Support portable NuGet signing with Artifact Signing #11
Merged
Marc-André Moreau (mamoreau-devolutions) merged 5 commits into master on May 24, 2026
Conversation
Enable portable Artifact Signing responses to be consumed on Linux by accepting PEM/DER/base64/PKCS#7 signingCertificate payloads and selecting the actual signing cert from PKCS#7 signer info or an unambiguous leaf certificate bag. Make NuGet package signing produce verifiable packages by normalizing ZIP metadata, embedding CMS id-data content, and using the standard id-aa-timeStampToken timestamp attribute while preserving Authenticode timestamp behavior.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add the NuGet author signed-attribute profile needed for publisher metadata: signing-time, commitment-type proof-of-origin, and signing-certificate-v2. Remote signing now obtains the signer certificate before hashing CMS signed attributes so the signing-certificate-v2 ESSCertIDv2 value is part of the signed payload. This makes Linux-generated NuGet signatures classify as Author signatures in NuGet tooling, which enables NuGetPackageExplorer to display the Publisher UI for packages signed through Azure Artifact Signing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The NuGet author-signature path needs a helper that assembles CMS SignedData from explicit content, digest, signer material, signature bytes, detached-content behavior, and prebuilt signed attributes. Allow Clippy's argument-count lint for this narrowly scoped helper so the portable-clippy CI job passes without changing behavior.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Import and clean up PR #10's Linux Azure Artifact Signing NuGet work by hardening certificate parsing, making CMS content/timestamp modes explicit, fixing portable NuGet split-signing semantics, and expanding deterministic package signing coverage.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Use stable NuGet author attributes for the two-step external signing CLI path so the prehash and assembled CMS reconstruct the same authenticated attributes. Keep one-shot signing on timestamped author attributes and extend tests around the assembled prehash.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
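The point of the last two commits, as an added example that is not code from this repository: DER-encoding the NuGet author signed-attribute set (contentType, messageDigest, signing-time, commitment-type proof-of-origin, signing-certificate-v2) so that an external prehash step and the later CMS assembly reproduce the same bytes. It uses only the Rust standard library; the OID constants are pre-encoded, the two hashes are constructed placeholders (in practice messageDigest is the SHA-256 of the id-data content and certHash the SHA-256 of the signer certificate's DER), and the struct and function names are assumptions made for the example.

```rust
// Added example, not the project's code: deterministic DER for the CMS signed
// attributes of a NuGet author signature (std only, no crates).

// OIDs pre-encoded as DER (tag 0x06, length, value).
const OID_CONTENT_TYPE: &[u8] = &[0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03]; // 1.2.840.113549.1.9.3
const OID_MESSAGE_DIGEST: &[u8] = &[0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04]; // 1.2.840.113549.1.9.4
const OID_SIGNING_TIME: &[u8] = &[0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05]; // 1.2.840.113549.1.9.5
const OID_ID_DATA: &[u8] = &[0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01]; // 1.2.840.113549.1.7.1
const OID_COMMITMENT_TYPE: &[u8] = &[0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x02, 0x10]; // ...1.9.16.2.16
const OID_PROOF_OF_ORIGIN: &[u8] = &[0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x06, 0x01]; // ...1.9.16.6.1
const OID_SIGNING_CERT_V2: &[u8] = &[0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x02, 0x2f]; // ...1.9.16.2.47

/// DER length octets, short or long form.
fn der_len(n: usize) -> Vec<u8> {
    if n < 0x80 {
        return vec![n as u8];
    }
    let bytes: Vec<u8> = n.to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
    let mut out = vec![0x80 | bytes.len() as u8];
    out.extend(bytes);
    out
}

/// Tag, length, value.
fn tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    out.extend(der_len(body.len()));
    out.extend_from_slice(body);
    out
}

/// DER SET OF: elements ordered by their encodings (X.690 11.6). A plain byte
/// sort is exact here because no attribute encoding is a prefix of another.
fn set_of(mut items: Vec<Vec<u8>>) -> Vec<u8> {
    items.sort();
    tlv(0x31, &items.concat())
}

/// Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }
fn attribute(oid: &[u8], value: Vec<u8>) -> Vec<u8> {
    let mut body = oid.to_vec();
    body.extend(set_of(vec![value]));
    tlv(0x30, &body)
}

/// Everything that feeds the attributes is fixed by the caller. If either step
/// read the clock for the signing time, prehash and assembly would disagree.
pub struct AuthorAttributes<'a> {
    pub message_digest: &'a [u8],  // SHA-256 over the id-data content (placeholder here)
    pub signing_time_utc: &'a str, // UTCTime "YYMMDDHHMMSSZ"
    pub cert_sha256: &'a [u8],     // SHA-256 over the signer certificate DER (placeholder here)
}

/// Returns the SET (tag 0x31) form: per RFC 5652 5.4 this is what gets hashed
/// and signed, not the [0] IMPLICIT form that SignerInfo carries.
pub fn signed_attributes_der(a: &AuthorAttributes) -> Result<Vec<u8>, String> {
    if a.message_digest.len() != 32 || a.cert_sha256.len() != 32 {
        return Err("messageDigest and certHash must be SHA-256 (32 bytes)".into());
    }
    let t = a.signing_time_utc.as_bytes();
    if t.len() != 13 || t[12] != b'Z' || !t[..12].iter().all(u8::is_ascii_digit) {
        return Err("signingTime must be UTCTime YYMMDDHHMMSSZ".into());
    }
    // ESSCertIDv2 { certHash OCTET STRING }: sha256 is the DEFAULT hashAlgorithm,
    // so strict DER omits it (RFC 5035 section 4). issuerSerial is optional and omitted.
    let ess_cert_id = tlv(0x30, &tlv(0x04, a.cert_sha256));
    let signing_cert_v2 = tlv(0x30, &tlv(0x30, &ess_cert_id)); // SigningCertificateV2 { certs SEQUENCE OF }
    let commitment = tlv(0x30, OID_PROOF_OF_ORIGIN); // CommitmentTypeIndication { commitmentTypeId }
    let attrs = vec![
        attribute(OID_CONTENT_TYPE, OID_ID_DATA.to_vec()),
        attribute(OID_MESSAGE_DIGEST, tlv(0x04, a.message_digest)),
        attribute(OID_SIGNING_TIME, tlv(0x17, t)),
        attribute(OID_COMMITMENT_TYPE, commitment),
        attribute(OID_SIGNING_CERT_V2, signing_cert_v2),
    ];
    Ok(set_of(attrs))
}

/// Re-tag the SET as [0] IMPLICIT for SignerInfo.signedAttrs. Only the first
/// octet changes; the signed bytes are otherwise embedded unchanged.
pub fn as_signer_info_signed_attrs(set_der: &[u8]) -> Vec<u8> {
    let mut out = set_der.to_vec();
    out[0] = 0xa0;
    out
}

fn main() {
    // Constructed placeholders, not hashes of real content or a real certificate.
    let a = AuthorAttributes { message_digest: &[0x11; 32], signing_time_utc: "260524120000Z", cert_sha256: &[0x22; 32] };
    let prehash_input = signed_attributes_der(&a).unwrap();
    let assembled = signed_attributes_der(&a).unwrap();
    assert_eq!(prehash_input, assembled);
    println!("signed attributes: {} bytes, outer tag 0x{:02x}", prehash_input.len(), prehash_input[0]);
}
```

Two details carry the split-signing semantics: the attributes are sorted as a DER SET OF before anything is hashed, and the external signer signs the 0x31-tagged SET while SignerInfo embeds the same octets under 0xA0. Keep the signing time an explicit input on both sides of the two-step path; a timestamp taken from the clock at assembly time produces a different attribute set from the one that was prehashed, and the resulting signature will not verify.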
fda60ff into master
36 checks passed
Summary
This imports the useful work from #10 and cleans it up for a reviewable implementation of portable/Linux NuGet package signing with Azure Artifact Signing.
- `signingCertificate` payloads as DER, PEM, nested base64, or PKCS#7 certificate bundles, selecting the actual signer instead of relying on certificate order.
- `signature.p7s` CMS with attached `id-data`, NuGet author attributes, and PKCS#9 RFC3161 timestamp attributes while preserving Authenticode timestamp behavior for companion signatures.

Validation
- cargo fmt --all --check
- cargo clippy --workspace --all-targets --locked -- -D warnings
- cargo test --workspace --locked --quiet
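The payload handling the first bullet describes, as an added example rather than the project's implementation: it unwraps PEM, base64 and base64-of-base64 down to DER, bounds the number of layers so a hostile payload cannot keep it decoding, and tells a bare X.509 Certificate from a PKCS#7 ContentInfo by looking at the first element inside the outer SEQUENCE. It is std-only Rust; the function names, the `Kind` enum and the sample bytes (a SEQUENCE-shaped stub and a truncated ContentInfo header, not a real certificate or bundle) are constructed for the example. Picking the signer out of a PKCS#7 bundle's signer info is not shown.

```rust
// Added example, not the project's code: normalize a signingCertificate
// payload (DER, PEM, base64, base64 of PEM/base64, PKCS#7) to DER and classify it.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Kind {
    Certificate,
    Pkcs7SignedData,
}

const OID_SIGNED_DATA: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02]; // 1.2.840.113549.1.7.2

/// Minimal DER reader: (tag, content) of the element at the start of `b`.
/// Rejects indefinite lengths and anything that runs past the buffer.
fn der_tlv(b: &[u8]) -> Option<(u8, &[u8])> {
    let (&tag, rest) = b.split_first()?;
    let (&l0, rest) = rest.split_first()?;
    let (len, rest) = if l0 < 0x80 {
        (l0 as usize, rest)
    } else {
        let n = (l0 & 0x7f) as usize;
        if n == 0 || n > 4 || rest.len() < n {
            return None;
        }
        let len = rest[..n].iter().fold(0usize, |acc, &x| (acc << 8) | x as usize);
        (len, &rest[n..])
    };
    if rest.len() < len {
        return None;
    }
    Some((tag, &rest[..len]))
}

/// Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... } whereas
/// ContentInfo ::= SEQUENCE { contentType OID, ... }: the first inner tag decides.
fn classify(der: &[u8]) -> Result<Kind, String> {
    let (tag, body) = der_tlv(der).ok_or("truncated or malformed DER")?;
    if tag != 0x30 {
        return Err(format!("expected SEQUENCE, got tag 0x{tag:02x}"));
    }
    match der_tlv(body) {
        Some((0x30, _)) => Ok(Kind::Certificate),
        Some((0x06, oid)) if oid == OID_SIGNED_DATA => Ok(Kind::Pkcs7SignedData),
        Some((0x06, _)) => Err("ContentInfo is not signedData".into()),
        _ => Err("unrecognized DER structure".into()),
    }
}

/// RFC 4648 base64; whitespace is skipped, padding is optional, anything else is rejected.
fn base64_decode(text: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in text.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' | b'\n' | b'\r' | b' ' | b'\t' => continue,
            _ => return None,
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    if out.is_empty() { None } else { Some(out) }
}

/// Body of the first "-----BEGIN ...-----" block, or None when the text is not PEM.
fn pem_first_block(text: &str) -> Option<&str> {
    let begin = text.find("-----BEGIN ")?;
    let body_start = begin + text[begin..].find('\n')? + 1;
    let body_len = text[body_start..].find("-----END")?;
    Some(&text[body_start..body_start + body_len])
}

/// Peel text encodings until DER appears, with a hard cap on nesting depth.
pub fn normalize_signing_certificate(payload: &[u8]) -> Result<(Kind, Vec<u8>), String> {
    let mut current = payload.to_vec();
    for _ in 0..4 {
        if current.first() == Some(&0x30) {
            return classify(&current).map(|k| (k, current));
        }
        let text = std::str::from_utf8(&current).map_err(|_| "payload is neither DER nor text")?;
        let b64 = pem_first_block(text).unwrap_or(text);
        let decoded = base64_decode(b64).ok_or("payload is not DER, PEM or base64")?;
        current = decoded;
    }
    Err("too many encoding layers".into())
}

fn main() {
    // Constructed sample: base64 of base64 of a SEQUENCE { SEQUENCE } stub, not a real certificate.
    match normalize_signing_certificate(b"TUFNd0FRQT0=") {
        Ok((kind, der)) => println!("{kind:?}, {} DER bytes", der.len()),
        Err(e) => println!("rejected: {e}"),
    }
}
```

Classifying on the DER rather than on the PEM label keeps a mislabelled "CERTIFICATE" block that actually wraps a PKCS#7 bundle from being handed to the certificate parser, and the depth cap plus the strict base64 alphabet mean a payload either normalizes in a few steps or fails with a specific error.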