NuGet Signing #43
Replies: 3 comments 4 replies
-
Some of this has been an issue for NUnit too, so I hear you. The board discussed this very briefly today. No decisions were made, and we need to work through the technical details, but I hope this is something that the maintainers committee can help us with.
-
I'm on board with this. I'm super grateful to the foundation for providing us with a certificate, but we ran into practicality issues with the dotnetfoundation ownership pain point. We have interim solutions in place, but I agree this shouldn't necessarily be a requirement. Moreover, anyone who code-signs a dotnetfoundation-owned package should have the freedom to use their own resources (probably best to eliminate waste in the foundation too!). I understand that the foundation has project continuity in mind when taking control of resources such as NuGet packages and GitHub repositories, but I don't think the foundation having this access should be a detriment to or affect the project in any way. Moreover, we already have our own NuGet organisation for managing our packages, which continues to be used for new packages via continuous delivery. Considering that a considerable number of entire packages are generated, this being a requirement is another thing to keep on top of: there are no APIs for automating adding the dotnetfoundation as an owner, and in my correspondence with the NuGet team there are only plans to create internal tools to facilitate this. Happy to help with any of this :)
-
Discussed offline with Bill Wagner and some project maintainers (Bill did say he's not a domain expert, to be fair). He said one reason the board considered the NuGet locking was for ensured identity. Code signing certificates are verified independently before they are issued. We have a 501(c)(3) that we use for donations and that we pay our documentation expenses from. This entity is also the one we used for NuGet package signing, and we would like to take over our own package signing. This process at companies like DigiCert makes sure that there is a valid entity behind it. Additionally, up until recently each project's organisation NuGet account would have a public certificate. This was far easier for new packages to be added to NuGet, since authentication for a project is with its own organisation NuGet account and not the .NET Foundation account.
-
At the moment, if the owner of a NuGet package is "dotnetfoundation", it is unable to change its signing organisation.
This can be problematic for projects that want to do their own signing with their own acquired signing certificate.
I imagine that some projects should have forced signing organisations, such as dotnet/runtime etc.
Is it possible to have projects opt out, and are there any consequences to removing "dotnetfoundation" as an owner?
Maybe have a different owner for non-core projects where you can host community-owned assets?
What about the signing service? I've had problems with certain larger packages where it has been a problem. Also, I know projects such as Silk.net with lots of packages have struggled to get all their packages under the "dotnetfoundation" owner, and that has been a pain point for them.