Add Client Policies to Signed Packages ref doc (NuGet#1162)

karann-msft · web-flow · commit 85f8232b0b4f · 2018-12-05T15:20:46.000-08:00
* Add Client Policies to Signed Packages ref

* addressing loic and daniel's feedback

* fix links

* Update Signed-Packages-Reference.md

* Update Sign-a-Package.md

* Update Sign-a-Package.md

* Update Sign-a-Package.md

* Update Sign-a-Package.md

* Update Sign-a-Package.md

* Update Sign-a-Package.md

* Create installing-signed-packages.md

* Update TOC.md

* Update Sign-a-Package.md

* Update installing-signed-packages.md

* Update Signed-Packages-Reference.md

* Update ways-to-install-a-package.md

* Update installing-signed-packages.md

* Update Sign-a-Package.md

* Update Sign-a-Package.md

* Update Signed-Packages-Reference.md

* Update Sign-a-Package.md

* Update installing-signed-packages.md

* Update Signed-Packages-Reference.md
diff --git a/docs/TOC.md b/docs/TOC.md
@@ -10,6 +10,7 @@
 ## [Overview and workflow](consume-packages/overview-and-workflow.md)
 ## [Finding and choosing packages](consume-packages/finding-and-choosing-packages.md)
 ## [Installing packages](consume-packages/ways-to-install-a-package.md)
+###[Signed packages](consume-packages/installing-signed-packages.md)
 ## [Package restore](consume-packages/package-restore.md)
 ### [Troubleshooting](consume-packages/package-restore-troubleshooting.md)
 ## [Reinstalling and updating packages](consume-packages/reinstalling-and-updating-packages.md)
diff --git a/docs/consume-packages/installing-signed-packages.md b/docs/consume-packages/installing-signed-packages.md
@@ -0,0 +1,103 @@
+---
+title: Install a signed NuGet package
+description: Describes the process of installing signed NuGet packages and configuring package signature trust settings.
+author: karann-msft
+ms.author: karann
+ms.date: 11/29/2018
+ms.topic: conceptual
+---
+
+# Install a signed package
+
+Signed packages don't require any specific action to be installed; however, if the content has been modified since it was signed, the installation is blocked with error [NU3008](../reference/errors-and-warnings/NU3008.md).
+
+> [!Warning]
+> Packages signed with untrusted certificates are considered as unsigned and are installed without any warnings or errors like any other unsigned package.
+
+## Configure package signature requirements
+
+> [!Note]
+> Requires NuGet 4.9.0+ and Visual Studio version 15.9 and later on Windows
+
+You can configure how NuGet clients validate package signatures by setting the `signatureValidationMode` to `require` in the [nuget.config](../reference/nuget-config-file) file using the [`nuget config`](../tools/cli-ref-config) command.
+
+```cmd
+nuget.exe config -set signatureValidationMode=require
+```
+
+```xml
+  <config>
+    <add key="signatureValidationMode" value="require" />
+  </config>
+```
+
+This mode will verify that all packages are signed by any of the certificates trusted in the `nuget.config` file. This file allows you to specify which authors and/or repositories are trusted based on the certificate's fingerprint.
+
+### Trust package author
+
+To trust packages based on the author signature use the [`trusted-signers`](..tools/cli-ref-trusted-signers) command to set the `author` property in the nuget.config.
+
+```cmd
+nuget.exe  trusted-signers Add -Name MyCompanyCert -CertificateFingerprint CE40881FF5F0AD3E58965DA20A9F571EF1651A56933748E1BF1C99E537C4E039 -FingerprintAlgorithm SHA256
+```
+
+```xml
+<trustedSigners>
+  <author name="MyCompanyCert">
+    <certificate fingerprint="CE40881FF5F0AD3E58965DA20A9F571EF1651A56933748E1BF1C99E537C4E039" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
+  </author>
+</trustedSigners>
+```
+
+>[!TIP]
+>Use the `nuget.exe` [verify command](https://docs.microsoft.com/en-us/nuget/tools/cli-ref-verify) to get the `SHA256` value of the certificate's fingerprint.
+
+
+### Trust all packages from a repository
+
+To trust packages based on the repository signature use the `repository` element:
+
+```xml
+<trustedSigners>  
+  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
+    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B4676070...." 
+                  hashAlgorithm="SHA256" 
+                allowUntrustedRoot="false" />
+  </repository>
+</trustedSigners>
+```
+
+### Trust Package Owners
+
+Repository signatures include additional metadata to determine the owners of the package at the time of submission. You can restrict packages from a repository based on a list of owners:
+
+```xml
+<trustedSigners>  
+  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
+    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B4676070...." 
+                  hashAlgorithm="SHA256" 
+                allowUntrustedRoot="false" />
+      <owners>microsoft;nuget</owners>
+  </repository>
+</trustedSigners>
+```
+
+If a package has multiple owners, and any one of those owners is in the trusted list, the package installation will succeed.
+
+### Untrusted Root certificates
+
+In some situations you may want to enable verification using certificates that do not chain to a trusted root in the local machine. You can use the `allowUntrustedRoot` attribute to customize this behavior.
+
+### Sync repository certificates
+
+Package repositories should announce the certificates they use in their [service index](https://docs.microsoft.com/en-us/nuget/api/service-index). Eventually the repository will update these certificates, e.g. when the certificate expires. When that happens, clients with specific policies will require an update to the configuration to include the newly added certificate. You can easily upgrade the trusted signers associated to a repository by using the `nuget.exe` [trusted-signers sync command](/nuget/tools/cli-ref-trusted-signers.md#nuget-trusted-signers-sync--name-).
+
+### Schema reference
+
+The complete schema reference for the client policies can be found in the [nuget.config reference](/nuget/reference/nuget-config-file#trustedsigners-section)
+
+## Related articles
+
+- [Different ways to install a NuGet Package](ways-to-install-a-package.md)
+- [Signing NuGet Packages](../create-packages/Sign-a-Package.md)
+- [Signed Packages Reference](../reference/Signed-Packages-Reference.md)
diff --git a/docs/consume-packages/ways-to-install-a-package.md b/docs/consume-packages/ways-to-install-a-package.md
@@ -59,6 +59,7 @@ The general process is as follows:
 
