
Certificate trust list needs to be backported to 6.0.3xx (and maybe 6.0.1xx)


Describe the bug

.NET SDK 6.0.4xx introduced a new embedded certificate trust list. Older SDK versions (including LTS 6.0.3xx and 6.0.1xx) rely primarily on the certificate trust list provided by the operating system (which of course varies from OS to OS).

There are two bugs related to this functionality:

  1. The new certificate trust list includes the Microsoft Time Stamping service certificate trust, which does not exist as a trust in any OS. Therefore, attempting to verify a signed package using this certificate fails on all operating systems unless the user upgrades to a new enough 6.0.4xx SDK. This affects new packages signed by the new .NET Foundation code signature process, since it uses the Microsoft Time Stamping service. (Users will experience this as NU3003)
  2. The certificate used for repository countersignature in nuget.org has shifted from Symantec to DigiCert, related to the feature discussion for the new certificate trust list. Unfortunately, some OSes (like Ubuntu 22.04) have already revoked their trust for the Symantec root certificate. This affects older packages countersigned by NuGet before the move to DigiCert. (Users will probably experience this as NU3028)

In my opinion, all LTS versions need this functionality, not just 6.0.4xx.

To Reproduce

Microsoft Time Stamping service

  1. Download xunit package version 2.5.0: https://www.nuget.org/api/v2/package/xunit/2.5.0
  2. Run dotnet nuget verify --all xunit.2.5.0.nupkg

Here are the results with 6.0.314 (latest as of this writing):

And here are the results with 6.0.411 (latest as of this writing):

Example images are shown from Linux (as it was the easiest way to quickly move between versions), but this is also reproducible with Windows.

Symantec Time Stamping service

On a non-Windows machine:

  1. Download xunit package version 2.4.2: https://www.nuget.org/api/v2/package/xunit/2.4.2
  2. Run dotnet nuget verify --all -v normal xunit.2.4.2.nupkg

Here are the results with 6.0.314 on Linux:

And here are the results with 6.0.411 on Linux:

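The two failure modes in the report can be told apart from saved `dotnet nuget verify` output and the SDK version that produced it. The helper below is an added example, not code from the issue or from the .NET SDK; the function names are hypothetical, and treating the whole 6.0.4xx band as carrying the embedded trust list is an assumption (the report says only "new enough" 4xx builds).

```shell
#!/bin/sh
# Added example: map NU3003/NU3028 in `dotnet nuget verify` output to the
# two causes described in the issue, based on the SDK feature band.

# 6.0.314 -> 3xx; anything that is not 6.0.NNN -> unknown.
sdk_band() {
    case "$1" in
        6.0.[0-9][0-9][0-9]) p=${1#6.0.}; echo "${p%??}xx" ;;
        *) echo unknown ;;
    esac
}

# $1 = SDK version (from `dotnet --version`); verify output on stdin.
# Prints one line per code found, or a single "no ..." line.
triage_verify() {
    band=$(sdk_band "$1")
    out=$(cat)
    found=0
    for code in NU3003 NU3028; do
        printf '%s\n' "$out" | grep -q "$code" || continue
        found=1
        case "$band:$code" in
            # Bands below 4xx rely primarily on the OS trust store.
            [123]xx:NU3003)
                echo "$code: expected on $band, Microsoft Time Stamping root is in no OS store" ;;
            [123]xx:NU3028)
                echo "$code: expected on $band if the OS dropped the Symantec root" ;;
            unknown:*)
                echo "$code: SDK band unknown, cannot attribute" ;;
            # Assumption: every 4xx build carries the embedded list.
            *)
                echo "$code: band $band should carry the embedded list, check SDK patch level and the package" ;;
        esac
    done
    [ "$found" -eq 1 ] || echo "no NU3003/NU3028 in output"
}
```

Typical use: `dotnet nuget verify --all xunit.2.5.0.nupkg 2>&1 | triage_verify "$(dotnet --version)"`.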

Issue Analytics

  • State: open
  • Created 2 months ago
  • Comments: 20 (17 by maintainers)

Top GitHub Comments

2 reactions
jaredpar commented, Jul 14, 2023

I have no power over our bot overlords.

1 reaction
bradwilson commented, Jul 14, 2023

Thank you for at least re-opening it again @jaredpar 😂
