novotnyllc / nugetkeyvaultsigntool
Sign NuGet packages using certificates in Azure Key Vault
License: MIT License
Hey,
Is there an option to use an access token or MSI instead of id/secret?
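The page does not show how the tool itself authenticates, so the following is an added illustration (not the tool's code) of the alternative the question asks about. It uses the Azure.Identity library the tool already depends on: a client secret is used only when one is supplied, otherwise DefaultAzureCredential picks up the host's managed identity (or a developer login locally). It then checks that the Key Vault key really pairs with the certificate by signing a probe in the vault and verifying it against the certificate's public key. The vault URL, certificate name and environment variable names are placeholders, and the Azure.Security.KeyVault.Keys package is assumed alongside Azure.Security.KeyVault.Certificates.

```csharp
// Added example (not NuGetKeyVaultSignTool's own code): authenticate to Key Vault without a
// client secret where one is available, then prove the vault key matches the certificate.
// Assumes packages Azure.Identity, Azure.Security.KeyVault.Certificates and
// Azure.Security.KeyVault.Keys; the vault URL and certificate name are placeholders.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Keys.Cryptography;

static class KeyVaultSigningCheck
{
    // Pick a credential from the environment: an explicit client secret only when one is
    // provided; otherwise the identity of the host (managed identity in Azure, or the
    // developer's az login / VS credential locally). No secret is stored in the pipeline.
    public static TokenCredential SelectCredential()
    {
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");     // placeholder names
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string secret   = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");

        if (!string.IsNullOrEmpty(tenantId) && !string.IsNullOrEmpty(clientId) && !string.IsNullOrEmpty(secret))
            return new ClientSecretCredential(tenantId, clientId, secret);

        // DefaultAzureCredential tries environment, managed identity, CLI, Visual Studio, ... in order.
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = clientId   // user-assigned identity when AZURE_CLIENT_ID is set
        });
    }

    // Sign a probe with the key held in Key Vault (the private key never leaves the vault)
    // and verify it with the public certificate. A mismatch means the certificate and key
    // named in CI do not belong together, which would otherwise surface later as a package
    // signature that fails verification.
    public static async Task<bool> KeyMatchesCertificateAsync(Uri vaultUri, string certificateName, TokenCredential credential)
    {
        var certClient = new CertificateClient(vaultUri, credential);
        KeyVaultCertificateWithPolicy kvCert = (await certClient.GetCertificateAsync(certificateName)).Value;

        // Public certificate (DER) and the key identifier of the matching private key.
        using var publicCert = new X509Certificate2(kvCert.Cer);
        var cryptoClient = new CryptographyClient(kvCert.KeyId, credential);

        byte[] data = Encoding.UTF8.GetBytes("key vault signing probe");   // constructed input
        SignResult signed = await cryptoClient.SignDataAsync(SignatureAlgorithm.RS256, data);

        // RS256 = RSASSA-PKCS1-v1_5 with SHA-256, so verify with the same parameters locally.
        using RSA rsa = publicCert.GetRSAPublicKey();
        return rsa != null && rsa.VerifyData(data, signed.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static async Task<int> Main(string[] args)
    {
        var vaultUri = new Uri(args.Length > 0 ? args[0] : "https://example-vault.vault.azure.net/"); // placeholder
        string certName = args.Length > 1 ? args[1] : "example-cert";                                  // placeholder
        bool ok = await KeyMatchesCertificateAsync(vaultUri, certName, SelectCredential());
        Console.WriteLine(ok ? "Key Vault key matches certificate" : "MISMATCH: key does not match certificate");
        return ok ? 0 : 1;
    }
}
```

With a managed identity there is no secret to put into pipeline variables at all; the identity only needs the certificate get and key sign permissions on the vault, and the signing key itself stays in Key Vault in both cases.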
When signing with the timestamp option -tr "http://ts.ssl.com" I get the error
"The timestamp certificate does not meet a minimum public key length requirement.
NuGet.Packaging.Signing.TimestampException: The timestamp certificate does not meet a minimum public key length requirement."
but -tr "http://timestamp.digicert.com" works fine.
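As an added example, not from the tool, of how a practitioner can check a TSA before wiring it into a pipeline: the C# program below requests an RFC 3161 token from the given TSA URL over constructed data, lets .NET's Rfc3161TimestampRequest validate the response against the request, and reports the size of the key that signed the token, which is what a "minimum public key length" check looks at. The 2048-bit threshold is an assumption about the minimum being enforced, and the program needs network access to the TSA.

```csharp
// Added example (not part of NuGetKeyVaultSignTool): ask an RFC 3161 TSA for a token over
// constructed data and report the key size of the certificate that signed it.
// Requires network access to the TSA. Needs System.Security.Cryptography.Pkcs.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class TsaProbe
{
    // Assumption: 2048-bit RSA is the floor being enforced; adjust if your policy differs.
    public const int MinimumRsaKeyBits = 2048;

    public static async Task<Rfc3161TimestampToken> RequestTokenAsync(Uri tsaUrl, byte[] data)
    {
        // Fresh nonce so a replayed old token would be rejected by ProcessResponse.
        var nonce = new byte[16];
        RandomNumberGenerator.Fill(nonce);

        // Hash the data with SHA-256 and ask the TSA to include its signing certificate.
        Rfc3161TimestampRequest request = Rfc3161TimestampRequest.CreateFromData(
            data, HashAlgorithmName.SHA256,
            nonce: new ReadOnlyMemory<byte>(nonce),
            requestSignerCertificates: true);

        using var http = new HttpClient();
        using var content = new ByteArrayContent(request.Encode());
        content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");

        using HttpResponseMessage response = await http.PostAsync(tsaUrl, content);
        response.EnsureSuccessStatusCode();
        byte[] reply = await response.Content.ReadAsByteArrayAsync();

        // ProcessResponse checks that the token answers this request (hash, nonce, policy).
        return request.ProcessResponse(reply, out _);
    }

    // Subject of the TSA signing certificate and its RSA key size (0 if the key is not RSA).
    public static (string Subject, int RsaKeyBits) DescribeSigner(Rfc3161TimestampToken token)
    {
        if (!token.TryGetSignerCertificate(out X509Certificate2 signer))
            throw new CryptographicException("TSA did not include its signing certificate in the token");
        using RSA rsa = signer.GetRSAPublicKey();
        return (signer.Subject, rsa?.KeySize ?? 0);
    }

    public static async Task<int> Main(string[] args)
    {
        var tsaUrl = new Uri(args.Length > 0 ? args[0] : "http://timestamp.digicert.com");
        Rfc3161TimestampToken token = await RequestTokenAsync(tsaUrl, new byte[] { 1, 2, 3 }); // constructed data
        (string subject, int bits) = DescribeSigner(token);

        Console.WriteLine($"TSA signer: {subject}");
        Console.WriteLine($"Key size:   {bits} bits, token time: {token.TokenInfo.Timestamp:u}");
        bool ok = bits >= MinimumRsaKeyBits;
        Console.WriteLine(ok ? "meets the assumed minimum" : $"BELOW the assumed minimum of {MinimumRsaKeyBits} bits");
        return ok ? 0 : 1;
    }
}
```

Running it against each candidate TSA URL shows which one would trip the check before a release pipeline does; the nonce and requestSignerCertificates flag are what make the returned token self-describing enough to inspect offline afterwards.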
Hi, first of all, thanks for this great tool.
I stumbled upon a minor issue: although the tool supports wildcards (e.g. Packages/*.nupkg or Packages/*.snupkg), it is unwilling to sign both *.nupkg and *.snupkg files at the same time (Packages/*.* or Packages/*nupkg); it will only sign the *.nupkg ones. This means that CI pipelines need to call NuGetKeyVaultSignTool twice instead of once, with a ton of parameters.
For some reason, when run within an Azure DevOps release task it is not working, erroring out saying "KeyVault URL not specified".
As you can see from the log it is specified (also tried -kvu) but still erroring on that step:
2019-05-02T18:02:54.3830516Z nugetkeyvaultsigntool sign D:\a\r1\a\_Alexa.NET-master\drop\*.nupkg -file-digest sha256 -timestamp-rfc3161 "http://timestamp.digicert.com" --timestamp-digest sha256 --azure-key-vault-url "REMOVED_FOR_THIS_ISSUE_POST" --azure-key-vault-client-id "***" --azure-key-vault-client-secret "***" --azure-key-vault-certificate "***"
2019-05-02T18:03:00.1332781Z fail: NuGetKeyVaultSignTool.Program[0]
2019-05-02T18:03:00.1333613Z Key Vault URL not specified
Most relevant to dotnet/sign is net5.0 for NuGetKeyVaultSignTool.Core:
E:\git\NuGetKeyVaultSignTool>dotnet list package --outdated
The following sources were used:
https://api.nuget.org/v3/index.json
https://pkgs.dev.azure.com/dotnet/NuGetPackageExplorer/_packaging/BuildPackages/nuget/v3/index.json
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
https://dnceng.pkgs.visualstudio.com/public/_packaging/dotnet7/nuget/v3/index.json
https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json
Project `NuGetKeyVaultSignTool` has the following updates to its packages
[netcoreapp3.1]:
Top-level Package Requested Resolved Latest
> Azure.Identity 1.5.0 1.5.0 1.8.0
> Microsoft.Extensions.DependencyInjection 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.Extensions.Logging.Console 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0 1.1.1
> Nerdbank.GitVersioning 3.4.244 3.4.244 3.5.119
[net5.0]:
Top-level Package Requested Resolved Latest
> Azure.Identity 1.5.0 1.5.0 1.8.0
> Microsoft.Extensions.DependencyInjection 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.Extensions.Logging.Console 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0 1.1.1
> Nerdbank.GitVersioning 3.4.244 3.4.244 3.5.119
[net6.0]:
Top-level Package Requested Resolved Latest
> Azure.Identity 1.5.0 1.5.0 1.8.0
> Microsoft.Extensions.DependencyInjection 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.Extensions.Logging.Console 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0 1.1.1
> Nerdbank.GitVersioning 3.4.244 3.4.244 3.5.119
Project `NuGetKeyVaultSignTool.Core` has the following updates to its packages
[netcoreapp3.1]:
Top-level Package Requested Resolved Latest
> Azure.Security.KeyVault.Certificates 4.2.0 4.2.0 4.4.0
> Microsoft.Extensions.Logging 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0 1.1.1
> Nerdbank.GitVersioning 3.4.244 3.4.244 3.5.119
> NuGet.Packaging 6.0.0-xprivate.60026 6.0.0-xprivate.60026 6.4.0
> NuGet.Protocol 6.0.0-xprivate.60026 6.0.0-xprivate.60026 6.4.0
> System.Security.Cryptography.Pkcs 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
[net5.0]:
Top-level Package Requested Resolved Latest
> Azure.Security.KeyVault.Certificates 4.2.0 4.2.0 4.4.0
> Microsoft.Extensions.Logging 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0 1.1.1
> Nerdbank.GitVersioning 3.4.244 3.4.244 3.5.119
> NuGet.Packaging 6.0.0-preview.4.243 6.0.0-preview.4.243 6.4.0
> NuGet.Protocol 6.0.0-preview.4.243 6.0.0-preview.4.243 6.4.0
> System.Security.Cryptography.Pkcs 6.0.0-rc.2.21480.5 6.0.0-rc.2.21480.5 7.0.0
>dotnet tool install --global NuGetKeyVaultSignTool
You can invoke the tool using the following command: NuGetKeyVaultSignTool
Tool 'nugetkeyvaultsigntool' (version '3.2.3') was successfully installed.
>NuGetKeyVaultSignTool --version
3.2.0
Following the tutorial in readme.md, I get the following error as the only output of the NuGetKeyVaultSignTool.exe command:
Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Extensions.CommandLineUtils, Version=1.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60'. The system cannot find the file specified.
at NuGetKeyVaultSignTool.Program.Main(String[] args)
The version installed is 1.2.3.
I've built the tool myself as a work-around.
Should add some tests to be able to quickly validate new capabilities
For a package that is signed using NuGetKeyVaultSignTool and passes validation on nuget.org, I get this output:
(sensitive data replaced by ***)
Signature Hash Algorithm: SHA256
Timestamp: 09.01.2019 15:43:58
Verifying author primary signature's timestamp with timestamping service certificate:
Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SHA1 hash: ***
SHA256 hash: ***
Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Valid from: 23.12.2017 1:00:00 to 23.03.2029 0:59:59
Subject Name: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SHA1 hash: ***
SHA256 hash: ***
Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Valid from: 12.01.2016 1:00:00 to 12.01.2031 0:59:59
Subject Name: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SHA1 hash: ***
SHA256 hash: ***
Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Valid from: 02.04.2008 2:00:00 to 02.12.2037 0:59:59
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: ***
SHA1 hash: ***
SHA256 hash: ***
Issued by: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Valid from: 27.07.2017 2:00:00 to 23.09.2020 1:59:59
The author primary signature validation failed.
System.Security.Cryptography.CryptographicException: Unknown algorithm '1.2.840.113549.1.1.11'.
at System.Security.Cryptography.Pkcs.SignerInfo.Verify(X509Certificate2Collection extraStore, X509Certificate2 certificate, Boolean verifySignatureOnly)
at NuGet.Packaging.Signing.Signature.Verify(Timestamp timestamp, SignatureVerifySettings settings, HashAlgorithmName fingerprintAlgorithm, X509Certificate2Collection certificateExtraStore)
Finished with 1 errors and 0 warnings.
Signature is invalid
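As an added diagnostic, not part of NuGetKeyVaultSignTool or NuGet: the C# program below reads the .signature.p7s entry that NuGet stores at the root of a signed package, decodes it as CMS and prints the signer's digest and signature algorithm OIDs, the result of checking only the signature value (the step that throws "Unknown algorithm" above), and the embedded RFC 3161 timestamp. The OID in the error, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption, which the dump shows through the OID's friendly name; the attribute OID used for the timestamp token is the standard id-smime-aa-timeStampToken value.

```csharp
// Added example (not the tool's or NuGet's code): dump what is in a package's primary
// signature so an "Unknown algorithm" failure can be matched to the OID in use.
// Needs System.Security.Cryptography.Pkcs.
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class NupkgSignatureDump
{
    // id-smime-aa-timeStampToken: the unsigned attribute that carries the RFC 3161 token.
    const string TimeStampTokenOid = "1.2.840.113549.1.9.16.2.14";

    // A .nupkg is a zip; a signed one contains ".signature.p7s" at its root.
    public static byte[] ReadSignatureFile(string nupkgPath)
    {
        using ZipArchive zip = ZipFile.OpenRead(nupkgPath);
        ZipArchiveEntry entry = zip.GetEntry(".signature.p7s")
            ?? throw new InvalidDataException("package is not signed (no .signature.p7s entry)");
        using Stream s = entry.Open();
        using var ms = new MemoryStream();
        s.CopyTo(ms);
        return ms.ToArray();
    }

    public static void Dump(byte[] p7s)
    {
        var cms = new SignedCms();
        cms.Decode(p7s);

        foreach (SignerInfo signer in cms.SignerInfos)
        {
            X509Certificate2 cert = signer.Certificate;
            Console.WriteLine($"Signer: {cert?.Subject}");
            Console.WriteLine($"  digest algorithm:    {signer.DigestAlgorithm.Value} ({signer.DigestAlgorithm.FriendlyName})");
            Console.WriteLine($"  signature algorithm: {signer.SignatureAlgorithm.Value} ({signer.SignatureAlgorithm.FriendlyName})");
            if (cert != null)
            {
                using RSA rsa = cert.GetRSAPublicKey();
                Console.WriteLine($"  RSA key size: {rsa?.KeySize}");
            }

            // Verify the CMS signature value only (no chain building). This is the same
            // SignerInfo.Verify path as in the report above, so a platform that lacks the
            // algorithm fails here as well.
            try
            {
                signer.CheckSignature(verifySignatureOnly: true);
                Console.WriteLine("  signature value: OK");
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine($"  signature value: FAILED ({ex.Message})");
            }

            foreach (CryptographicAttributeObject attr in signer.UnsignedAttributes)
            {
                if (attr.Oid.Value != TimeStampTokenOid) continue;
                foreach (AsnEncodedData value in attr.Values)
                {
                    if (!Rfc3161TimestampToken.TryDecode(value.RawData, out Rfc3161TimestampToken token, out _)) continue;
                    token.TryGetSignerCertificate(out X509Certificate2 tsa);
                    Console.WriteLine($"  timestamp: {token.TokenInfo.Timestamp:u} by {tsa?.Subject}");
                    Console.WriteLine($"  timestamp hash algorithm: {token.TokenInfo.HashAlgorithmId.Value}");
                }
            }
        }
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: NupkgSignatureDump <package.nupkg>");
            return 2;
        }
        Dump(ReadSignatureFile(args[0]));
        return 0;
    }
}
```

Running the dump on the same machine that reports "Unknown algorithm" separates a malformed signature from a platform that cannot verify a valid one: the OIDs and key size come straight from the decoded structure, while the CheckSignature result reflects the local crypto stack.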
Passing a null timestamp service URL will cause an exception here. Also, KeyVaultSignatureProvider requires a timestamp provider.
When I try to use this tool with an Azure DevOps hosted agent (ubuntu-20.04) I get the following error:
info: NuGetKeyVaultSignTool.Program[0]
SignAsync [/home/vsts/work/1/a/packed/tool-devops.1.0.0-rc.nupkg]: Begin Signing tool-devops.1.0.0-rc.nupkg
fail: NuGetKeyVaultSignTool.Program[0]
NuGet [/home/vsts/work/1/a/packed/tool-devops.1.0.0-rc.nupkg]: NU3018: PartialChain: unable to get local issuer certificate
fail: NuGetKeyVaultSignTool.Program[0]
Certificate chain validation failed.
NuGet.Packaging.Signing.SignatureException: Certificate chain validation failed.
at NuGet.Packaging.Signing.CertificateChainUtility.GetCertificateChain(X509Certificate2 certificate, X509Certificate2Collection extraStore, ILogger logger, CertificateType certificateType)
at NuGet.Packaging.Signing.SignPackageRequest.BuildSigningCertificateChainOnce(ILogger logger)
at NuGet.Packaging.Signing.SigningUtility.Verify(SignPackageRequest request, ILogger logger)
at NuGet.Packaging.Signing.SigningUtility.SignAsync(SigningOptions options, SignPackageRequest signRequest, CancellationToken token)
at NuGetKeyVaultSignTool.SignCommand.SignAsync(String packagePath, String outputPath, String timestampUrl, Uri v3ServiceIndex, IReadOnlyList`1 packageOwners, SignatureType signatureType, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, Boolean overwrite, X509Certificate2 publicCertificate, RSA rsa, CancellationToken cancellationToken) in /_/NuGetKeyVaultSignTool.Core/SignCommand.cs:line 98
I use a self-signed certificate!
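As an added, self-contained example (not the tool's code) of why a self-signed certificate hits NU3018 on a hosted agent: the C# program below creates a throwaway self-signed certificate, builds an X.509 chain for it against the system roots, which yields UntrustedRoot or PartialChain, and then builds it again with that certificate as a custom trust root, which succeeds. NuGet builds its chain against the machine's trust store, so the second run only shows what the agent is missing; provisioning that trust on the agent is OS specific and not covered here, and consumers of the package would not trust the certificate either. CustomRootTrust is available in .NET 5 and later.

```csharp
// Added example (not NuGetKeyVaultSignTool's code): reproduce a PartialChain/UntrustedRoot
// result with a throwaway self-signed certificate, then show chain building succeeding once
// that certificate is an explicitly trusted root. CustomRootTrust needs .NET 5 or later.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SelfSignedChainCheck
{
    // Constructed test certificate (public part only); not a real signing certificate.
    public static X509Certificate2 CreateSelfSigned(string subject = "CN=example self-signed")
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // Code-signing EKU, as a signing certificate would carry.
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.3") }, critical: false));
        using X509Certificate2 withKey = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        // Chain building only needs the public certificate.
        return new X509Certificate2(withKey.Export(X509ContentType.Cert));
    }

    // Build the chain against the system roots (what fails on the agent) or against a custom
    // trust store containing the certificate itself. Returns the combined chain status flags.
    public static X509ChainStatusFlags BuildChain(X509Certificate2 cert, bool trustCertAsRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // offline demo
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (trustCertAsRoot)
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(cert);
        }
        chain.Build(cert);
        var flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
            flags |= status.Status;
        return flags;
    }

    public static int Main()
    {
        using X509Certificate2 cert = CreateSelfSigned();
        X509ChainStatusFlags systemTrust = BuildChain(cert, trustCertAsRoot: false);
        X509ChainStatusFlags customTrust = BuildChain(cert, trustCertAsRoot: true);
        Console.WriteLine($"system roots : {systemTrust}");   // UntrustedRoot or PartialChain
        Console.WriteLine($"custom root  : {customTrust}");   // NoError
        return customTrust == X509ChainStatusFlags.NoError ? 0 : 1;
    }
}
```

The first result is the condition NuGet reports as NU3018; the certificate is not broken, it simply has no trusted issuer on that machine. Nothing in the signing tool can change that, because trust is decided by the verifier's store, not by the signer.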
NuGetKeyVaultSignTool --version
3.1.0
Tool 'nugetkeyvaultsigntool' (version '3.2.3')
>NuGetKeyVaultSignTool verify "test/*.nupkg"
Signature is valid
> NuGetKeyVaultSignTool verify "test/1.nupkg"
The package is not signed.
Finished with 1 errors and 0 warnings.
Signature is invalid
> NuGetKeyVaultSignTool verify "test/2.nupkg"
Signature is valid
You get this error message
Starting: Running NuGetKeyVaultSign
==============================================================================
Task : PowerShell
Description : Run a PowerShell script on Linux, macOS, or Windows
Version : 2.170.1
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command . '/home/vsts/work/_temp/c17c4719-86d3-4af9-a58b-f6fdd1a06816.ps1'
info: NuGetKeyVaultSignTool.Program[0]
SignAsync [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: Begin Signing nugetkeyvaultsigntool.3.0.45.nupkg
info: NuGetKeyVaultSignTool.Program[0]
NuGet [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: CreatePrimarySignatureAsync: Creating Primary signature
info: NuGetKeyVaultSignTool.Program[0]
NuGet [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: CreatePrimarySignatureAsync: Primary signature completed
info: NuGetKeyVaultSignTool.Program[0]
NuGet [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: CreatePrimarySignatureAsync: Timestamp primary signature
fail: NuGetKeyVaultSignTool.Program[0]
Unable to load shared library 'crypt32.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libcrypt32.dll: cannot open shared object file: No such file or directory
System.DllNotFoundException: Unable to load shared library 'crypt32.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libcrypt32.dll: cannot open shared object file: No such file or directory
at NuGet.Packaging.Signing.NativeMethods.CryptMsgOpenToDecode(CMSG_ENCODING dwMsgEncodingType, CMSG_OPENTODECODE_FLAGS dwFlags, UInt32 dwMsgType, IntPtr hCryptProv, IntPtr pRecipientInfo, IntPtr pStreamInfo)
at NuGet.Packaging.Signing.NativeCms.Decode(Byte[] input) in D:\dev\NuGet.Client\src\NuGet.Core\NuGet.Packaging\Signing\Native\NativeCms.cs:line 214
at NuGet.Packaging.Signing.PrimarySignature.GetSignatureValue() in D:\dev\NuGet.Client\src\NuGet.Core\NuGet.Packaging\Signing\Signatures\PrimarySignature.cs:line 108
at NuGetKeyVaultSignTool.KeyVaultSignatureProvider.TimestampPrimarySignatureAsync(SignPackageRequest request, ILogger logger, PrimarySignature signature, CancellationToken token) in /_/NuGetKeyVaultSignTool.Core/KeyVaultSignatureProvider.cs:line 211
at NuGetKeyVaultSignTool.KeyVaultSignatureProvider.CreatePrimarySignatureAsync(SignPackageRequest request, SignatureContent signatureContent, ILogger logger, CancellationToken token) in /_/NuGetKeyVaultSignTool.Core/KeyVaultSignatureProvider.cs:line 53
at NuGet.Packaging.Signing.SigningUtility.SignAsync(SigningOptions options, SignPackageRequest signRequest, CancellationToken token) in D:\dev\NuGet.Client\src\NuGet.Core\NuGet.Packaging\Signing\Utility\SigningUtility.cs:line 262
at NuGetKeyVaultSignTool.SignCommand.SignAsync(String packagePath, String outputPath, String timestampUrl, Uri v3ServiceIndex, IReadOnlyList`1 packageOwners, SignatureType signatureType, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, Boolean overwrite, X509Certificate2 publicCertificate, RSA rsa, CancellationToken cancellationToken) in /_/NuGetKeyVaultSignTool.Core/SignCommand.cs:line 98
info: NuGetKeyVaultSignTool.Program[0]
SignAsync [/home/vsts/work/1/s/.store/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool/3.0.45/nugetkeyvaultsigntool.3.0.45.nupkg]: End Signing nugetkeyvaultsigntool.3.0.45.nupkg
##[error]PowerShell exited with code '1'.
Finishing: Running NuGetKeyVaultSign
When I execute the tool with the same options as I use for AzureSignTool, I get no output; just the return code -1.
(Custom build of commit d2a1834 from the master branch.)
(I've realized that the breaking option is --verbose, which in this case has the opposite effect from what one would expect :) )
This should follow the NuGet sign tool and use the same smart defaults rather than have all arguments required.
D:\codesign>NuGetKeyVaultSignTool sign **/OPCFoundation.*.nupkg --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --timestamp-digest sha256 --azure-key-vault-url <> --azure-key-vault-client-id <> --azure-key-vault-tenant-id <> --azure-key-vault-client-secret "" --azure-key-vault-certificate xyz
info: NuGetKeyVaultSignTool.Program[0]
SignAsync [D:\codesign\1.4.363-20200904.2-netcore3-preview\opcfoundation.netstandard.opc.ua.symbols.1.4.363-20200904.2-netcore3-preview.nupkg]: Begin Signing opcfoundation.netstandard.opc.ua.symbols.1.4.363-20200904.2-netcore3-preview.nupkg
warn: NuGetKeyVaultSignTool.Program[0]
NuGet [D:\codesign\1.4.363-20200904.2-netcore3-preview\opcfoundation.netstandard.opc.ua.symbols.1.4.363-20200904.2-netcore3-preview.nupkg]: NU3018: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
fail: NuGetKeyVaultSignTool.Program[0]
The filename, directory name, or volume label syntax is incorrect. : 'D:\codesign\**\OPCFoundation.*.nupkg'
System.IO.IOException: The filename, directory name, or volume label syntax is incorrect. : 'D:\codesign\**\OPCFoundation.*.nupkg'
at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.IO.File.Open(String path, FileMode mode, FileAccess access)
D:\codesign>NugetKeyVaultSignTool --version
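Both the wildcard report earlier on this page (signing *.nupkg and *.snupkg in one run) and the ** failure above come down to glob expansion: in the trace above the pattern D:\codesign\**\OPCFoundation.*.nupkg reaches File.Open unexpanded. As an added example, not the tool's code, here is a C# helper that expands a package glob with Microsoft.Extensions.FileSystemGlobbing (an assumed package), which handles ** as well as patterns such as Packages/*nupkg, and returns a plain path unchanged when it contains no wildcard. Only paths that matched on disk are returned, so nothing with a wildcard is ever opened as a file.

```csharp
// Added example (not NuGetKeyVaultSignTool's code): expand a package glob so one invocation
// can match both *.nupkg and *.snupkg and a ** pattern is never passed to File.Open literally.
// Uses Microsoft.Extensions.FileSystemGlobbing (assumed package).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Microsoft.Extensions.FileSystemGlobbing;

static class PackageGlob
{
    static readonly char[] Wildcards = { '*', '?' };

    // Split e.g. "D:\codesign\**\OPCFoundation.*.nupkg" into the deepest fixed directory and
    // the pattern below it, then let the matcher walk the tree. A path without wildcards is
    // returned as-is when it exists, so plain file arguments keep working.
    public static IReadOnlyList<string> Expand(string pathOrGlob)
    {
        string full = Path.IsPathRooted(pathOrGlob)
            ? pathOrGlob
            : Path.Combine(Directory.GetCurrentDirectory(), pathOrGlob);

        if (full.IndexOfAny(Wildcards) < 0)
            return File.Exists(full) ? new[] { full } : Array.Empty<string>();

        // Walk up until the directory part contains no wildcard.
        string root = Path.GetDirectoryName(full);
        while (root != null && root.IndexOfAny(Wildcards) >= 0)
            root = Path.GetDirectoryName(root);
        if (root == null)
            throw new ArgumentException("glob has no fixed root directory", nameof(pathOrGlob));

        // Pattern relative to the root, with forward slashes for the matcher.
        string pattern = full.Substring(root.Length).TrimStart('\\', '/').Replace('\\', '/');

        var matcher = new Matcher(StringComparison.OrdinalIgnoreCase);
        matcher.AddInclude(pattern);
        return matcher.GetResultsInFullPath(root)
                      .OrderBy(p => p, StringComparer.OrdinalIgnoreCase)
                      .ToList();
    }

    public static int Main(string[] args)
    {
        int count = 0;
        foreach (string arg in args)
        {
            foreach (string file in Expand(arg))
            {
                Console.WriteLine(file);
                count++;
            }
        }
        if (count == 0) Console.Error.WriteLine("no packages matched");
        return count == 0 ? 1 : 0;
    }
}
```

With this expansion, Packages/*nupkg yields both package kinds in one pass, and a ** pattern with no matches fails with "no packages matched" rather than an IOException from the file system.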
fix --> #77