 ## Related articles
 
+- [Installing signed packages](installing-signed-packages.md)
 - [Overview and workflow of package consumption](../consume-packages/overview-and-workflow.md)
 - [Finding and choosing packages](../consume-packages/finding-and-choosing-packages.md)
 - [Managing the NuGet cache and global-packages folders](managing-the-global-packages-and-cache-folders.md)
diff --git a/docs/create-packages/Sign-a-Package.md b/docs/create-packages/Sign-a-Package.md
@@ -10,51 +10,90 @@ ms.reviewer: anangaur
 
 # Signing NuGet Packages
 
-Signing a package is a process that makes sure the package has not been modified since its creation.
+Signed packages allows for content integrity verification checks which provides protection against content tampering. The package signature also serves as the single source of truth about the actual origin of the package and bolsters package authenticity for the consumer. This guide assumes you have already [created a package](creating-a-package.md).
 
-## Prerequisites
+## Get a code signing certificate
 
-1. The package (a `.nupkg` file) to sign. See [Creating a package](creating-a-package.md).
+Valid certificates may be obtained from a public certificate authority such as [Symantec](https://trustcenter.websecurity.symantec.com/process/trust/productOptions?productType=SoftwareValidationClass3), [DigiCert](https://www.digicert.com/code-signing/), [Go Daddy](https://www.godaddy.com/web-security/code-signing-certificate), [Global Sign](https://www.globalsign.com/en/code-signing-certificate/), [Comodo](https://www.comodo.com/e-commerce/code-signing/code-signing-certificate.php), [Certum](https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml), etc. The complete list of certification authorities trusted by Windows can be obtained from [http://aka.ms/trustcertpartners](http://aka.ms/trustcertpartners).
 
-1. nuget.exe 4.6.0 or later. See how to [Install NuGet CLI](../install-nuget-client-tools.md#nugetexe-cli).
+You can use self-issued certificates for testing purposes. However, packages signed using self-issued certificates are not accepted by NuGet.org. Learn more about [creating a test certificate](#create-a-test-certificate)
 
-1. [A code signing certificate](../reference/signed-packages-reference.md#get-a-code-signing-certificate).
+## Export the certificate file
 
-## Sign a package
+* You can export an existing certificate to a binary DER format by using the Certificate Export Wizard.
 
-To sign a package, use [nuget sign](../tools/cli-ref-sign.md):
+  ![Certificate Export Wizard](../reference/media/CertificateExportWizard.png)
+
+* You can also export the certificate using the [Export-Certificate PowerShell command](/powershell/module/pkiclient/export-certificate.md).
+
+## Sign the package
+
+> [!note]
+> Requires nuget.exe 4.6.0 or later
+
+Sign the package using [nuget sign](../tools/cli-ref-sign.md):
 
 ```cli
-nuget sign MyPackage.nupkg -CertificateSubjectName <MyCertSubjectName> -Timestamper <TimestampServiceURL>
+nuget sign MyPackage.nupkg -CertificateFilePath <PathToTheCertificate> -Timestamper <TimestampServiceURL>
 ```
 
-As described in the command reference, you can use a certificate available in the certificate store or use a certificate from a file.
+* You can use a certificate available in the certificate store or use a certificate from a file. See CLI reference for [nuget sign](../tools/cli-ref-sign.md).
+* Signed packages should include a timestamp to make sure the signature remains valid when the signing certificate has expired. Else the sign operation will produce a [warning](../reference/errors-and-warnings/NU3002.md).
+* You can see the signature details of a given package using [nuget verify](../tools/cli-ref-verify.md).
 
