
Simplify certificate validation logic while raising NU3043 error in dotnet.exe #6553


Open: wants to merge 4 commits into base: dev

kartheekp-ms
Contributor

@kartheekp-ms kartheekp-ms commented Jul 11, 2025

Bug

Tracking: NuGet/Home#13814

Description

When we merged #6171 PR, we added custom logic to get different behavior if the version of .NET SDK is 10 or not. In .NET 10 we wanted NU3043 to be raised as an error whereas in previous versions we wanted it to be a warning.

Removed assembly version check when validating certificate fingerprints in this PR because we are only inserting into .NET 10 now. Now, an ArgumentException is thrown if the fingerprint is invalid or if the hash algorithm is SHA1, regardless of assembly version. Eliminate logging of warnings for SHA1 when assembly version is less than 10.

PR Checklist

  • Meaningful title, helpful description and a linked NuGet/Home issue
  • [ ] Added tests - No functional changes
  • [ ] Link to an issue or pull request to update docs if this PR changes settings, environment variables, new feature, etc.

Remove assembly version check when validating certificate fingerprints.
Now, an ArgumentException is thrown if the fingerprint is invalid
or if the hash algorithm is SHA1, regardless of assembly version.
Eliminate logging of warnings for SHA1 when assembly version is
less than 10.

Introduce a new test method `DotnetSign_SignPackageWithInsecureCertificateFingerprint_ThrowsExceptionAsync` in `DotnetSignTests.cs`. This test ensures that signing a package with an insecure SHA1 certificate fingerprint throws an exception. It is configured to run on Windows and Linux platforms only.

Changed RunDotnet method in DotnetIntegrationTestFixture.cs
from private to internal for broader access. Updated
DotnetSignTests.cs to check AllOutput for error codes
instead of just Errors, enhancing test validation.

Introduced expectSuccess variable to handle different
outcomes based on hash algorithm, improving test flexibility.
@kartheekp-ms kartheekp-ms marked this pull request as ready for review July 12, 2025 02:16
@kartheekp-ms kartheekp-ms requested a review from a team as a code owner July 12, 2025 02:16
@kartheekp-ms kartheekp-ms requested review from zivkan and martinrrm July 12, 2025 02:16
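
The behavior the description calls for (an `ArgumentException` for an invalid or SHA1 fingerprint, with no assembly version branch) can be sketched as follows. This is an added example, not code from this PR or from NuGet: `FingerprintValidator` and `GetHashAlgorithm` are hypothetical names, and classifying the algorithm by hex length is an assumption. The certificate is constructed in-process so the SHA-256 fingerprint and the SHA-1 thumbprint of the same certificate can be compared.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class FingerprintValidator // hypothetical name, not a NuGet type
{
    // Assumption: the digest algorithm is inferred from the hex length.
    // Malformed input and SHA-1 both throw, with no SDK version check.
    public static HashAlgorithmName GetHashAlgorithm(string fingerprint)
    {
        if (string.IsNullOrWhiteSpace(fingerprint))
            throw new ArgumentException("Fingerprint is required.", nameof(fingerprint));

        string hex = fingerprint.Trim();
        if (!hex.All(Uri.IsHexDigit))
            throw new ArgumentException("Fingerprint must be hexadecimal.", nameof(fingerprint));

        switch (hex.Length)
        {
            case 64: return HashAlgorithmName.SHA256;
            case 96: return HashAlgorithmName.SHA384;
            case 128: return HashAlgorithmName.SHA512;
            case 40: // SHA-1 digest length: always an error
                throw new ArgumentException("SHA-1 fingerprints are rejected.", nameof(fingerprint));
            default:
                throw new ArgumentException("Unrecognized fingerprint length.", nameof(fingerprint));
        }
    }

    public static void Main()
    {
        // Constructed self-signed certificate, used only as sample input.
        using ECDsa key = ECDsa.Create();
        var request = new CertificateRequest("CN=Constructed Test Signer", key, HashAlgorithmName.SHA256);
        using X509Certificate2 cert = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

        string sha256 = cert.GetCertHashString(HashAlgorithmName.SHA256); // accepted
        string sha1 = cert.Thumbprint;                                    // SHA-1, rejected
        foreach (string value in new[] { sha256, sha1, "not-hex" })
        {
            try { Console.WriteLine($"{value.Length} chars -> {GetHashAlgorithm(value).Name}"); }
            catch (ArgumentException ex) { Console.WriteLine($"{value.Length} chars -> rejected: {ex.Message}"); }
        }
    }
}
```

`X509Certificate2.Thumbprint` is always the SHA-1 digest, so a fingerprint copied from that property is one that fails under this rule; `GetCertHashString(HashAlgorithmName.SHA256)` yields the replacement value.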