{"id":140,"date":"2018-12-05T00:00:00","date_gmt":"2018-12-05T08:00:00","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/nuget\/lock-down-your-dependencies-using-configurable-trust-policies"},"modified":"2018-12-05T00:00:00","modified_gmt":"2018-12-05T08:00:00","slug":"lock-down-your-dependencies-using-configurable-trust-policies","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/lock-down-your-dependencies-using-configurable-trust-policies\/","title":{"rendered":"Lock down your dependencies using configurable trust policies"},"content":{"rendered":"

For the past several months we have focused on various features to improve package security and trust. Around a year back, we had announced our plans on various signing functionalities<\/a> that we have been implementing at a steady pace. We enabled package author signing<\/a> and NuGet.org repository signing<\/a> earlier this year. Continuing on the signing journey, we are happy to announce configurable client policies to secure developer environments for packages. With this feature, developers can now customize their environment to define package authors and\/or package repositories they trust thereby allowing only trusted packages to be installed. This information is stored in the nuget.config<\/code> file and can be configured to match your needs.<\/p>\n

How to lock down your environment<\/h2>\n

Turn on require<\/code> mode<\/h3>\n

You can enforce all your package dependencies to be signed just by enabling the require<\/code> mode.<\/p>\n

nuget.exe config -set signatureValidationMode=require<\/code><\/pre>\n
Configure trusted package repositories<\/h3>\n
You can then define your trust boundaries by specifying trustedSigners<\/code>. For example, * You may just want to trust all packages available in NuGet.org:<\/p>\n
 nuget.exe trusted-signers add -name NuGet.org -serviceindex https:\/\/api.nuget.org\/v3\/index.json<\/code><\/pre>\n
If you want to trust packages from specific NuGet authors\/accounts, you can specify the collection of owners:<\/p>\n
 nuget.exe trusted-signers add -name NuGet.org -serviceindex https:\/\/api.nuget.org\/v3\/index.json -owners microsoft;nuget<\/code><\/pre>\n
\n
NuGet.org adds repository signature to all new packages. We have started signing existing packages and we will announce when we are done. Subscribe to NuGet\/Announcements<\/a> repo for latest NuGet updates.<\/p>\n<\/blockquote>\n
Configure trusted package authors<\/h3>\n
You can configure trust based on the author signature by specifying the certificate fingerprint in SHA256. You can get the SHA256 fingerprint from any signed package using the verify command<\/a>. This enables you to consume packages from this trusted author irrespective of the package repository\/source.<\/p>\n
nuget.exe trusted-signers add -name Microsoft -certificateFingerprint 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE<\/code><\/pre>\n
\n
You can also add trusted signers, author or repository, by using an existing signed package. For more information see the trusted-signers<\/a> command reference.<\/p>\n<\/blockquote>\n
Best practices<\/h3>\n
Share your nuget.config<\/code><\/h4>\n
nuget.config<\/code> is a great option to share your settings across all your team members and even CI machines. If you keep your nuget.config<\/code> file with the solution folder, install and restore operations will always use these settings. And this file can be easily shared along with your source code. To create a nuget.config<\/code> file you can use the dotnet new nugetconfig<\/code><\/a> from your solution root folder.<\/p>\n
Use a different global-packages folder<\/h4>\n
If you have different repos\/solutions on your machine with different trust configurations, you must isolate the global-packages folder for each solution. This is because NuGet does trust validation only on package extraction to the globalPackagesFolder<\/code> i.e. if a package is already present in the globalPackagesFolder<\/code>, there is no check performed.<\/p>\n
Example Config File<\/h3>\n
The following nuget.config<\/code> file uses require<\/code> mode and trusts packages in NuGet.org from the Microsoft<\/em> account. Additionally, it also trusts packages signed with a private certificate.<\/p>\n
\n
Note that the global package folder has also been customized.<\/p>\n<\/blockquote>\n
<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n\n  <config>\n    <add key=\"signatureValidationMode\" value=\"require\" \/>    \n    <add key=\"globalPackagesFolder\" value=\"%USERPROFILE%\\.nuget\\TrustedPackages\" \/>\n  <\/config>\n\n <packageSources>\n    <clear \/>\n    <add key=\"local\" value=\"\\\\myserver\\packages\\\" \/>\n    <add key=\"nuget\" value=\"https:\/\/api.nuget.org\/v3\/index.json\" \/>\n <\/packageSources>\n\n <trustedSigners> \n  <author name=\"MyCompanyCert\">\n    <certificate fingerprint=\"F23175B9B052CE9C9D7E1546316F48A422DA3051FC79F4DB58ED5D78E372CEEC\" \n                 hashAlgorithm=\"SHA256\" \n                 allowUntrustedRoot=\"true\" \/> <!-- Enable private certificates-->\n  <\/author>\n\n  <repository name=\"nuget.org\" serviceIndex=\"https:\/\/api.nuget.org\/v3\/index.json\">\n    <certificate fingerprint=\"0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D\" \n                 hashAlgorithm=\"SHA256\" \n                 allowUntrustedRoot=\"false\" \/>\n    <owners>Microsoft<\/owners>\n  <\/repository>\n <\/trustedSigners>\n<\/configuration>\n<\/code><\/pre>\n
Reference documentation<\/h2>\n
Here are the docs for configuring package signature requirements<\/a>, the nuget.config trustedSigners section<\/a>, and the trusted-signers<\/a> command.<\/p>\n
Conclusion<\/h2>\n
Defining trust policies enable additional security checks to protect your entire dependency graph, not only for packages obtained from NuGet.org but also from any other package repository. As long as all the packages you consume are signed you can enable the require<\/code> mode to detect any tampered or unsigned package. It lets you control the authors and repositories that you trust. For more information on how to protect your dependencies with signed packages, look at our documentation<\/a>. If you have any feedback or encounter any issues while using this feature, do reach out to us by creating a GitHub issue<\/a> or by tagging @nuget<\/a> in your tweets.<\/p>\n","protected":false},"excerpt":{"rendered":"
For the past several months we have focused on various features to improve package security and trust. Around a year back, we had announced our plans on various signing functionalities that we have been implementing at a steady pace. We enabled package author signing and NuGet.org repository signing earlier this year. Continuing on the signing […]<\/p>\n","protected":false},"author":636,"featured_media":611,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7874,326],"tags":[],"class_list":["post-140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nuget","category-security"],"acf":[],"blog_post_summary":"
For the past several months we have focused on various features to improve package security and trust. Around a year back, we had announced our plans on various signing functionalities that we have been implementing at a steady pace. We enabled package author signing and NuGet.org repository signing earlier this year. Continuing on the signing […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/636"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=140"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/140\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/611"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}