[Spec] NuGet Package Signing Client Policy
Status: Incubation
Parent spec - Repository-Signatures
Related Spec - Trusted Sources
As we enable author and repository package signing, we need to give consumers control over the NuGet package signing client policies. Further, the selected policy needs to be stored on the user's machine.
All NuGet package consumers.
Enable package consumers to store NuGet package signing client policies.
- Define NuGet package signing client policies.
- Update the schema for nuget.config file to be able to store NuGet package signing client policies.
- Define a gesture for users to be able to choose NuGet package signing client policies.
NuGet package signing client policies have been outlined in the Repository-Signatures spec. This spec proposes schema changes to nuget.config and user gestures. Further, the spec outlines a rollout plan for the default mode for NuGet clients.
We should store the selected client policy for the user in a nuget.config file as a configuration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="signatureValidationMode" value="MODE" />
  </config>
</configuration>
```

The key and value are case insensitive.
For example -

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

To set the NuGet package signing client policy, users can use the existing nuget config command.
```
NuGet.exe config -set signatureValidationMode=accept
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>
```

```
NuGet.exe config -set signatureValidationMode=require
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

Running the command again with a different value replaces the existing setting:

```
NuGet.exe config -set signatureValidationMode=require
```

Before -

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>
```

After -

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

Setting an empty value removes the setting from the config file:

```
NuGet.exe config -set signatureValidationMode=
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
```

If signatureValidationMode is not set then NuGet Client should read that as accept mode.
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
```

The above config should be read as having signatureValidationMode=accept.
If signatureValidationMode is set to any value other than the supported modes, then NuGet Client should read that as accept mode and warn the user with a message requesting them to fix the mode value.
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="RANDOM" />
  </config>
</configuration>
```

The above config should be read as having signatureValidationMode=accept and the following message should be shown to the user -

```text
NUxxxx: Invalid signatureValidationMode found in config file <path>. Defaulting to accept mode. Please set it to one of the supported modes by running the nuget config command.
For more information, visit http://docs.nuget.org/docs/reference/command-line-reference.
```
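The resolution rules above (missing setting reads as accept, unsupported value reads as accept plus a warning, key and value matched case-insensitively) as an added example; this is not code from the spec or from the NuGet client, and the sample configs and the `NUxxxx` placeholder code it emits are constructed to mirror the spec's examples:

```python
# Added example (not part of the spec or the NuGet client code base):
# resolves signatureValidationMode from a nuget.config document the way
# the spec above describes. The sample configs below are constructed.
import xml.etree.ElementTree as ET

SUPPORTED_MODES = ("accept", "require")
DEFAULT_MODE = "accept"

# Constructed config with a package source but no signatureValidationMode.
NO_MODE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet.Org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""


def config_with_mode(value: str, key: str = "signatureValidationMode") -> str:
    """Build a constructed nuget.config that adds a <config> entry for the mode."""
    entry = f'  <config>\n    <add key="{key}" value="{value}" />\n  </config>\n</configuration>'
    return NO_MODE_CONFIG.replace("</configuration>", entry)


def resolve_signature_validation_mode(config_xml: str, path: str = "<path>"):
    """Return (mode, warning). Missing -> accept with no warning; unsupported
    value -> accept plus the warning text; key and value are case-insensitive."""
    root = ET.fromstring(config_xml)
    raw = None
    # Only <add> entries under <config> are settings; the <add> entries under
    # <packageSources> are feeds and must not be mistaken for the mode.
    for add in root.findall("./config/add"):
        if (add.get("key") or "").strip().lower() == "signaturevalidationmode":
            raw = add.get("value") or ""  # last matching entry wins here
    if raw is None:
        return DEFAULT_MODE, None
    mode = raw.strip().lower()
    if mode in SUPPORTED_MODES:
        return mode, None
    warning = (
        f"NUxxxx: Invalid signatureValidationMode found in config file {path}. "
        "Defaulting to accept mode. Please set it to one of the supported modes "
        "by running the nuget config command.")
    return DEFAULT_MODE, warning


if __name__ == "__main__":
    for sample in (NO_MODE_CONFIG, config_with_mode("accept"),
                   config_with_mode("REQUIRE", "SignatureValidationMode"),
                   config_with_mode("RANDOM")):
        print(resolve_signature_validation_mode(sample, "user nuget.config"))
```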
We should add support for the following in Visual Studio NuGet options control -
- Add a drop down menu to enable users to choose a NuGet package signing client policy.
- By default NuGet client should operate in accept mode, where the client performs author/repository/signedcms signature verification for packages that contain a valid signature.
- If a user does not have any package sources, then NuGet client should add nuget.org as a package source and trusted source, and write signatureValidationMode=accept into the user nuget.config file.
- NuGet client should respect any trusted source in user settings and perform complete repository signature verification for any package from those sources.
- In require mode NuGet client will only allow packages signed by one of the trusted sources or authors, in addition to all the constraints of accept mode.
- If a package is signed by an author or source that is not trusted, then the operation should fail with an error.
- Starting in a future release, NuGet will operate in accept mode for all users.
- In a following release NuGet client will allow users to change their NuGet package signing client policy as proposed in this spec.