NuGet sign command needs to support updated private key storage requirements #11948
Labels
Functionality:Signing
Priority:2
Triage:NeedsDesignSpec
Type:Feature
NuGet Product Used
NuGet.exe
Product Version
latest
Worked before?
No response
Impact
Other
Repro Steps & Context
The current version of the CA/B Forum's baseline requirements for publicly trusted code signing certificates requires that, starting November 15, 2022, private keys remain entirely within a hardware crypto module or a cloud-based hardware crypto module. This means that NuGet's sign command, which supports private keys in a local certificate store or a PFX file, will be impacted by this change. It may be difficult for package authors to sign their packages, especially in CI/CD pipelines. See section 6.2.7.4 "Subscriber Private Key protection and verification" in Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates, version 3.0 (June 22, 2022) for details.
CC @clairernovotny, @aortiz-msft
Verbose Logs
No response