NuGet
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/Job.cs‎
Lines changed: 7 additions & 2 deletions b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/Job.cs‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/MinimalSignatureVerificationProvider.cs‎
Lines changed: 31 additions & 0 deletions b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/MinimalSignatureVerificationProvider.cs‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/PackageSignatureVerifierFactory.cs‎
Lines changed: 27 additions & 1 deletion b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/PackageSignatureVerifierFactory.cs‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs‎
Lines changed: 70 additions & 18 deletions b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs‎
Lines changed: 70 additions & 18 deletions
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj‎
Lines changed: 1 addition & 0 deletions b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/SignatureValidatorFacts.cs‎
Lines changed: 83 additions & 11 deletions b/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/SignatureValidatorFacts.cs‎
Lines changed: 83 additions & 11 deletions
@@ -184,10 +184,15 @@ private void ConfigureJobServices(IServiceCollection services, IConfigurationRoo
             services.AddTransient<IBrokeredMessageSerializer<SignatureValidationMessage>, SignatureValidationMessageSerializer>();
             services.AddTransient<IMessageHandler<SignatureValidationMessage>, SignatureValidationMessageHandler>();
             services.AddTransient<IPackageSigningStateService, PackageSigningStateService>();
-            services.AddTransient<ISignatureValidator, SignatureValidator>();
             services.AddTransient<ISignaturePartsExtractor, SignaturePartsExtractor>();
 
-            services.AddTransient(p => PackageSignatureVerifierFactory.Create());
+            services.AddTransient<ISignatureValidator, SignatureValidator>(p => new SignatureValidator(
+                p.GetRequiredService<IPackageSigningStateService>(),
+                PackageSignatureVerifierFactory.CreateMinimal(),
+                PackageSignatureVerifierFactory.CreateFull(),
+                p.GetRequiredService<ISignaturePartsExtractor>(),
+                p.GetRequiredService<IEntityRepository<Certificate>>(),
+                p.GetRequiredService<ILogger<SignatureValidator>>()));
 
             services.AddSingleton(p =>
             {
 
@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using NuGet.Packaging.Signing;
+
+namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
+{
+    /// <summary>
+    /// A signature verification provider which performs no verification at all. It allows amount of verification to be
+    /// done by <see cref="IPackageSignatureVerifier"/> before performing more in-depth analysis.
+    /// </summary>
+    public class MinimalSignatureVerificationProvider : ISignatureVerificationProvider
+    {
+        public Task<PackageVerificationResult> GetTrustResultAsync(
+            ISignedPackageReader package,
+            Signature signature,
+            SignedPackageVerifierSettings settings,
+            CancellationToken token)
+        {
+            var result = new SignedPackageVerificationResult(
+                SignatureVerificationStatus.Trusted,
+                signature,
+                Enumerable.Empty<SignatureLog>());
+
+            return Task.FromResult<PackageVerificationResult>(result);
+        }
+    }
+}
@@ -10,7 +10,33 @@ namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
     /// </summary>
     public static class PackageSignatureVerifierFactory
     {
-        public static IPackageSignatureVerifier Create()
+        /// <summary>
+        /// Initializes a verifier that only verifies the format of the signature. No integrity or trust checks are
+        /// performed.
+        /// </summary>
+        public static IPackageSignatureVerifier CreateMinimal()
+        {
+            var verificationProviders = new[]
+            {
+                new MinimalSignatureVerificationProvider(),
+            };
+
+            var settings = new SignedPackageVerifierSettings(
+                allowUnsigned: true,
+                allowUntrusted: false, // Invalid format of the signature uses this flag to determine success.
+                allowIgnoreTimestamp: true,
+                failWithMultipleTimestamps: false,
+                allowNoTimestamp: true);
+
+            return new PackageSignatureVerifier(
+                verificationProviders,
+                settings);
+        }
+
+        /// <summary>
+        /// Initializes a verifier that performs all integrity and trust checks required by the server.
+        /// </summary>
+        public static IPackageSignatureVerifier CreateFull()
         {
             var verificationProviders = new[]
             {
 
