Add tests for AllowUntrustedSigning flag

- CertificateChainUtilityTests: verify GetCertificateChain with
  allowUntrustedRoot=true returns a chain (UntrustedRoot as warning)
- NuGetSignCommandTest: verify -AllowUntrustedSigning parses to
  SignArgs.AllowUntrustedRoot=true, and default is false
- XplatSignTests: verify --allow-untrusted-signing parses to
  SignArgs.AllowUntrustedRoot=true, and default is false

Co-authored-by: Copilot <[email protected]>

Author: elantiguamsft

test/NuGet.Clients.Tests/NuGet.CommandLine.Test/NuGetSignCommandTest.cs

@@ -505,5 +505,56 @@ private static SignCommand ArrangeSignCommand(string certificateFingerprint, Str
 
             return signCommand;
         }
+
+        [Fact]
+        public void SignCommandArgParsing_AllowUntrustedSigning_SetsAllowUntrustedRoot()
+        {
+            // Arrange
+            var packagePath = @"\\path\package.nupkg";
+            var certificateFingerprint = Sha256Hash;
+            var mockConsole = new Mock<IConsole>();
+            mockConsole.Setup(c => c.Verbosity).Returns(Verbosity.Detailed);
+
+            var signCommand = new SignCommand
+            {
+                Console = mockConsole.Object,
+                CertificateFingerprint = certificateFingerprint,
+                NonInteractive = true,
+                AllowUntrustedSigning = true,
+            };
+
+            signCommand.Arguments.Add(packagePath);
+
+            // Act
+            var signArgs = signCommand.GetSignArgs();
+
+            // Assert
+            Assert.True(signArgs.AllowUntrustedRoot);
+        }
+
+        [Fact]
+        public void SignCommandArgParsing_DefaultAllowUntrustedSigning_IsFalse()
+        {
+            // Arrange
+            var packagePath = @"\\path\package.nupkg";
+            var certificateFingerprint = Sha256Hash;
+            var mockConsole = new Mock<IConsole>();
+            mockConsole.Setup(c => c.Verbosity).Returns(Verbosity.Detailed);
+
+            var signCommand = new SignCommand
+            {
+                Console = mockConsole.Object,
+                CertificateFingerprint = certificateFingerprint,
+                NonInteractive = true,
+            };
+
+            signCommand.Arguments.Add(packagePath);
+
+            // Act
+            var signArgs = signCommand.GetSignArgs();
+
+            // Assert
+            Assert.False(signArgs.AllowUntrustedRoot);
+        }
     }
 }

test/NuGet.Core.FuncTests/NuGet.XPlat.FuncTest/XplatSignTests.cs

@@ -485,6 +485,46 @@ public void SignCommandArgParsing_DoesNotLogAWarningForSecureCertificateFingerpr
                 });
         }
 
+        [Fact]
+        public void SignCommandArgParsing_AllowUntrustedSigning_SetsAllowUntrustedRoot()
+        {
+            var packagePath = @"\\path\package.nupkg";
+            var certificateFingerprint = Sha256Hash;
+
+            SignCommandArgs(
+                (mockCommandRunner, testApp, getLogLevel, getParsedArg, _) =>
+                {
+                    //Arrange
+                    var argList = new List<string>() { "sign", packagePath, "--certificate-fingerprint", certificateFingerprint, "--allow-untrusted-signing" };
+
+                    //Act
+                    testApp.Execute(argList.ToArray());
+
+                    //Assert
+                    Assert.True(getParsedArg().AllowUntrustedRoot);
+                });
+        }
+
+        [Fact]
+        public void SignCommandArgParsing_DefaultAllowUntrustedSigning_IsFalse()
+        {
+            var packagePath = @"\\path\package.nupkg";
+            var certificateFingerprint = Sha256Hash;
+
+            SignCommandArgs(
+                (mockCommandRunner, testApp, getLogLevel, getParsedArg, _) =>
+                {
+                    //Arrange
+                    var argList = new List<string>() { "sign", packagePath, "--certificate-fingerprint", certificateFingerprint };
+
+                    //Act
+                    testApp.Execute(argList.ToArray());
+
+                    //Assert
+                    Assert.False(getParsedArg().AllowUntrustedRoot);
+                });
+        }
+
         private void SignCommandArgs(Action<Mock<ISignCommandRunner>, CommandLineApplication, Func<LogLevel>, Func<SignArgs>, TestCommandOutputLogger> verify)
         {
             // Arrange

test/NuGet.Core.Tests/NuGet.Packaging.Test/SigningTests/CertificateChainUtilityTests.cs

@@ -144,6 +144,33 @@ public void GetCertificateChain_WithUntrustedSelfIssuedCertificate_ReturnsChain(
             }
         }
 
+        [Fact]
+        public void GetCertificateChain_WithUntrustedRoot_AllowUntrustedRoot_ReturnsChain()
+        {
+            using (X509ChainHolder chainHolder = X509ChainHolder.CreateForCodeSigning())
+            using (var rootCertificate = SigningTestUtility.GetCertificate("root.crt"))
+            using (var intermediateCertificate = SigningTestUtility.GetCertificate("intermediate.crt"))
+            using (var leafCertificate = SigningTestUtility.GetCertificate("leaf.crt"))
+            {
+                var chain = chainHolder.Chain2;
+                var extraStore = new X509Certificate2Collection() { rootCertificate, intermediateCertificate };
+                var logger = new TestLogger();
+
+                using (var certificateChain = CertificateChainUtility.GetCertificateChain(
+                    leafCertificate,
+                    extraStore,
+                    logger,
+                    CertificateType.Signature,
+                    allowUntrustedRoot: true))
+                {
+                    Assert.True(certificateChain.Count > 0);
+                }
+
+                Assert.Equal(0, logger.Errors);
+                SigningTestUtility.AssertUntrustedRoot(logger.LogMessages, LogLevel.Warning);
+            }
+        }
+
         [Fact]
         public void GetCertificateChain_WhenCertChainNull_Throws()
         {