[Repository Signing] Leave nuget.org's repository signature (#417)

Add allow list for certain existing repository signatures

Progress on https://github.com/NuGet/Engineering/issues/1327

Author: loic-sharma

src/Validation.Common.Job/JsonConfigurationJob.cs

@@ -15,7 +15,6 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NuGet.Jobs.Configuration;
-using NuGet.Jobs.Validation.Storage;
 using NuGet.Services.Configuration;
 using NuGet.Services.KeyVault;
 using NuGet.Services.Logging;

src/Validation.Common.Job/Validation.Common.Job.csproj

@@ -88,7 +88,7 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Packaging">
-      <Version>4.7.0-preview4.5067</Version>
+      <Version>4.8.0-preview1.5179</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
       <Version>2.23.0</Version>

src/Validation.Common.Job/Validation.Common.Job.nuspec

@@ -15,7 +15,7 @@
         <dependency id="Microsoft.ApplicationInsights" version="2.2.0" />
         <dependency id="Microsoft.Extensions.DependencyInjection" version="1.1.1" />
         <dependency id="Microsoft.Extensions.Options.ConfigurationExtensions" version="1.1.2" />
-        <dependency id="NuGet.Packaging" version="4.7.0-preview4.5067" />
+        <dependency id="NuGet.Packaging" version="4.8.0-preview1.5179" />
         <dependency id="NuGet.Services.Configuration" version="2.23.0" />
         <dependency id="NuGet.Services.Logging" version="2.23.0" />
         <dependency id="NuGet.Services.Storage" version="2.23.0" />

src/Validation.PackageSigning.ProcessSignature/ISignatureFormatValidator.cs

@@ -0,0 +1,34 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Threading;
+using System.Threading.Tasks;
+using NuGet.Packaging.Signing;
+
+namespace NuGet.Jobs.Validation.PackageSigning.ProcessSignature
+{
+    public interface ISignatureFormatValidator
+    {
+        /// <summary>
+        /// Verify that the package's signature is readable. Does not perform integrity or trust validations.
+        /// </summary>
+        /// <param name="package">The package to validate</param>
+        /// <param name="token"></param>
+        /// <returns>Whether the package's signature is readable.</returns>
+        Task<VerifySignaturesResult> ValidateMinimalAsync(
+            ISignedPackageReader package,
+            CancellationToken token);
+
+        /// <summary>
+        /// Run all validations on the package's signature. This includes integrity and trust validations.
+        /// </summary>
+        /// <param name="package">The package to validate.</param>
+        /// <param name="hasRepositorySignature">If false, skips the certificate allow list verification of the repository signature.</param>
+        /// <param name="token"></param>
+        /// <returns>Whether the package's signature is valid.</returns>
+        Task<VerifySignaturesResult> ValidateFullAsync(
+            ISignedPackageReader package,
+            bool hasRepositorySignature,
+            CancellationToken token);
+    }
+}

src/Validation.PackageSigning.ProcessSignature/Job.cs

@@ -23,10 +23,12 @@ namespace NuGet.Jobs.Validation.PackageSigning.ProcessSignature
     public class Job : SubcriptionProcessorJob<SignatureValidationMessage>
     {
         private const string CertificateStoreConfigurationSectionName = "CertificateStore";
+        private const string ProcessSignatureConfigurationSectionName = "ProcessSignature";
 
         protected override void ConfigureJobServices(IServiceCollection services, IConfigurationRoot configurationRoot)
         {
             services.Configure<CertificateStoreConfiguration>(configurationRoot.GetSection(CertificateStoreConfigurationSectionName));
+            services.Configure<ProcessSignatureConfiguration>(configurationRoot.GetSection(ProcessSignatureConfigurationSectionName));
 
             services.AddTransient<ISubscriptionProcessor<SignatureValidationMessage>, SubscriptionProcessor<SignatureValidationMessage>>();
 
@@ -59,16 +61,8 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
             services.AddTransient<IMessageHandler<SignatureValidationMessage>, SignatureValidationMessageHandler>();
             services.AddTransient<IPackageSigningStateService, PackageSigningStateService>();
             services.AddTransient<ISignaturePartsExtractor, SignaturePartsExtractor>();
-
-            services.AddTransient<ISignatureValidator, SignatureValidator>(p => new SignatureValidator(
-                p.GetRequiredService<IPackageSigningStateService>(),
-                PackageSignatureVerifierFactory.CreateMinimal(),
-                PackageSignatureVerifierFactory.CreateFull(),
-                p.GetRequiredService<ISignaturePartsExtractor>(),
-                p.GetRequiredService<IProcessorPackageFileService>(),
-                p.GetRequiredService<ICorePackageService>(),
-                p.GetRequiredService<ITelemetryService>(),
-                p.GetRequiredService<ILogger<SignatureValidator>>()));
+            services.AddTransient<ISignatureFormatValidator, SignatureFormatValidator>();
+            services.AddTransient<ISignatureValidator, SignatureValidator>();
         }
 
         protected override void ConfigureAutofacServices(ContainerBuilder containerBuilder)

src/Validation.PackageSigning.ProcessSignature/PackageSignatureVerifierFactory.cs

@@ -0,0 +1,24 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+
+namespace NuGet.Jobs.Validation.PackageSigning
+{
+    public class ProcessSignatureConfiguration
+    {
+        /// <summary>
+        /// When a package with a repository signature is being validated, the signing certificate of the repository
+        /// signature must have a SHA-256 fingerprint in this list. If it does not, the repository signature is
+        /// removed.
+        /// </summary>
+        public List<string> AllowedRepositorySigningCertificates { get; set; }
+
+        /// <summary>
+        /// The service index URL to validate against any repository signature. If a package being validated has a
+        /// repository signature and that signature has a V3 service index URL that does not match this value, the
+        /// repository signature is removed.
+        /// </summary>
+        public string V3ServiceIndexUrl { get; set; }
+    }
+}

src/Validation.PackageSigning.ProcessSignature/ProcessSignatureConfiguration.cs

@@ -17,6 +17,12 @@
   "ValidationStorage": {
     "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=nugetdevlegacy;AccountKey=$$Dev-NuGetDevLegacyStorage-Key$$"
   },
+  "ProcessSignature": {
+    "AllowedRepositorySigningCertificates": [
+      "0e5f38f57dc1bcc806d8494f4f90fbcedd988b46760709cbeec6f4219aa6157d"
+    ],
+    "V3ServiceIndexUrl": "https://apidev.nugettest.org/v3/index.json"
+  },
 
   "PackageDownloadTimeout": "00:10:00",
 

src/Validation.PackageSigning.ProcessSignature/Settings/dev.json

@@ -17,6 +17,10 @@
   "ValidationStorage": {
     "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=nugetint0;AccountKey=$$Int-NuGetInt0Storage-Key$$"
   },
+  "ProcessSignature": {
+    "AllowedRepositorySigningCertificates": [],
+    "V3ServiceIndexUrl": "https://apiint.nugettest.org/v3/index.json"
+  },
 
   "PackageDownloadTimeout": "00:10:00",
 

src/Validation.PackageSigning.ProcessSignature/Settings/int.json

@@ -17,6 +17,10 @@
   "ValidationStorage": {
     "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=nugetgallery;AccountKey=$$Prod-NuGetGalleryStorage-Key$$"
   },
+  "ProcessSignature": {
+    "AllowedRepositorySigningCertificates": [],
+    "V3ServiceIndexUrl": "https://api.nuget.org/v3/index.json"
+  },
 
   "PackageDownloadTimeout": "00:10:00",