Skip to content

[release/6.0] Ignore non-X509 certificates in SignedCms #67462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 13, 2022
Merged

[release/6.0] Ignore non-X509 certificates in SignedCms #67462

merged 2 commits into from
Apr 13, 2022

Conversation

@bartonjs
Copy link
Member

@bartonjs bartonjs commented Apr 1, 2022

This is a backport of #64348 at the request of NuGet (cc @dtivel).

Customer Impact

.NET fails to understand RFC 3161 timestamps from Microsoft timestamping services, including Azure Code Signing timestamping. There is a risk that signed NuGet packages would fail to verify with such a timestamp.

Testing

Automated test included with the PR.

Risk

Low risk. This fix has been in dotnet/runtime:main for over 2 months.

bartonjs added 2 commits April 1, 2022 14:18
@bartonjs
Ignore non-X509 certificates in SignedCms
5bddd22 
This allows for AttributeCertificateV1/AttributeCertificateV2/OtherCertificate
entries in the SignedCms without causing a decode error.  That data is not presented
to callers via the SignedCms object, but the behavior is consistent with SignedCms on
.NET Framework and its underlying WinCryptMsg counterpart.
@bartonjs
Add packaging changes for servicing
dfd1111
@bartonjs bartonjs added Servicing-consider Issue for next servicing release review area-System.Security labels Apr 1, 2022
@bartonjs bartonjs added this to the 6.0.x milestone Apr 1, 2022
@ghost ghost assigned bartonjs Apr 1, 2022
@ghost
Copy link

ghost commented Apr 1, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This is a backport of #64348 at the request of NuGet (cc @dtivel).

Customer Impact

.NET fails to understand RFC 3161 timestamps from Microsoft timestamping services, including Azure Code Signing timestamping. There is a risk that signed NuGet packages would fail to verify with such a timestamp.

Testing

Automated test included with the PR.

Risk

Low risk. This fix has been in dotnet/runtime:main for over 2 months.

Author: bartonjs
Assignees: -
Labels:

Servicing-consider, area-System.Security
Milestone: 6.0.x

@leecow leecow added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Apr 5, 2022
@leecow leecow modified the milestones: 6.0.x, 6.0.5 Apr 5, 2022
@carlossanlop carlossanlop merged commit 7e2e3c9 into dotnet:release/6.0 Apr 13, 2022
@ghost ghost locked as resolved and limited conversation to collaborators May 13, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@carlossanlop carlossanlop carlossanlop approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@bartonjs bartonjs

Labels

area-System.Security Servicing-approved Approved for servicing release

Projects

None yet

Milestone

6.0.5

Development

Successfully merging this pull request may close these issues.

3 participants

@bartonjs @carlossanlop @leecow