我有一个用我自己的证书签发的软件包,该证书由我自己的CA签发。
我用证书签署了一个nuget软件包。
当我在计算机的信任库中添加根CA时,可以使用nuget成功验证签名,使用
nuget verify test.nupkg -Signatures
但是,如果我从信任库中删除根,而是将证书的指纹作为受信任的签名者添加,则在nuget中将allowUntrustedRoot
设置为true,出于某种原因,我无法验证签名。] >
> nuget trusted-signers Registered trusted signers: 1. MyCert [author] Certificate fingerprint(s): [U] SHA256 - 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
但是
> nuget verify test.nupkg -Signatures Verifying Test C:\test.nupkg Signature Hash Algorithm: SHA256 WARNING: NU3027: The signature should be timestamped to enable long-term signature validity after the certificate has expired. Signature type: Author Verifying the author primary signature with certificate: Subject Name: CN=Test Certificate, OU=Test, C=BE SHA1 hash: 679B1E503720C69D981B9CC4F0199D5D8593375A SHA256 hash: 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631 Issued by: CN=Test Root, OU=Test, O=Test, C=BE Valid from: 10/31/2019 10:29:54 AM to 9/24/2023 11:37:39 AM NU3018: The author primary signature found a chain building issue: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode. WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation for the certificate. Finished with 1 errors and 3 warnings. Package signature validation failed.
如果未验证签名,添加受信任的签名者并将
allowUntrustedRoot
设置为true有什么意义?我的意思是,将根证书添加到信任库中足以验证签名,而无需进行任何配置就足够了。如果可能的话,我希望不能将根CA导入信任存储中,而仅使用Nuget的配置来成功验证签名。
谢谢。
我有一个用我自己的证书签名的软件包,该证书由我自己的CA签发。我用证书签署了一个nuget软件包。当我在计算机的信任库中添加根CA时,可以验证...
[我们的信念是,如果您尝试在nuget.configs中具有适当信任策略设置的项目中使用该程序包,还原将成功。请确认。