@@ -19,20 +19,23 @@ namespace NuGet.Jobs.Validation.PackageSigning.ExtractAndValidateSignature
     public class SignatureValidator : ISignatureValidator
     {
         private readonly IPackageSigningStateService _packageSigningStateService;
-        private readonly IPackageSignatureVerifier _packageSignatureVerifier;
+        private readonly IPackageSignatureVerifier _minimalPackageSignatureVerifier;
+        private readonly IPackageSignatureVerifier _fullPackageSignatureVerifier;
         private readonly ISignaturePartsExtractor _signaturePartsExtractor;
         private readonly IEntityRepository<Certificate> _certificates;
         private readonly ILogger<SignatureValidator> _logger;
 
         public SignatureValidator(
             IPackageSigningStateService packageSigningStateService,
-            IPackageSignatureVerifier packageSignatureVerifier,
+            IPackageSignatureVerifier minimalPackageSignatureVerifier,
+            IPackageSignatureVerifier fullPackageSignatureVerifier,
             ISignaturePartsExtractor signaturePartsExtractor,
             IEntityRepository<Certificate> certificates,
             ILogger<SignatureValidator> logger)
         {
             _packageSigningStateService = packageSigningStateService ?? throw new ArgumentNullException(nameof(packageSigningStateService));
-            _packageSignatureVerifier = packageSignatureVerifier ?? throw new ArgumentNullException(nameof(packageSignatureVerifier));
+            _minimalPackageSignatureVerifier = minimalPackageSignatureVerifier ?? throw new ArgumentNullException(nameof(minimalPackageSignatureVerifier));
+            _fullPackageSignatureVerifier = fullPackageSignatureVerifier ?? throw new ArgumentNullException(nameof(fullPackageSignatureVerifier));
             _signaturePartsExtractor = signaturePartsExtractor ?? throw new ArgumentNullException(nameof(signaturePartsExtractor));
             _certificates = certificates ?? throw new ArgumentNullException(nameof(certificates));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
@@ -77,7 +80,20 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
             SignatureValidationMessage message,
             CancellationToken cancellationToken)
         {
-            // Block packages that don't have exactly one signature.
+            // First, detect format errors with a minimal verification. This doesn't even check package integrity. The
+            // minimal verification is expected to swallow any sort of signature format exception.
+            var invalidFormatResult = await GetVerifyResult(
+                _minimalPackageSignatureVerifier,
+                packageKey,
+                signedPackageReader,
+                message,
+                cancellationToken);
+            if (invalidFormatResult != null)
+            {
+                return invalidFormatResult;
+            }
+
+            // We now know we can safely read the signature.
             var packageSignature = await signedPackageReader.GetSignatureAsync(cancellationToken);
 
             // Block packages with any unknown signing certificates.
@@ -89,7 +105,7 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
                 .GetAll()
                 .Where(c => packageThumbprint == c.Thumbprint)
                 .Any();
-            
+
             if (!isKnownCertificate)
             {
                 _logger.LogInformation(
@@ -105,8 +121,55 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
                     ValidationIssue.PackageIsSigned);
             }
 
