Certificate trust list needs to be backported to 6.0.3xx (and maybe 6.0.1xx)
Describe the bug
.NET SDK 6.0.4xx introduced a new embedded certificate trust list. Older SDK versions (including LTS 6.0.3xx and 6.0.1xx) rely primarily on the certificate trust list provided by the operating system (which of course varies from OS to OS).
There are two bugs related to this functionality:
- The new certificate trust list includes the Microsoft Time Stamping service certificate trust, which does not exist as a trust in any OS. Therefore, attempting to verify a signed package using this certificate fails on all operating systems unless the user upgrades to a new enough 6.0.4xx SDK. This affects new packages signed by the new .NET Foundation code signature process, since it uses the Microsoft Time Stamping service. (Users will experience this as NU3003)
- The certificate used for repository countersignature in nuget.org has shifted from Symantec to DigiCert, related to the feature discussion for the new certificate trust list. Unfortunately, some OSes (like Ubuntu 22.04) have already revoked their trust for the Symantec root certificate. This affects older packages countersigned by NuGet before the move to DigiCert. (Users will probably experience this as NU3028)
In my opinion, all LTS versions need this functionality, not just 6.0.4xx.
To Reproduce
Microsoft Time Stamping service
- Download xunit package version 2.5.0: https://www.nuget.org/api/v2/package/xunit/2.5.0
- Run `dotnet nuget verify --all xunit.2.5.0.nupkg`
Here are the results with 6.0.314 (latest as of this writing):
![](https://cdn.fosstodon.org/media_attachments/files/110/672/003/300/266/538/original/d4a5e5d34c72183d.png)
And here are the results with 6.0.411 (latest as of this writing):
![](https://cdn.fosstodon.org/media_attachments/files/110/672/006/609/081/303/original/de5b7036d04bcff3.png)
Example images are shown from Linux (as it was the easiest way to quickly move between versions), but this is also reproducible with Windows.
Symantec Time Stamping service
On a non-Windows machine:
- Download xunit package version 2.4.2: https://www.nuget.org/api/v2/package/xunit/2.4.2
- Run `dotnet nuget verify --all -v normal xunit.2.4.2.nupkg`
Here are the results with 6.0.314 on Linux:
![](https://files.mastodon.social/media_attachments/files/110/672/054/161/928/612/original/fa3d30ccc8a0776c.png)
And here are the results with 6.0.411 on Linux:
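The reproduction above switches SDKs by hand; the script below, an added example that is not part of the issue or the NuGet project, pins the SDK with a `global.json` in a scratch directory, runs `dotnet nuget verify --all` there, and classifies the outcome by the two error codes the issue names (NU3003 for the Microsoft Time Stamping root, NU3028 for the revoked Symantec root). It assumes `dotnet` is on PATH and the requested SDK version is installed; the classification function and its labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the issue or the NuGet project: verify a .nupkg
# under a pinned SDK version and map the result to the two trust-list
# failures described above. Assumes `dotnet` is on PATH and the requested
# SDK version is installed (global.json needs an exact match by default).

# Classify verify output (read from stdin) by the error codes named in the
# issue. Labels and mapping are an assumption made for this example.
classify_verify_output() {
  out=$(cat)
  case "$out" in
    *NU3003*) echo "timestamp-root-untrusted" ;;        # Microsoft Time Stamping root missing from the OS store (xunit 2.5.0 on 6.0.3xx)
    *NU3028*) echo "countersignature-root-untrusted" ;; # Symantec root revoked by the OS (xunit 2.4.2 on e.g. Ubuntu 22.04)
    *)        echo "trusted" ;;
  esac
}

# Run verification with a specific SDK: the dotnet host picks the SDK from
# the global.json of the current directory, so a scratch dir is enough.
verify_with_sdk() {
  sdk="$1"
  pkg="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  work=$(mktemp -d)
  printf '{ "sdk": { "version": "%s" } }\n' "$sdk" > "$work/global.json"
  ( cd "$work" && dotnet nuget verify --all -v normal "$pkg" 2>&1 )
  rc=$?
  rm -rf "$work"
  return $rc
}

# Usage: sh verify_trust.sh <sdk-version> <package.nupkg>
# e.g.   sh verify_trust.sh 6.0.314 xunit.2.5.0.nupkg
#        sh verify_trust.sh 6.0.411 xunit.2.4.2.nupkg
if [ "$#" -eq 2 ]; then
  rc=0
  result=$(verify_with_sdk "$1" "$2") || rc=$?
  printf '%s\n' "$result"
  echo "SDK $1: exit=$rc cause=$(printf '%s\n' "$result" | classify_verify_output)"
fi
```

Running it once per SDK version against the same package separates "this OS lacks the root" from "this SDK carries its own trust list", which is the distinction the issue is asking to backport.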
Issue Analytics
- Created 2 months ago
- Comments: 20 (17 by maintainers)
I have no power over our bot overlords.
Thank you for at least re-opening it again @jaredpar 😂