
Allow for Publishing "Packed" Modules to PSGallery

Open SydneyhSmith opened this issue 1 year ago • 2 comments

Summary of the new feature / enhancement

PSResourceGet Pack and Push

Goals

  1. Allow for publishing signed PowerShell modules as nupkgs to PSGallery and ACR (what defines a module? It needs a psd1)
  2. Allow for publishing nuspec dependencies into ACR
  3. Create a new cmd for packing a PowerShell module

"Pack" design

Compress-PSResource [-Path] <String[]> [-DestinationPath] <String> [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]

"Push" design

Add an additional parameter set which takes a path to a nupkg

Publish-PSResource -NupkgPath "myPathtoNupkg" -Repository [Container] [PSGallery] -APIkey -SkipDependencyCheck

Screening for Modules

At this time PSGallery will only support this feature for modules, not arbitrary nupkgs

Proposed technical implementation details (optional)

No response

SydneyhSmith avatar Apr 15 '24 16:04 SydneyhSmith

Related issues #1393 #310

SydneyhSmith avatar Apr 15 '24 16:04 SydneyhSmith

Using NuGet Version: 6.9.1.3 (https://www.nuget.org/downloads)

Symptom
nuget verify -Signatures "%USERPROFILE%\Downloads\name.major.minor.patch.nupkg"

Verifying name.major.minor.patch
%USERPROFILE%\Downloads\name.major.minor.patch.nupkg

Finished with 1 errors and 0 warnings.
NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an invalid value (8).

Package signature validation failed.

Expected
Original unmangled NuGet package PSModule.

Signature Hash Algorithm: SHA256

Signature type: Author
Verifying the author primary signature with certificate:

  Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  ...
  
  Successfully verified package 'name.major.minor.patch'.

Problem
Publishing process unpacks, extracts metadata, updates (rewrites and appends tags), and repacks.

Comparing package content of original to published, PSGallery modifies package:

  • Updates (appends) values in [Content_Types].xml
  • Adds PSGetModuleInfo.xml file
  • Updates *.nuspec by removing metadata entries and updating tags.

These repackaging changes invalidate the .signature.p7s file.

See also https://github.com/NuGet/Home/wiki/Package-Immutability

aluty avatar Apr 26 '24 01:04 aluty
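To make the repack problem above concrete, here is an added example (mine, not PSResourceGet or NuGet code) that builds a constructed author-signed nupkg and a repacked copy, diffs their entries, and reproduces the structural part of the NU3005 check: the `.signature.p7s` entry must be stored (method 0), not deflated (method 8). Module name, file contents and the signature bytes are made up.

```python
import io
import zipfile

# Constructed example, not PSResourceGet or NuGet code. A .nupkg is a zip; NuGet requires
# the .signature.p7s entry to be stored (method 0), and a repack that deflates it gives NU3005.
SIGNATURE_ENTRY = ".signature.p7s"

def build_nupkg(entries, signature_method=zipfile.ZIP_STORED):
    """Build an in-memory .nupkg from {name: bytes}; only the signature entry uses signature_method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            method = signature_method if name == SIGNATURE_ENTRY else zipfile.ZIP_DEFLATED
            zf.writestr(name, data, compress_type=method)
    return buf.getvalue()

def check_signature_entry(nupkg_bytes):
    """Structural part of the NU3005 check: signature entry present and stored uncompressed."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        if SIGNATURE_ENTRY not in zf.namelist():
            return False, "unsigned: no .signature.p7s entry"
        method = zf.getinfo(SIGNATURE_ENTRY).compress_type
        if method != zipfile.ZIP_STORED:
            return False, f"compression method {method} on {SIGNATURE_ENTRY}, expected 0"
        return True, "signature entry stored uncompressed"

def diff_entries(original, published):
    """Entries added, removed or modified (by CRC) between two packages: the footprint of a repack."""
    def table(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {i.filename: i.CRC for i in zf.infolist()}
    a, b = table(original), table(published)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}

# Constructed sample: a signed module, then the same module after a gallery-style repack
# that rewrites the nuspec tags, adds PSGetModuleInfo.xml and deflates the signature entry.
ORIGINAL = build_nupkg({
    "[Content_Types].xml": b"<Types/>",
    "MyModule.nuspec": b"<metadata><tags>x</tags></metadata>",
    "MyModule.psd1": b"@{ ModuleVersion = '1.0.0' }",
    SIGNATURE_ENTRY: b"PKCS7-placeholder"})
REPUBLISHED = build_nupkg({
    "[Content_Types].xml": b"<Types><Default Extension='xml'/></Types>",
    "MyModule.nuspec": b"<metadata><tags>x PSModule</tags></metadata>",
    "MyModule.psd1": b"@{ ModuleVersion = '1.0.0' }",
    "PSGetModuleInfo.xml": b"<Objs/>",
    SIGNATURE_ENTRY: b"PKCS7-placeholder"}, signature_method=zipfile.ZIP_DEFLATED)
```

Running `diff_entries(ORIGINAL, REPUBLISHED)` lists exactly the three kinds of change described in the comment above, and `check_signature_entry(REPUBLISHED)` fails on the deflated signature entry even though its bytes are untouched.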

[screenshots: internals, sigverify]

I didn't timestamp or move my self-issued cert to root, so there are some errors with the signature. Also the package is named PowerShellGet2.5.5.nupkg

Is this what we want to see from the Compress-PSResource?

jshigetomi avatar Jul 30 '24 15:07 jshigetomi

FYI @ThomasNieto, linked PR in case you wanted to take a look

SydneyhSmith avatar Aug 06 '24 17:08 SydneyhSmith