
Only allow NuGet packages signed by trusted authors

Open duncanp-lseg opened this issue 4 years ago • 2 comments

Description

NuGet supports limiting package restore to packages signed by trusted authors. We should add this as an extra level of checking/defence.

e.g.

  <configuration>
    <config>
      <add key="signatureValidationMode" value="require" />
    </config>
    <trustedSigners>
      <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
        <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D"
                     hashAlgorithm="SHA256"
                     allowUntrustedRoot="false" />
          ...
      </repository>
    </trustedSigners>
  </configuration>

duncanp-lseg avatar Sep 16 '21 14:09 duncanp-lseg

Check with @andrei-epure-sonarsource whether there are any other steps we should take.

duncanp-lseg avatar Sep 15 '22 10:09 duncanp-lseg

This is the main step, as you only use a single source. You can have a look at the sonar-dotnet sample.

  • there are two repository signatures for old and new NuGet packages (old packages didn't get re-signed when the certificate expired)
  • we mention who the author is in a comment, to identify it
  • ideally use an <author> signature for packages that are signed by the author (because the repository signature is automatic for everything that gets uploaded to nuget.org)
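The following is an added example, not code from this issue or from the sonar-dotnet sample it refers to. It shows a complete NuGet.config of the shape discussed in the thread (validation mode `require`, a cleared source list, both nuget.org repository certificates, an `<owners>` restriction and a separate `<author>` signer) beside a weak configuration, and a small lint that flags the weak settings so the file can be checked in CI. Only the first nuget.org fingerprint is the one quoted above; the second repository fingerprint, the author fingerprint, the owner name and the author name are hypothetical placeholders, and the "every feed has a repository signer" check is a local policy choice, not a NuGet requirement.

```python
"""Lint a NuGet.config for the trusted-signer hardening discussed above."""
import re
import xml.etree.ElementTree as ET

# Hypothetical placeholder fingerprints: real values come from the signer's
# published certificate (or `dotnet nuget trust sync <name>`), not from here.
FAKE_OLD_NUGET_ORG_FP = "1" * 64
FAKE_AUTHOR_FP = "2" * 64

# Constructed hardened NuGet.config. Two repository certificates are listed
# because older packages keep the signature made with the expired certificate.
HARDENED_CONFIG = f"""<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="{FAKE_OLD_NUGET_ORG_FP}"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>ExampleOwner</owners>
    </repository>
    <author name="Example Author">
      <certificate fingerprint="{FAKE_AUTHOR_FP}"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
"""

# Constructed weak config: default 'accept' mode (signature problems are only
# logged), inherited feeds not cleared, an unpinned root, and a feed without
# any trusted signer.
WEAK_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://nuget.example.internal/v3/index.json" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D"
                   hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </repository>
  </trustedSigners>
</configuration>
"""

FINGERPRINT_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}


def lint_nuget_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)

    # 1. Validation mode must be 'require'; 'accept' (the default) only warns.
    mode = None
    for add in root.findall("./config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            mode = add.get("value", "")
    if (mode or "").lower() != "require":
        findings.append(f"signatureValidationMode is {mode!r}, expected 'require'")

    # 2. Start from an empty source list so feeds inherited from user-level or
    #    machine-level NuGet.config files cannot add an untrusted source.
    sources = root.find("./packageSources")
    if sources is None or len(sources) == 0 or sources[0].tag != "clear":
        findings.append("packageSources should begin with <clear />")

    # 3. Every certificate entry is well-formed and chains to a trusted root.
    signers = root.find("./trustedSigners")
    if signers is None or len(signers) == 0:
        findings.append("no trustedSigners defined")
        return findings
    for signer in signers:
        label = f"{signer.tag} {signer.get('name')!r}"
        for cert in signer.findall("certificate"):
            algo = cert.get("hashAlgorithm", "").upper()
            expected = FINGERPRINT_LEN.get(algo)
            if expected is None:
                findings.append(f"{label}: unsupported hashAlgorithm {algo!r}")
            elif not re.fullmatch(rf"[0-9A-Fa-f]{{{expected}}}", cert.get("fingerprint", "")):
                findings.append(f"{label}: fingerprint is not {expected} hex chars")
            if cert.get("allowUntrustedRoot", "false").lower() != "false":
                findings.append(f"{label}: allowUntrustedRoot must be false")

    # 4. Policy (not a NuGet rule): each feed gets a repository signer, so a
    #    package without an author signature is still covered.
    repo_indexes = {r.get("serviceIndex") for r in signers.findall("repository")}
    if sources is not None:
        for add in sources.findall("add"):
            if add.get("value") not in repo_indexes:
                findings.append(f"source {add.get('key')!r} has no trusted repository signer")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_nuget_config(cfg) or "OK")
```

The lint is a static check only; the signatures themselves are verified by NuGet at restore time, and `dotnet nuget verify --all <package.nupkg>` prints the fingerprints actually present on a package so the placeholders above can be replaced with real values.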