DOTNET_NUGET_SIGNATURE_VERIFICATION
Type of issue
Other (describe below)
Description
LINUX
Important
Although signed-package verification functionality was added in .NET 5 SDK's, the functionality isn't supported on Linux until .NET 6.0.400 SDK. Don't use signed-package verification with .NET SDK versions earlier than 6.0.400.
Prior to .NET 8 SDK, verification is disabled by default during package restore operations. To opt in, set the environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION to true.
After a clean install on Arch Linux via the install.sh script, I proceeded to install the maui-android NuGet package with the following command:
dotnet workload install android-maui
The NuGet package signature verification is skipped (see [output.txt](https://github.com/dotnet/docs/files/15326820/output.txt)).
As quoted above, the documentation says that prior to .NET 8 SDK verification is disabled by default, so I assume that the verification on version 8.0.204 should be enabled by default.
Page URL
https://learn.microsoft.com/en-us/dotnet/core/tools/nuget-signed-package-verification
Content source URL
https://github.com/dotnet/docs/blob/main/docs/core/tools/nuget-signed-package-verification.md
Document Version Independent Id
ccd7b834-2f46-7bff-fbd4-1409650da1cb
Article author
@dtivel
Metadata
- ID: 4b107641-a326-0701-0406-c29627550fa5
- Service: dotnet-fundamentals
Hi, @GaSkia. Thanks for the feedback.
The default behavior of NuGet signed package verification (and the DOTNET_NUGET_SIGNATURE_VERIFICATION environment variable) on Linux only applies to NuGet restore operations. .NET SDK install/update operations for dotnet workload and dotnet tool do not inherit NuGet's default restore behavior because they are not restore operations (e.g.: dotnet restore or dotnet build, which implicitly restores). The dotnet workload and dotnet tool commands use NuGet packages, but the .NET SDK performs its own verification. Perhaps documentation would be clearer if it said that dotnet workload and dotnet tool commands are not affected by NuGet's default restore behavior?
The .NET SDK team disabled automatic verification in their workload command via https://github.com/dotnet/sdk/pull/24590. I believe they are planning on adding it back via https://github.com/dotnet/sdk/issues/37469. However, this disablement/enablement is independent of NuGet restore operations.
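As an added example (not part of the issue thread or of the .NET documentation), the following POSIX shell wrapper for a Linux CI job applies the two rules quoted from the docs to restore operations only: it refuses to rely on verification with an SDK older than 6.0.400, and otherwise sets DOTNET_NUGET_SIGNATURE_VERIFICATION explicitly so the job does not depend on the SDK's default. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate NuGet signed-package verification for restore on Linux.
# Per the reply above, this setting affects restore operations (dotnet restore,
# dotnet build); dotnet workload and dotnet tool do their own verification.

MIN_SDK="6.0.400"   # first SDK with Linux support, per the docs quoted above

# sdk_version_ge A B: succeed when A >= B, comparing major.minor.patch numerically.
sdk_version_ge() {
    va=${1%%-*}; vb=${2%%-*}          # drop a pre-release suffix such as "-preview.1"
    case "$va$vb" in *[!0-9.]*|'') return 2 ;; esac   # refuse unparseable input
    for _field in 1 2 3; do
        fa=${va%%.*}; fb=${vb%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case "$va" in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case "$vb" in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 0
}

# restore_verification_setting SDK_VERSION: print the assignment to export before
# a restore, or fail when the SDK cannot verify signatures on Linux.
restore_verification_setting() {
    if ! sdk_version_ge "$1" "$MIN_SDK"; then
        echo "SDK $1 is older than $MIN_SDK: signed-package verification unsupported on Linux" >&2
        return 1
    fi
    echo "DOTNET_NUGET_SIGNATURE_VERIFICATION=true"
}

# verified_restore [args...]: run dotnet restore with verification explicitly on.
verified_restore() {
    sdk=$(dotnet --version) || return 1
    setting=$(restore_verification_setting "$sdk") || return 1
    env "$setting" dotnet restore "$@"
}
```

Call `verified_restore` in place of `dotnet restore` in the job.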