+            if (packageSignature.Type != SignatureType.Author)
+            {
+                _logger.LogInformation(
+                    "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has a non-author signature: {SignatureType}",
+                    message.PackageId,
+                    message.PackageVersion,
+                    message.ValidationId,
+                    packageSignature.Type);
+
+                return await RejectAsync(
+                    packageKey,
+                    message,
+                    ValidationIssue.OnlyAuthorSignaturesSupported);
+            }
+
             // Call the "verify" API, which does the main logic of signature validation.
-            var verifyResult = await _packageSignatureVerifier.VerifySignaturesAsync(
+            var failureResult = await GetVerifyResult(
+                _fullPackageSignatureVerifier,
+                packageKey,
+                signedPackageReader,
+                message,
+                cancellationToken);
+            if (failureResult != null)
+            {
+                return failureResult;
+            }
+
+            _logger.LogInformation(
+                "Signed package {PackageId} {PackageVersion} for validation {ValidationId} is valid with certificate thumbprint: {PackageThumbprint}",
+                message.PackageId,
+                message.PackageVersion,
+                message.ValidationId,
+                packageThumbprint);
+
+            // Extract all of the signature artifacts and persist them.
+            await _signaturePartsExtractor.ExtractAsync(signedPackageReader, cancellationToken);
+
+            // Mark this package as signed.
+            return await AcceptAsync(packageKey, message, PackageSigningStatus.Valid);
+        }
+
+        private async Task<SignatureValidatorResult> GetVerifyResult(
+            IPackageSignatureVerifier verifier,
+            int packageKey,
+            ISignedPackageReader signedPackageReader,
+            SignatureValidationMessage message,
+            CancellationToken cancellationToken)
+        {
+            var verifyResult = await verifier.VerifySignaturesAsync(
                 signedPackageReader,
                 cancellationToken);
             if (!verifyResult.Valid)
@@ -140,19 +203,8 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
                         .Select(x => new ClientSigningVerificationFailure(x.Code.ToString(), x.Message))
                         .ToArray());
             }
-            
-            _logger.LogInformation(
-                "Signed package {PackageId} {PackageVersion} for validation {ValidationId} is valid with certificate thumbprint: {PackageThumbprint}",
-                message.PackageId,
-                message.PackageVersion,
-                message.ValidationId,
-                packageThumbprint);
-
-            // Extract all of the signature artifacts and persist them.
-            await _signaturePartsExtractor.ExtractAsync(signedPackageReader, cancellationToken);
 
-            // Mark this package as signed.
-            return await AcceptAsync(packageKey, message, PackageSigningStatus.Valid);
+            return null;
         }
 
         private async Task<SignatureValidatorResult> RejectAsync(
 
@@ -45,6 +45,7 @@
     <Compile Include="HashedCertificate.cs" />
     <Compile Include="ISignaturePartsExtractor.cs" />
     <Compile Include="ISignatureValidator.cs" />
+    <Compile Include="MinimalSignatureVerificationProvider.cs" />
     <Compile Include="PackageSignatureVerifierFactory.cs" />
     <Compile Include="SignaturePartsExtractor.cs" />
     <Compile Include="SignatureValidator.cs" />
 
@@ -29,8 +29,10 @@ public class ValidateAsync
             private readonly SignatureValidationMessage _message;
             private readonly CancellationToken _cancellationToken;
             private readonly Mock<IPackageSigningStateService> _packageSigningStateService;
-            private VerifySignaturesResult _verifyResult;
-            private readonly Mock<IPackageSignatureVerifier> _packageSignatureVerifier;
+            private VerifySignaturesResult _mimialVerifyResult;
+            private readonly Mock<IPackageSignatureVerifier> _mimimalPackageSignatureVerifier;
+            private VerifySignaturesResult _fullVerifyResult;
+            private readonly Mock<IPackageSignatureVerifier> _fullPackageSignatureVerifier;
             private readonly Mock<ISignaturePartsExtractor> _signaturePartsExtractor;
             private readonly Mock<IEntityRepository<Certificate>> _certificates;
             private readonly Mock<ILogger<SignatureValidator>> _logger;
@@ -53,11 +55,17 @@ public ValidateAsync()
 
                 _packageSigningStateService = new Mock<IPackageSigningStateService>();
 
-                _verifyResult = new VerifySignaturesResult(true);
-                _packageSignatureVerifier = new Mock<IPackageSignatureVerifier>();
-                _packageSignatureVerifier
+                _mimialVerifyResult = new VerifySignaturesResult(true);
+                _mimimalPackageSignatureVerifier = new Mock<IPackageSignatureVerifier>();
+                _mimimalPackageSignatureVerifier
                     .Setup(x => x.VerifySignaturesAsync(It.IsAny<ISignedPackageReader>(), It.IsAny<CancellationToken>()))
-                    .ReturnsAsync(() => _verifyResult);
+                    .ReturnsAsync(() => _mimialVerifyResult);
+
+                _fullVerifyResult = new VerifySignaturesResult(true);
+                _fullPackageSignatureVerifier = new Mock<IPackageSignatureVerifier>();
+                _fullPackageSignatureVerifier
+                    .Setup(x => x.VerifySignaturesAsync(It.IsAny<ISignedPackageReader>(), It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(() => _fullVerifyResult);
 
