Page URL

https://learn.microsoft.com/en-us/dotnet/core/tools/nuget-signed-package-verification

Content source URL

https://github.com/dotnet/docs/blob/main/docs/core/tools/nuget-signed-package-verification.md

Document Version Independent Id

ccd7b834-2f46-7bff-fbd4-1409650da1cb

Article author

@dtivel

Metadata

  • ID: 4b107641-a326-0701-0406-c29627550fa5
  • Service: dotnet-fundamentals
@dtivel
Contributor

dtivel commented May 15, 2024

Hi, @GaSkia. Thanks for the feedback.

The default behavior of NuGet signed package verification (and the DOTNET_NUGET_SIGNATURE_VERIFICATION environment variable) on Linux only applies to NuGet restore operations. .NET SDK install/update operations for dotnet workload and dotnet tool do not inherit NuGet's default restore behavior because they are not restore operations (e.g.: dotnet restore or dotnet build, which implicitly restores). The dotnet workload and dotnet tool commands use NuGet packages, but the .NET SDK performs its own verification. Perhaps documentation would be clearer if it said that dotnet workload and dotnet tool commands are not affected by NuGet's default restore behavior?

The .NET SDK team disabled automatic verification in their workload command via dotnet/sdk#24590. I believe they are planning on adding it back via dotnet/sdk#37469. However, this disablement/enablement is independent of NuGet restore operations.
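The rules quoted in the issue (supported on Linux from SDK 6.0.400, off by default before SDK 8 unless DOTNET_NUGET_SIGNATURE_VERIFICATION is set to true, on by default from SDK 8) and the distinction in the reply above (restore and build follow NuGet's restore policy; workload and tool go through the SDK's own verification) can be encoded as a small CI-side policy check. The following is an added example, not code from this issue, from NuGet or from the dotnet/docs article; the function names, the literal `true` match and the command-to-path table are assumptions of the example, taken only from the text of this thread.

```shell
#!/bin/sh
# Added example, not from the issue or the dotnet/docs article: a CI-side policy
# check that decides whether NuGet signed-package verification is expected
# during `dotnet restore` on Linux, encoding the documented rules quoted in the
# issue (supported from SDK 6.0.400; off by default before SDK 8 unless
# DOTNET_NUGET_SIGNATURE_VERIFICATION=true; on by default from SDK 8).
# Function names and the literal "true" match are assumptions of this example.

# version_ge A B: exit 0 if dotted version A is >= B, 1 otherwise.
# Missing components are treated as 0, so "8.0" compares equal to "8.0.0".
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# restore_verification_mode SDK_VERSION ENV_VALUE
# Prints "unsupported", "on" or "off" for restore-time verification on Linux.
restore_verification_mode() {
  sdk="$1"
  env_value="$2"
  if ! version_ge "$sdk" "6.0.400"; then
    echo unsupported            # not supported on Linux before 6.0.400
  elif version_ge "$sdk" "8.0.0"; then
    echo on                     # enabled by default from the .NET 8 SDK
  elif [ "$env_value" = "true" ]; then
    echo on                     # opted in on an older SDK via the variable
  else
    echo off                    # disabled by default before .NET 8
  fi
}

# verification_path COMMAND
# Which verification path a `dotnet <command>` goes through, per the reply in
# this thread: restore and build (implicit restore) follow NuGet's restore
# policy above; workload and tool use the SDK's own verification, so the
# environment variable does not apply to them.
verification_path() {
  case "$1" in
    restore|build) echo restore-policy ;;
    workload|tool) echo sdk-own-verification ;;
    *)             echo unknown ;;
  esac
}

# require_restore_verification SDK_VERSION ENV_VALUE
# Exit 0 only when restore-time verification will actually be on; a CI job can
# call this before `dotnet restore` to fail fast on a misconfigured agent.
require_restore_verification() {
  mode=$(restore_verification_mode "$1" "$2")
  if [ "$mode" = "on" ]; then
    return 0
  fi
  echo "restore-time signature verification is $mode for SDK $1" >&2
  return 1
}

# Demo with constructed values (on a build agent, use "$(dotnet --version)"
# and "$DOTNET_NUGET_SIGNATURE_VERIFICATION" instead).
for v in 6.0.300 7.0.100 8.0.204; do
  echo "SDK $v, variable unset: $(restore_verification_mode "$v" "")"
  echo "SDK $v, variable=true:  $(restore_verification_mode "$v" true)"
done
echo "dotnet workload install goes through: $(verification_path workload)"
```

The check deliberately reports "unsupported" rather than "off" below 6.0.400 so that a job does not silently treat an SDK that cannot verify at all as merely opted out; and because `verification_path workload` is not `restore-policy`, a passing `require_restore_verification` says nothing about whether `dotnet workload install` verified its packages, which is exactly the gap the issue reports.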
