Enable NuGet signature verification for aspire-managed on Linux #16049
/deployment-test

🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16049
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16049"
Pull request overview
This PR enables NuGet package signature verification for aspire-managed on Linux to align aspire restore behavior with the .NET SDK by ensuring the verification env var is set for spawned processes and providing trusted root certificates to NuGet inside the single-file aspire-managed host.
Changes:
- Add a CLI-side enabler to default `DOTNET_NUGET_SIGNATURE_VERIFICATION=true` on Linux for spawned `aspire-managed` processes (with a feature flag + user override to `false`).
- Embed the .NET SDK’s trusted root PEM certificates into `aspire-managed` and initialize NuGet’s trust store via reflection/DispatchProxy at restore time.
- Adjust tests (bundle selection behavior in deployment E2E; update unit tests for the `BundleNuGetService` constructor change).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/Aspire.Deployment.EndToEnd.Tests/TypeScriptExpressDeploymentTests.cs | Adjusts CI version-selection flow to pick PR build when running under a PR. |
| tests/Aspire.Cli.Tests/Projects/PrebuiltAppHostServerTests.cs | Updates test construction to match new BundleNuGetService constructor signature. |
| src/Aspire.Managed/NuGet/TrustedRootsHelper.cs | Adds Linux-only trust store initialization from embedded PEM resources using reflection/DispatchProxy. |
| src/Aspire.Managed/NuGet/Commands/RestoreCommand.cs | Invokes trust store initialization before running NuGet restore. |
| src/Aspire.Managed/Aspire.Managed.csproj | Embeds SDK trustedroots *.pem files as assembly resources with stable logical names. |
| src/Aspire.Cli/NuGet/NuGetSignatureVerificationEnabler.cs | Adds feature-flagged env-var defaulting for spawned aspire-managed processes on Linux. |
| src/Aspire.Cli/NuGet/BundleNuGetService.cs | Plumbs feature flags into aspire-managed process env vars for restore/layout invocations. |
| src/Aspire.Cli/KnownFeatures.cs | Registers the new nugetSignatureVerificationEnabled feature flag (default: true). |

Logs shouldn't be using string interpolation. There are overloads for Log{level} that take an exception as the first argument and a message.
/deployment-test

🚀 Deployment tests starting on PR #16049... This will deploy to real Azure infrastructure. Results will be posted here when complete.
JamesNK left a comment
2 comments on TrustedRootsHelper robustness (1 medium, 1 low).
| var chainFactoryInterfaceType = nugetPackagingAssembly.GetType("NuGet.Packaging.Signing.IX509ChainFactory"); | ||
| var chainInterfaceType = nugetPackagingAssembly.GetType("NuGet.Packaging.Signing.IX509Chain"); |
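Review bot: both `GetType(...)` lookups here resolve NuGet-internal interfaces by string name and return null if a NuGet.Packaging update renames or hides `IX509ChainFactory` or `IX509Chain`, and the visible lines use neither `throwOnError: true` nor a null check. Suggest checking both results immediately and failing with an error that names the missing type, so a broken lookup cannot quietly leave signature verification enabled without a usable trust store.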
😬
Have we talked with NuGet team about making these public?
We need NuGet/NuGet.Client#7197 in order to not use reflection. It hasn't been released yet.
When it is, we can write the files to a folder next to us, and won't need this reflection.
Is there an issue to track fixing the reflection?
Set DOTNET_NUGET_SIGNATURE_VERIFICATION=true when spawning aspire-managed processes on Linux, mirroring the .NET SDK's NuGetSignatureVerificationEnabler behavior.

Embed the SDK's trusted root PEM certificates (codesignctl.pem, timestampctl.pem) as resources in Aspire.Managed, and initialize NuGet's X509TrustStore via reflection before running restore operations.

This is needed because aspire-managed is a single-file app where NuGet's fallback certificate bundle discovery (assembly-relative path) doesn't work.

Fixes microsoft#15282

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dd13e4c to 3a02a0d
closing and reopening to try to trigger the checks.
Re-running the failed jobs in the CI workflow for this pull request because 1 job was identified as retry-safe transient failures in the CI run attempt.
Python templates now use TypeScript AppHost (apphost.ts) not C# single-file AppHost (apphost.cs). Updated PythonFastApi, AppServicePython, and AcrPurgeTask tests to modify apphost.ts with the correct TypeScript API calls.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
❌ Deployment E2E Tests failed — 26 passed, 4 failed, 0 cancelled View test results and recordings
Description
Enable NuGet package signature verification for `aspire-managed` on Linux, matching the .NET SDK's behavior.

Currently, `aspire restore` does not verify NuGet package signatures because:
- `DOTNET_NUGET_SIGNATURE_VERIFICATION` environment variable is not set when spawning `aspire-managed` processes
- `aspire-managed`

This PR fixes both issues:
- `NuGetSignatureVerificationEnabler` (in Aspire.Cli): Sets `DOTNET_NUGET_SIGNATURE_VERIFICATION=true` on Linux when spawning aspire-managed processes, mirroring the .NET SDK's `NuGetSignatureVerificationEnabler`. Respects user override to `false`.
- Embedded PEM certificates (in Aspire.Managed.csproj): Embeds the SDK's `codesignctl.pem` and `timestampctl.pem` trusted root certificates as assembly resources.
- `TrustedRootsHelper` (in Aspire.Managed): Extracts embedded PEM resources and uses reflection to initialize NuGet's `X509TrustStore` with the proper certificate chain factories. Reflection is needed because `aspire-managed` is a single-file app where NuGet's fallback certificate bundle discovery (assembly-relative path) doesn't work since `Assembly.Location` returns empty string. (We need Aot compatible: NuGet.Packaging NuGet/NuGet.Client#7197 in order to not use reflection. Will update when that is released.)

Porting #15294 to main after it wasn't taken in release/13.2.
Fixes #15282
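
The two halves described above, as an added C# sketch that is not code from this PR, Aspire or NuGet: the parent defaults the variable for the child process, and the single-file child reads its trusted roots from an embedded resource. The class, method and resource names are hypothetical, and treating only a case-insensitive `false` as the opt-out is an assumption.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;

// Configure (but do not start) a child process to show the resulting setting.
var psi = new ProcessStartInfo("aspire-managed");
SignatureVerificationSketch.ApplyTo(psi, featureEnabled: true);
Console.WriteLine(psi.Environment.TryGetValue(SignatureVerificationSketch.EnvVar, out var value)
    ? $"{SignatureVerificationSketch.EnvVar}={value}"
    : "variable not set for the child");

// Hypothetical helper: these names are illustrative, not Aspire's or NuGet's.
static class SignatureVerificationSketch
{
    public const string EnvVar = "DOTNET_NUGET_SIGNATURE_VERIFICATION";

    // Parent side: default to "true" on Linux unless the feature flag is off
    // or the user explicitly set the variable to "false".
    public static void ApplyTo(ProcessStartInfo psi, bool featureEnabled)
    {
        if (!OperatingSystem.IsLinux() || !featureEnabled)
        {
            return;
        }
        // Assumption: only a case-insensitive "false" counts as an opt-out.
        var current = Environment.GetEnvironmentVariable(EnvVar);
        var optedOut = string.Equals(current, "false", StringComparison.OrdinalIgnoreCase);
        psi.Environment[EnvVar] = optedOut ? "false" : "true";
    }

    // Child side: Assembly.Location is empty in a single-file app, so the roots
    // come from an embedded PEM resource rather than an assembly-relative file.
    public static X509Certificate2Collection LoadRoots(Assembly assembly, string resourceName)
    {
        using Stream stream = assembly.GetManifestResourceStream(resourceName)
            ?? throw new InvalidOperationException($"Embedded resource '{resourceName}' not found.");
        using var reader = new StreamReader(stream);
        var roots = new X509Certificate2Collection();
        roots.ImportFromPem(reader.ReadToEnd());
        // Fail closed: an empty root set is a packaging error, not a valid trust store.
        if (roots.Count == 0)
        {
            throw new InvalidOperationException($"No certificates found in '{resourceName}'.");
        }
        return roots;
    }
}
```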