Commit dcb5ab9

Document the repository signing v4.9.0 service index resource (NuGet#1204)
Part of https://github.com/NuGet/Engineering/issues/1778
1 parent e94e3b8 commit dcb5ab9

1 file changed: +9 -7 lines changed

docs/api/repository-signatures-resource.md

Lines changed: 9 additions & 7 deletions
@@ -19,16 +19,14 @@ whether a repository signed package has been tampered or has an unexpected signi
1919
The resource used for fetching this repository signature information is the `RepositorySignatures` resource found in
2020
the [service index](service-index.md).
2121

22-
> [!Note]
23-
> NuGet.org will start announcing the `RepositorySignatures` resource in the near future.
24-
2522
## Versioning
2623

2724
The following `@type` value is used:
2825

2926
@type value | Notes
3027
-------------------------- | -----
3128
RepositorySignatures/4.7.0 | The initial release
29+
RepositorySignatures/4.9.0 | Allows enabling `allRepositorySigned`
3230

3331
## Base URL
3432
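Review bot: The new `RepositorySignatures/4.9.0` row in the versioning table says only "Allows enabling `allRepositorySigned`", which does not tell a source operator what "enabling" means, and the 4.7.0 row still reads "The initial release" with no hint that it carries the opposite constraint. Suggest stating the rule in both rows, for example "The initial release; `allRepositorySigned` must be `false`" for 4.7.0 and "Allows `allRepositorySigned` to be `true`" for 4.9.0, so the version table agrees with the Notes column added to the index properties table later in this file. Separately, removing the "[!Note]" about NuGet.org announcing the resource "in the near future" leaves the page silent on whether NuGet.org announces it today; if it does, a one-line statement to that effect would serve readers better than dropping the note outright.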

@@ -63,15 +61,19 @@ The following request fetches the repository signatures index.
6361

6462
The repository signature index is a JSON document that contains an object with the following properties:
6563

66-
Name | Type | Required
67-
------------------- | ---------------- | --------
68-
allRepositorySigned | boolean | yes
69-
signingCertificates | array of objects | yes
64+
Name | Type | Required | Notes
65+
------------------- | ---------------- | -------- | -----
66+
allRepositorySigned | boolean | yes | Must be `false` on 4.7.0 resource
67+
signingCertificates | array of objects | yes |
7068

7169
The `allRepositorySigned` boolean is set to false if the package source has some packages that have no repository
7270
signature. If the boolean is set to true, all packages available on the source must have a repository
7371
signature produced by one of the signing certificates mentioned in `signingCertificates`.
7472

73+
> [!Warning]
74+
> The `allRepositorySigned` boolean must be false on the 4.7.0 resource. NuGet v4.7 and v4.8 clients cannot install packages
75+
> from sources that have `allRepositorySigned` set to true.
76+
7577
There should be one or more signing certificates in the `signingCertificates` array if the `allRepositorySigned` boolean
7678
is set to true. If the array is empty and `allRepositorySigned` is set to true, all packages from the source should be
7779
considered invalid, although a client policy may still allow consumption of packages. Each element in this array is a
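Review bot: The added warning and the table note "Must be `false` on 4.7.0 resource" state a requirement on the server only; nothing in this hunk says how a client should treat a `RepositorySignatures/4.7.0` index that nevertheless returns `allRepositorySigned` set to true. Because a true value tells the client that every package on the source must carry a repository signature from one of the listed certificates, the handling of a nonconforming document should be specified here (reject the index, or treat the value as false) rather than left to each implementation. The warning also describes only the failure ("cannot install packages"); it would help to say how a source that wants `allRepositorySigned` set to true remains usable by v4.7 and v4.8 clients. Minor: the warning and the unchanged paragraph above it write "false" and "true" as plain words while the new table note uses `false`; code formatting in the warning would keep the section consistent.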
