
nugetkeyvaultsigntool's People

Contributors

clairernovotny, dependabot-preview[bot], jguadagno, mregen, natemcmaster, timheuer


nugetkeyvaultsigntool's Issues

Feature request: Ability to sign nupkg and snupkg in one step

Hi, first of all, thanks for this great tool.
I stumbled upon a minor issue that although the tool supports wildcards (e.g. Packages/*.nupkg or Packages/*.snupkg), it is unwilling to sign both *.nupkg and *.snupkg files at the same time (Packages/*.* or Packages/*nupkg), it will only sign *.nupkg ones. This means that CI pipelines need to call the NuGetKeyVaultSignTool twice instead of once, with a ton of parameters 😉.

Tool cannot sign wildcard paths

For some reason when run within an Azure DevOps release task it is not working, erroring out on saying KeyVault URL not specified.

As you can see from the log it is specified (also tried -kvu) but still erroring on that step:

2019-05-02T18:02:54.3830516Z nugetkeyvaultsigntool sign D:\a\r1\a\_Alexa.NET-master\drop\*.nupkg -file-digest sha256 -timestamp-rfc3161 "http://timestamp.digicert.com" --timestamp-digest sha256 --azure-key-vault-url "REMOVED_FOR_THIS_ISSUE_POST" --azure-key-vault-client-id "***" --azure-key-vault-client-secret "***" --azure-key-vault-certificate "***"
2019-05-02T18:03:00.1332781Z fail: NuGetKeyVaultSignTool.Program[0]
2019-05-02T18:03:00.1333613Z       Key Vault URL not specified

Dependencies not current

Most relevant to dotnet/sign is net5.0 for NuGetKeyVaultSignTool.Core:

E:\git\NuGetKeyVaultSignTool>dotnet list package --outdated

The following sources were used:
   https://api.nuget.org/v3/index.json
   https://pkgs.dev.azure.com/dotnet/NuGetPackageExplorer/_packaging/BuildPackages/nuget/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
   https://dnceng.pkgs.visualstudio.com/public/_packaging/dotnet7/nuget/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json

Project `NuGetKeyVaultSignTool` has the following updates to its packages
   [netcoreapp3.1]:
   Top-level Package                               Requested            Resolved             Latest
   > Azure.Identity                                1.5.0                1.5.0                1.8.0
   > Microsoft.Extensions.DependencyInjection      6.0.0-rc.2.21480.5   6.0.0-rc.2.21480.5   7.0.0
   > Microsoft.Extensions.Logging.Console          6.0.0-rc.2.21480.5   6.0.0-rc.2.21480.5   7.0.0
   > Microsoft.SourceLink.GitHub                   1.0.0                1.0.0                1.1.1
   > Nerdbank.GitVersioning                        3.4.244              3.4.244              3.5.119

   [net5.0]:
   Top-level Package                               Requested            Resolved             Latest
   > Azure.Identity                                1.5.0                1.5.0                1.8.0
   > Microsoft.Extensions.DependencyInjection      6.0.0-rc.2.21480.5   6.0.0-rc.2.21480.5   7.0.0
   > Microsoft.Extensions.Logging.Console          6.0.0-rc.2.21480.5   6.0.0-rc.2.21480.5   7.0.0
   > Microsoft.SourceLink.GitHub                   1.0.0                1.0.0                1.1.1
   > Nerdbank.GitVersioning                        3.4.244              3.4.244              3.5.119

   [net6.0]:
   Top-level Package                               Requested            Resolved             Latest
   > Azure.Identity                                1.5.0                1.5.0                1.8.0
   > Microsoft.Extensions.DependencyInjection      6.0.0-rc.2.21480.5   6.0.0-rc.2.21480.5   7.0.0
   > Microsoft.Extensions.Logging.Console          6.0.0-rc.2.21480.5   6.0.0-rc.2.21480.5   7.0.0
   > Microsoft.SourceLink.GitHub                   1.0.0                1.0.0                1.1.1
   > Nerdbank.GitVersioning                        3.4.244              3.4.244              3.5.119

Project `NuGetKeyVaultSignTool.Core` has the following updates to its packages
   [netcoreapp3.1]:
   Top-level Package                           Requested              Resolved               Latest
   > Azure.Security.KeyVault.Certificates      4.2.0                  4.2.0                  4.4.0
   > Microsoft.Extensions.Logging              6.0.0-rc.2.21480.5     6.0.0-rc.2.21480.5     7.0.0
   > Microsoft.SourceLink.GitHub               1.0.0                  1.0.0                  1.1.1
   > Nerdbank.GitVersioning                    3.4.244                3.4.244                3.5.119
   > NuGet.Packaging                           6.0.0-xprivate.60026   6.0.0-xprivate.60026   6.4.0
   > NuGet.Protocol                            6.0.0-xprivate.60026   6.0.0-xprivate.60026   6.4.0
   > System.Security.Cryptography.Pkcs         6.0.0-rc.2.21480.5     6.0.0-rc.2.21480.5     7.0.0

   [net5.0]:
   Top-level Package                           Requested             Resolved              Latest
   > Azure.Security.KeyVault.Certificates      4.2.0                 4.2.0                 4.4.0
   > Microsoft.Extensions.Logging              6.0.0-rc.2.21480.5    6.0.0-rc.2.21480.5    7.0.0
   > Microsoft.SourceLink.GitHub               1.0.0                 1.0.0                 1.1.1
   > Nerdbank.GitVersioning                    3.4.244               3.4.244               3.5.119
   > NuGet.Packaging                           6.0.0-preview.4.243   6.0.0-preview.4.243   6.4.0
   > NuGet.Protocol                            6.0.0-preview.4.243   6.0.0-preview.4.243   6.4.0
   > System.Security.Cryptography.Pkcs         6.0.0-rc.2.21480.5    6.0.0-rc.2.21480.5    7.0.0

The version is displayed incorrectly

>dotnet tool install --global NuGetKeyVaultSignTool
You can invoke the tool using the following command: NuGetKeyVaultSignTool
Tool 'nugetkeyvaultsigntool' (version '3.2.3') was successfully installed.

>NuGetKeyVaultSignTool --version

3.2.0

Microsoft.Extensions.CommandLineUtils not found

Following the tutorial in readme.md, I get the following error as the only output of the NuGetKeyVaultSignTool.exe command:

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Extensions.CommandLineUtils, Version=1.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60'. The system cannot find the file specified.
at NuGetKeyVaultSignTool.Program.Main(String[] args)

The version installed is 1.2.3.

I've built the tool myself as a work-around.

Needs Tests

Should add some tests to be able to quickly validate new capabilities

Verify subcommand: System.Security.Cryptography.CryptographicException: Unknown algorithm '1.2.840.113549.1.1.11'

For a package that is signed using NuGetKeyVaultSignTool and passes validation on nuget.org, I get this output:

(sensitive data replaced by ***)

Signature Hash Algorithm: SHA256
Timestamp: 09.01.2019 15:43:58

Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: ***
  SHA256 hash: ***
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 23.12.2017 1:00:00 to 23.03.2029 0:59:59

      Subject Name: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
      SHA1 hash: ***
      SHA256 hash: ***
      Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      Valid from: 12.01.2016 1:00:00 to 12.01.2031 0:59:59

            Subject Name: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
            SHA1 hash: ***
            SHA256 hash: ***
            Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
            Valid from: 02.04.2008 2:00:00 to 02.12.2037 0:59:59


Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: ***
  SHA1 hash: ***
  SHA256 hash: ***
  Issued by: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 27.07.2017 2:00:00 to 23.09.2020 1:59:59

The author primary signature validation failed.
System.Security.Cryptography.CryptographicException: Unknown algorithm '1.2.840.113549.1.1.11'.
   at System.Security.Cryptography.Pkcs.SignerInfo.Verify(X509Certificate2Collection extraStore, X509Certificate2 certificate, Boolean verifySignatureOnly)
   at NuGet.Packaging.Signing.Signature.Verify(Timestamp timestamp, SignatureVerifySettings settings, HashAlgorithmName fingerprintAlgorithm, X509Certificate2Collection certificateExtraStore)
Finished with 1 errors and 0 warnings.

Signature is invalid

Certificate chain validation failed.

When I try to use this tool with an Azure DevOps hosted agent (ubuntu-20.04) I get the following error:

info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [/home/vsts/work/1/a/packed/tool-devops.1.0.0-rc.nupkg]: Begin Signing tool-devops.1.0.0-rc.nupkg
fail: NuGetKeyVaultSignTool.Program[0]
      NuGet [/home/vsts/work/1/a/packed/tool-devops.1.0.0-rc.nupkg]: NU3018: PartialChain: unable to get local issuer certificate
fail: NuGetKeyVaultSignTool.Program[0]
      Certificate chain validation failed.
NuGet.Packaging.Signing.SignatureException: Certificate chain validation failed.
   at NuGet.Packaging.Signing.CertificateChainUtility.GetCertificateChain(X509Certificate2 certificate, X509Certificate2Collection extraStore, ILogger logger, CertificateType certificateType)
   at NuGet.Packaging.Signing.SignPackageRequest.BuildSigningCertificateChainOnce(ILogger logger)
   at NuGet.Packaging.Signing.SigningUtility.Verify(SignPackageRequest request, ILogger logger)
   at NuGet.Packaging.Signing.SigningUtility.SignAsync(SigningOptions options, SignPackageRequest signRequest, CancellationToken token)
   at NuGetKeyVaultSignTool.SignCommand.SignAsync(String packagePath, String outputPath, String timestampUrl, Uri v3ServiceIndex, IReadOnlyList`1 packageOwners, SignatureType signatureType, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, Boolean overwrite, X509Certificate2 publicCertificate, RSA rsa, CancellationToken cancellationToken) in /_/NuGetKeyVaultSignTool.Core/SignCommand.cs:line 98

I use a self-signed certificate!

NuGetKeyVaultSignTool --version
3.1.0

Tool cannot verify wildcard paths

Tool 'nugetkeyvaultsigntool' (version '3.2.3')

>NuGetKeyVaultSignTool verify "test/*.nupkg"

Signature is valid
> NuGetKeyVaultSignTool verify "test/1.nupkg"
The package is not signed.
Finished with 1 errors and 0 warnings.

Signature is invalid
> NuGetKeyVaultSignTool verify "test/2.nupkg"

Signature is valid

Tool does not run on Microsoft Hosted ubuntu build agents

You get this error message:

Starting: Running NuGetKeyVaultSign
==============================================================================
Task         : PowerShell
Description  : Run a PowerShell script on Linux, macOS, or Windows
Version      : 2.170.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command . '/home/vsts/work/_temp/c17c4719-86d3-4af9-a58b-f6fdd1a06816.ps1'
info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: Begin Signing nugetkeyvaultsigntool.3.0.45.nupkg
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: CreatePrimarySignatureAsync: Creating Primary signature
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: CreatePrimarySignatureAsync: Primary signature completed
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: CreatePrimarySignatureAsync: Timestamp primary signature
fail: NuGetKeyVaultSignTool.Program[0]
      Unable to load shared library 'crypt32.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libcrypt32.dll: cannot open shared object file: No such file or directory
System.DllNotFoundException: Unable to load shared library 'crypt32.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libcrypt32.dll: cannot open shared object file: No such file or directory
   at NuGet.Packaging.Signing.NativeMethods.CryptMsgOpenToDecode(CMSG_ENCODING dwMsgEncodingType, CMSG_OPENTODECODE_FLAGS dwFlags, UInt32 dwMsgType, IntPtr hCryptProv, IntPtr pRecipientInfo, IntPtr pStreamInfo)
   at NuGet.Packaging.Signing.NativeCms.Decode(Byte[] input) in D:\dev\NuGet.Client\src\NuGet.Core\NuGet.Packaging\Signing\Native\NativeCms.cs:line 214
   at NuGet.Packaging.Signing.PrimarySignature.GetSignatureValue() in D:\dev\NuGet.Client\src\NuGet.Core\NuGet.Packaging\Signing\Signatures\PrimarySignature.cs:line 108
   at NuGetKeyVaultSignTool.KeyVaultSignatureProvider.TimestampPrimarySignatureAsync(SignPackageRequest request, ILogger logger, PrimarySignature signature, CancellationToken token) in /_/NuGetKeyVaultSignTool.Core/KeyVaultSignatureProvider.cs:line 211
   at NuGetKeyVaultSignTool.KeyVaultSignatureProvider.CreatePrimarySignatureAsync(SignPackageRequest request, SignatureContent signatureContent, ILogger logger, CancellationToken token) in /_/NuGetKeyVaultSignTool.Core/KeyVaultSignatureProvider.cs:line 53
   at NuGet.Packaging.Signing.SigningUtility.SignAsync(SigningOptions options, SignPackageRequest signRequest, CancellationToken token) in D:\dev\NuGet.Client\src\NuGet.Core\NuGet.Packaging\Signing\Utility\SigningUtility.cs:line 262
   at NuGetKeyVaultSignTool.SignCommand.SignAsync(String packagePath, String outputPath, String timestampUrl, Uri v3ServiceIndex, IReadOnlyList`1 packageOwners, SignatureType signatureType, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, Boolean overwrite, X509Certificate2 publicCertificate, RSA rsa, CancellationToken cancellationToken) in /_/NuGetKeyVaultSignTool.Core/SignCommand.cs:line 98
info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: End Signing nugetkeyvaultsigntool.3.0.45.nupkg

##[error]PowerShell exited with code '1'.
Finishing: Running NuGetKeyVaultSign

No output for unknown options

When I execute the tool with the same options as I use for AzureSignTool, I get no output, just the return code -1.

(Custom build of commit d2a1834 from master branch.)

(I've realized that the breaking option is --verbose. Which in this case has an opposite effect than one would expect :) )

Using wildcards ends up with exception

D:\codesign>NuGetKeyVaultSignTool sign **/OPCFoundation.*.nupkg --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --timestamp-digest sha256 --azure-key-vault-url <> --azure-key-vault-client-id <> --azure-key-vault-tenant-id <> --azure-key-vault-client-secret "" --azure-key-vault-certificate xyz
info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [D:\codesign\1.4.363-20200904.2-netcore3-preview\opcfoundation.netstandard.opc.ua.symbols.1.4.363-20200904.2-netcore3-preview.nupkg]: Begin Signing opcfoundation.netstandard.opc.ua.symbols.1.4.363-20200904.2-netcore3-preview.nupkg
warn: NuGetKeyVaultSignTool.Program[0]
      NuGet [D:\codesign\1.4.363-20200904.2-netcore3-preview\opcfoundation.netstandard.opc.ua.symbols.1.4.363-20200904.2-netcore3-preview.nupkg]: NU3018: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
fail: NuGetKeyVaultSignTool.Program[0]
      The filename, directory name, or volume label syntax is incorrect. : 'D:\codesign\**\OPCFoundation.*.nupkg'
System.IO.IOException: The filename, directory name, or volume label syntax is incorrect. : 'D:\codesign\**\OPCFoundation.*.nupkg'
   at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
   at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at System.IO.File.Open(String path, FileMode mode, FileAccess access)
D:\codesign>NugetKeyVaultSignTool --version

fix --> #77
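The wildcard reports on this page (the nupkg/snupkg feature request, "Tool cannot sign wildcard paths", "Tool cannot verify wildcard paths" and the `**` exception above, where the literal string `D:\codesign\**\OPCFoundation.*.nupkg` reached `File.Open`) all come down to one requirement: a pattern has to be expanded into concrete files, filtered to package files, and reported when it matches nothing, before any path is opened for signing or verification. The Python below is an added example written for this page, not NuGetKeyVaultSignTool's own code; the directory layout, file names and the `expand_packages`/`resolve_inputs` helpers are constructed for illustration.

```python
"""Expand NuGet package globs before signing or verifying (added example)."""
from __future__ import annotations

import glob
import os
import tempfile
from pathlib import Path

# Both package kinds a signing step should accept in one pass.
PACKAGE_SUFFIXES = (".nupkg", ".snupkg")
WILDCARD_CHARS = set("*?[")


def has_wildcard(path: str) -> bool:
    """True if the string still contains glob metacharacters (i.e. it is a pattern, not a file)."""
    return any(ch in WILDCARD_CHARS for ch in path)


def expand_packages(pattern: str, cwd: str | os.PathLike[str]) -> list[str]:
    """Return sorted absolute paths of .nupkg/.snupkg files matched by `pattern`.

    Relative patterns are resolved against `cwd`; `**` recurses into
    subdirectories; non-package files matched by a broad pattern such as
    "Packages/*.*" are dropped. A literal path is returned only if it exists.
    """
    full = pattern if os.path.isabs(pattern) else str(Path(cwd) / pattern)
    if not has_wildcard(full):
        return [os.path.abspath(full)] if os.path.isfile(full) else []
    matches = glob.glob(full, recursive=True)
    return sorted(
        os.path.abspath(m)
        for m in matches
        if os.path.isfile(m) and m.lower().endswith(PACKAGE_SUFFIXES)
    )


def resolve_inputs(patterns: list[str], cwd) -> tuple[list[str], list[str]]:
    """Expand every pattern; return (unique files, patterns that matched nothing).

    The caller reports the second list as an error instead of passing the raw
    pattern on to the file system, which is what produced the IOException above.
    """
    files: list[str] = []
    unmatched: list[str] = []
    for pat in patterns:
        found = expand_packages(pat, cwd)
        if not found:
            unmatched.append(pat)
        files.extend(f for f in found if f not in files)
    return files, unmatched


def build_sample_tree(root: Path) -> None:
    """Create a constructed package layout (sample data, not from the issues)."""
    for rel in [
        "Packages/App.1.0.0.nupkg",
        "Packages/App.1.0.0.snupkg",
        "Packages/notes.txt",
        "out/net6.0/OPCFoundation.Core.1.0.0.nupkg",
        "out/net6.0/Other.Lib.1.0.0.nupkg",
        "test/1.nupkg",
        "test/2.nupkg",
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"PK\x03\x04")  # placeholder zip magic, not a real package


def run_demo() -> dict[str, list[str]]:
    """Expand the patterns quoted in the issues against the sample tree.

    Results are returned relative to the temp root, with '/' separators, so
    they are stable across runs.
    """
    patterns = [
        "Packages/*.nupkg",             # current behaviour: .nupkg only
        "Packages/*nupkg",              # feature request: both kinds in one pass
        "Packages/*.*",                 # broad pattern; notes.txt is filtered out
        "**/OPCFoundation.*.nupkg",     # recursive pattern from the exception report
        "test/*.nupkg",                 # pattern from the verify report
        "missing/*.nupkg",              # matches nothing: reported, never opened
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        results: dict[str, list[str]] = {}
        for pat in patterns:
            files = expand_packages(pat, root)
            results[pat] = [Path(os.path.relpath(f, root)).as_posix() for f in files]
        _, unmatched = resolve_inputs(patterns, root)
        results["<unmatched>"] = unmatched
    return results


if __name__ == "__main__":
    for pattern, files in run_demo().items():
        print(f"{pattern}: {files}")
```

Note that Python's `glob` treats a backslash as an ordinary character on Linux, so a CI wrapper that receives Windows-style patterns like the one in the "Tool cannot sign wildcard paths" log should normalise separators before expansion.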