                 _signaturePartsExtractor = new Mock<ISignaturePartsExtractor>();
                 _certificates = new Mock<IEntityRepository<Certificate>>();
@@ -69,7 +77,8 @@ public ValidateAsync()
 
                 _target = new SignatureValidator(
                     _packageSigningStateService.Object,
-                    _packageSignatureVerifier.Object,
+                    _mimimalPackageSignatureVerifier.Object,
+                    _fullPackageSignatureVerifier.Object,
                     _signaturePartsExtractor.Object,
                     _certificates.Object,
                     _logger.Object);
@@ -155,14 +164,77 @@ await ConfigureKnownSignedPackage(
             }
 
             [Fact]
-            public async Task RejectsSignedPackagesWithKnownCertificatesButFailedVerifyResult()
+            public async Task RejectsSignedPackagesWithFailedMinimalVerifyResult()
+            {
+                // Arrange
+                await ConfigureKnownSignedPackage(
+                    TestResources.SignedPackageLeaf1Reader,
+                    TestResources.Leaf1Thumbprint);
+
+                _mimialVerifyResult = new VerifySignaturesResult(valid: false);
+
+                // Act
+                var result = await _target.ValidateAsync(
+                    _packageKey,
+                    _packageMock.Object,
+                    _message,
+                    _cancellationToken);
+
+                // Assert
+                Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
+                Assert.Empty(result.Issues);
+                _fullPackageSignatureVerifier.Verify(
+                    x => x.VerifySignaturesAsync(It.IsAny<ISignedPackageReader>(), It.IsAny<CancellationToken>()),
+                    Times.Never);
+            }
+
+            [Fact]
+            public async Task RejectsPackagesWithMimimalVerificationErrors()
+            {
+                // Arrange
+                await ConfigureKnownSignedPackage(
+                    TestResources.SignedPackageLeaf1Reader,
+                    TestResources.Leaf1Thumbprint);
+
+                _mimialVerifyResult = new VerifySignaturesResult(
+                    valid: false,
+                    results: new[]
+                    {
+                        new InvalidSignaturePackageVerificationResult(
+                            SignatureVerificationStatus.Invalid,
+                            new[]
+                            {
+                                SignatureLog.Issue(
+                                    fatal: true,
+                                    code: NuGetLogCode.NU3000,
+                                    message: "The package signature is invalid."),
+                            })
+                    });
+
+                // Act
+                var result = await _target.ValidateAsync(
+                    _packageKey,
+                    _packageMock.Object,
+                    _message,
+                    _cancellationToken);
+
+                // Assert
+                Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
+                Assert.Single(result.Issues);
+                var issue = Assert.IsType<ClientSigningVerificationFailure>(result.Issues[0]);
+                Assert.Equal("NU3000", issue.ClientCode);
+                Assert.Equal("The package signature is invalid.", issue.ClientMessage);
+            }
+
+            [Fact]
+            public async Task RejectsSignedPackagesWithKnownCertificatesButFailedFullVerifyResult()
             {
                 // Arrange
                 await ConfigureKnownSignedPackage(
                     TestResources.SignedPackageLeaf1Reader,
                     TestResources.Leaf1Thumbprint);
 
-                _verifyResult = new VerifySignaturesResult(valid: false);
+                _fullVerifyResult = new VerifySignaturesResult(valid: false);
 
                 // Act
                 var result = await _target.ValidateAsync(
@@ -177,14 +249,14 @@ await ConfigureKnownSignedPackage(
             }
 
             [Fact]
-            public async Task RejectsPackagesWithVerificationErrors()
+            public async Task RejectsPackagesWithFullVerificationErrors()
             {
                 // Arrange
                 await ConfigureKnownSignedPackage(
                     TestResources.SignedPackageLeaf1Reader,
                     TestResources.Leaf1Thumbprint);
 
-                _verifyResult = new VerifySignaturesResult(
+                _fullVerifyResult = new VerifySignaturesResult(
                     valid: false,
                     results: new[]
                     {