-### Common problems when signing a package
+## Register the certificate on NuGet.org
 
-- The certificate is not valid for code signing. You must ensure the certificate specified has the appropriate extended key usage (EKU 1.3.6.1.5.5.7.3.3).
-- The certificate does not satisfy the basic requirements such as the RSA SHA-256 signature algorithm or a public key 2048 bits or greater.
-- The certificate has expired or has been revoked.
-- The timestamp server does not satisfy the certificate requirements.
+To publish a signed package, you must first register the certificate with NuGet.org. You need the certificate as a `.cer` file in a binary DER format.
 
-> [!Note]
-> Signed packages should include a timestamp to make sure the signature remains valid when the signing certificate has expired. The sign operation produce a [warning NU3002](../reference/errors-and-warnings/NU3002.md) when signing without a timestamp.
+1. [Sign in](https://www.nuget.org/users/account/LogOn?returnUrl=%2F) to NuGet.org.
+1. Go to `Account settings` (or `Manage Organization` **>** `Edit Organziation` if you would like to register the certificate with an Organization account).
+1. Expand the `Certificates` section and select `Register new`.
+1. Browse and select the certficate file that was exported earlier.
+  ![Registered Certificates](../reference/media/registered-certs.png)
 
-## Verify a signed package
+**Note**
+* One user can submit multiple certificates and the same certificate can be registered by multiple users.
+* Once a user has a certificate registered, all future package submissions **must** be signed with one of the certificates. See [Manage signing requirements for your package on NuGet.org](#manage-signing-requirements-for-your-package-on-nugetorg)
+* Users can also remove a registered certificate from the account. Once a certificate is removed, new packages signed with that certificate will fail at submission. Existing packages aren't affected.
 
-Use [nuget verify](../tools/cli-ref-verify.md) to see the signature details of a given package:
+## Publish the package
 
-```cli
-nuget verify -signature MyPackage.nupkg
-```
+You are now ready to publish the package to NuGet.org. See [Publishing packages](Publish-a-package.md).
+
+## Create a test certificate
 
-## Install a signed package
+You can use self-issued certificates for testing purposes. To create a self-issued certificate, use the [New-SelfSignedCertificate PowerShell command](/powershell/module/pkiclient/new-selfsignedcertificate.md).
 
-Signed packages don't require any specific action to be installed; however, if the content has been modified since it was signed, the installation is blocked and produces an [error NU3008](../reference/errors-and-warnings/NU3008.md).
+```ps
+New-SelfSignedCertificate -Subject "CN=NuGet Test Developer, OU=Use for testing purposes ONLY" `
+                          -FriendlyName "NuGetTestDeveloper" `
+                          -Type CodeSigning `
+                          -KeyUsage DigitalSignature `
+                          -KeyLength 2048 `
+                          -KeyAlgorithm RSA `
+                          -HashAlgorithm SHA256 `
+                          -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
+                          -CertStoreLocation "Cert:\CurrentUser\My" 
+```
+
+This command creates a testing certificate available in the current user's personal certificate store. You can open the certificate store by running `certmgr.msc` to see the newly created certificate.
 
 > [!Warning]
-> Packages signed with untrusted certificates are considered as unsigned and are installed without any warnings or errors like any other unsigned package.
+> NuGet.org does not accept packages signed with self-issued certificates.
+
+## Manage signing requirements for your package on NuGet.org
+1. [Sign in](https://www.nuget.org/users/account/LogOn?returnUrl=%2F) to NuGet.org.
+
+1. Go to `Manage Packages` 
+   ![Configure package signers](../reference/media/configure-package-signers.png)
+
+* If you are the sole owner of a package, you are the required signer i.e. you can use any of the registered certificates to sign and publish your packages to NuGet.org.
+
+* If a package has multiple owners, by default, "Any" owner's certificates can be used to sign the package. As a co-owner of the package, you can override "Any" with yourself or any other co-owner to be the required signer. If you make an owner  who does not have any certificate registered, then unsigned packages will be allowed. 
+
+* Similarly, if the default "Any" option is selected for a package where one owner has a certificate registered and another owner does not have any certificate registered, then NuGet.org accepts either a signed package with a signature registered by one of its owners or an unsigned package (because one of the owners does not have any certificate registered).
 
