andersnm/ExcelNumberFormat

Excelnumberformat 1.1.0 valid date expired (Valid from: 2018-04-10 08:00:00 to 2021-04-14 20:00:00)

shps951023 opened this issue · 6 comments

PS C:\Users\Wei> dotnet nuget verify "C:\Users\Wei\Downloads\excelnumberformat.1.1.0 (1).nupkg"

Verifying ExcelNumberFormat.1.1.0

Signature type: Repository
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Valid from: 2018-04-10 08:00:00 to 2021-04-14 20:00:00

Hi @andersnm,
I found that the valid date of ExcelNumberFormat.1.1.0 has expired. Could you upload a new signature for NuGet? Thanks!

Hi @shps951023, are you having any real problems caused by this?

Hi @andersnm ,

My project https://github.com/shps951023/MiniExcel use your project
And this will cause error NU3037, and it can't pass government-level checking.

NU3037 is raised as a warning. When NuGet’s signature validation mode is set to require, or when running the nuget verify -signatures command

Thank you for your reply.

Hi,

Is it a long time since you downloaded that .nuget file? After a cursory check it sounds like a client issue, and I would be surprised if all nuget packages somehow expired every couple years.

NuGet/Announcements#58
https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-march-15th-2021/
https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/

Hi @andersnm ,
For all clients, and I downloaded it from the official NuGet website and tested yesterday. You can use the CLI below to test:

dotnet nuget verify  "C:\Users\Wei\Downloads\excelnumberformat.1.1.0.nupkg"


Default clients will not use nuget verify -signatures, so the system will ignore this error. But high-security companies, like government-level ones, will use it, and it will be upgraded to a build error.

Hi @shps951023,

Are you really getting the NU3037 warning/error? Or did you see the expiration date and then assume it will cause NU3037?

Per this ticket, NuGet/Announcements#58, the NuGet client should fall back to "a timestamp for verification", which is what seems to happen for me:

>nuget verify -signatures "excelnumberformat.1.1.0 (1).nupkg"

Verifying ExcelNumberFormat.1.1.0
...

Signature Hash Algorithm: SHA256

Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: andersnm
Verifying the repository primary signature with certificate:

  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 4/10/2018 2:00:00 AM to 4/14/2021 2:00:00 PM
Timestamp: 10/2/2020 2:09:17 PM

Verifying repository primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
  SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 12/23/2017 1:00:00 AM to 3/23/2029 12:59:59 AM


Successfully verified package 'ExcelNumberFormat.1.1.0'.

The ticket also mentions that packages are "automatically re-signed by NuGet.org with an updated certificate", but the cert in the .nuget is indeed still expired.

Seemingly the "fix" is to simply reupload the package, so that it gets signed with the new certificate, but nowhere can I find a rationale or warning that all package authors need to reupload their packages every few years. The same issue would affect all other packages uploaded to NuGet before 15 March 2021, for example:

https://www.nuget.org/packages/Moq/
https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/
https://www.nuget.org/packages/AutoMapper/
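As an added illustration of the timestamp fallback described above (example code, not from this thread or the project): a parser for the validity and timestamp lines of a `dotnet nuget verify` report that classifies the signature the way a timestamp-aware verifier does. The sample report is constructed from the values quoted in this thread, and the code assumes the timestamping chain itself has already been verified.

```python
import re
from datetime import datetime

# Constructed sample: the relevant lines of a `dotnet nuget verify` report,
# with the certificate dates and timestamp copied from this thread.
SAMPLE_REPORT = """\
Verifying the repository primary signature with certificate:
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  Valid from: 4/10/2018 2:00:00 AM to 4/14/2021 2:00:00 PM
Timestamp: 10/2/2020 2:09:17 PM
"""

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"  # the en-US format nuget.exe printed above


def parse_report(report: str):
    """Return (not_before, not_after, timestamp_or_None) of the primary signature."""
    m = re.search(r"Valid from: (.+?) to (.+)", report)
    if not m:
        raise ValueError("no signing-certificate validity line found")
    not_before = datetime.strptime(m.group(1).strip(), DATE_FMT)
    not_after = datetime.strptime(m.group(2).strip(), DATE_FMT)
    t = re.search(r"^Timestamp: (.+)$", report, re.MULTILINE)
    timestamp = datetime.strptime(t.group(1).strip(), DATE_FMT) if t else None
    return not_before, not_after, timestamp


def signature_status(report: str, now_iso: str) -> str:
    """Classify a signature given the verification time (ISO 8601 string).

    'cert-valid'         : signing certificate still inside its validity window
    'valid-by-timestamp' : certificate has expired, but a trusted RFC 3161
                           timestamp proves the signature was made while it was
                           valid; this is the fallback NuGet applies, so no NU3037
    'expired'            : certificate expired and no timestamp inside its window,
                           so NU3037 is expected (warning, error in 'require' mode)
    """
    not_before, not_after, ts = parse_report(report)
    now = datetime.fromisoformat(now_iso)
    if not_before <= now <= not_after:
        return "cert-valid"
    if ts is not None and not_before <= ts <= not_after:
        return "valid-by-timestamp"
    return "expired"
```

Feeding a report whose signature lacks a timestamp, or whose timestamp falls after the certificate's expiry, yields "expired", which is the case in which a client in require mode fails the build.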

Are you really getting the NU3037 warning/error? Or did you see the expiration date and then assume it will cause NU3037?

Yes, test environment: Mac + dotnet core 3.1

Per this ticket, NuGet/Announcements#58, the NuGet client should fall back to "a timestamp for verification", which is what seems to happen for me:

Thanks. If I use the new version, the problem can be resolved on my PC, but if the customer's PC can't upgrade dotnet it will have the same problem.

Best regards