-## See also
+## Related articles
 
-[Signed Packages Reference](../reference/Signed-Packages-Reference.md)
+- [Installing signed packages](../consume-packages/installing-signed-packages.md)
+- [Signed Packages Reference](../reference/Signed-Packages-Reference.md)
diff --git a/docs/reference/Signed-Packages-Reference.md b/docs/reference/Signed-Packages-Reference.md
@@ -27,47 +27,13 @@ For details on creating an author signed package, see [Signing Packages](../crea
 
 Package signing requires a code signing certificate, which is a special type of certificate that is valid for the `id-kp-codeSigning` purpose [[RFC 5280 section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12)]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
 
-## Get a code signing certificate
-
-Valid certificates may be obtained from a public certificate authority like:
-
-- [Symantec](https://trustcenter.websecurity.symantec.com/process/trust/productOptions?productType=SoftwareValidationClass3)
-- [DigiCert](https://www.digicert.com/code-signing/)
-- [Go Daddy](https://www.godaddy.com/web-security/code-signing-certificate)
-- [Global Sign](https://www.globalsign.com/en/code-signing-certificate/)
-- [Comodo](https://www.comodo.com/e-commerce/code-signing/code-signing-certificate.php)
-- [Certum](https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml) 
-
-The complete list of certification authorities trusted by Windows can be obtained from [http://aka.ms/trustcertpartners](http://aka.ms/trustcertpartners).
-
-## Create a test certificate
-
-You can use self-issued certificates for testing purposes. To create a self-issued certificate, use the [New-SelfSignedCertificate PowerShell command](/powershell/module/pkiclient/new-selfsignedcertificate.md).
-
-```ps
-New-SelfSignedCertificate -Subject "CN=NuGet Test Developer, OU=Use for testing purposes ONLY" `
-                          -FriendlyName "NuGetTestDeveloper" `
-                          -Type CodeSigning `
-                          -KeyUsage DigitalSignature `
-                          -KeyLength 2048 `
-                          -KeyAlgorithm RSA `
-                          -HashAlgorithm SHA256 `
-                          -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-                          -CertStoreLocation "Cert:\CurrentUser\My" 
-```
-
-This command creates a testing certificate available in the current user's personal certificate store. You can open the certificate store by running `certmgr.msc` to see the newly created certificate.
-
-> [!Warning]
-> nuget.org does not accept packages signed with self-issued certificates.
-
 ## Timestamp requirements
 
 Signed packages should include an RFC 3161 timestamp to ensure signature validity beyond the package signing certificate's validity period. The certificate used to sign the timestamp must be valid for the `id-kp-timeStamping` purpose [[RFC 5280 section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12)]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
 
 Additional technical details can be found in the [package signature technical specs](https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details) (GitHub).
 
-## Signature requirements on nuget.org
+## Signature requirements on NuGet.org
 
 nuget.org has additional requirements for accepting a signed package:
 
@@ -81,32 +47,9 @@ nuget.org has additional requirements for accepting a signed package:
     - The author signing certificate must be valid for code signing.
     - The timestamp certificate must be valid for timestamping.
   - Must not be revoked at signing time. (This may not be knowable at submission time, so nuget.org periodically rechecks revocation status).
+  
+  
+## Related articles
 
-## Register certificate on nuget.org
-
-To submit a signed package, you must first register the certificate with nuget.org. You need the certificate as a `.cer` file in a binary DER format. You can export an existing certificate to a binary DER format by using the Certificate Export Wizard.
-
-![Certificate Export Wizard](media/CertificateExportWizard.png)
-
-Advanced users can export the certificate using the [Export-Certificate PowerShell command](/powershell/module/pkiclient/export-certificate.md).
-
-To register the certificate with nuget.org, go to `Certificates` section on `Account settings` page (or the Organization's settings page) and select `Register new certificate`.
-
-![Registered Certificates](media/registered-certs.png)
-
-> [!Tip]
-> One user can submit multiple certificates and the same certificate can be registered by multiple users.
-
-Once a user has a certificate registered, all future package submissions **must** be signed with one of the certificates.
-
-Users can also remove a registered certificate from the account. Once a certificate is removed, packages signed with that certificate fail at submission. Existing packages aren't affected.
-
-## Configure package signing requirements
-
-If you are the sole owner of a package, you are the required signer. That is, you can use any of the registered certificates to sign your packages and submit to nuget.org.
-
-If a package has multiple owners, by default, "Any" owner's certificates can be used to sign the package. As a co-owner of the package, you can override "Any" with yourself or any other co-owner to be the required signer. If you make an owner  who does not have any certificate registered, then unsigned packages will be allowed. 
-
-Similarly, if the default "Any" option is selected for a package where one owner has a certificate registered and another owner does not have any certificate registered, then nuget.org accepts either a signed package with a signature registered by one of its owners or an unsigned package (because one of the owners does not have any certificate registered).
-
-![Configure package signers](media/configure-package-signers.png)
+- [Signing NuGet Packages](../create-packages/Sign-a-Package.md)
+- [Installing signed packages](../consume-packages/installing-signed-packages.md)
