NuGet
diff --git a/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ProcessSignature/PackageSignatureValidator.cs‎
Lines changed: 33 additions & 7 deletions b/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ProcessSignature/PackageSignatureValidator.cs‎
Lines changed: 33 additions & 7 deletions
diff --git a/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ScanAndSign/IScanAndSignEnqueuer.cs‎
Lines changed: 9 additions & 1 deletion b/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ScanAndSign/IScanAndSignEnqueuer.cs‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ScanAndSign/ScanAndSignConfiguration.cs‎
Lines changed: 11 additions & 1 deletion b/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ScanAndSign/ScanAndSignConfiguration.cs‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ScanAndSign/ScanAndSignEnqueuer.cs‎
Lines changed: 42 additions & 5 deletions b/‎src/NuGet.Services.Validation.Orchestrator/PackageSigning/ScanAndSign/ScanAndSignEnqueuer.cs‎
Lines changed: 42 additions & 5 deletions
@@ -5,9 +5,11 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using NuGet.Jobs.Validation;
 using NuGet.Jobs.Validation.PackageSigning.Storage;
 using NuGet.Jobs.Validation.Storage;
+using NuGet.Services.Validation.Orchestrator.PackageSigning.ScanAndSign;
 using NuGet.Services.Validation.Orchestrator.Telemetry;
 
 namespace NuGet.Services.Validation.PackageSigning.ProcessSignature
@@ -22,13 +24,15 @@ public class PackageSignatureValidator : BaseSignatureProcessor, IValidator
         private readonly IValidatorStateService _validatorStateService;
         private readonly IProcessSignatureEnqueuer _signatureVerificationEnqueuer;
         private readonly ISimpleCloudBlobProvider _blobProvider;
+        private readonly ScanAndSignConfiguration _config;
         private readonly ITelemetryService _telemetryService;
         private readonly ILogger<PackageSignatureValidator> _logger;
 
         public PackageSignatureValidator(
             IValidatorStateService validatorStateService,
             IProcessSignatureEnqueuer signatureVerificationEnqueuer,
             ISimpleCloudBlobProvider blobProvider,
+            IOptionsSnapshot<ScanAndSignConfiguration> configAccessor,
             ITelemetryService telemetryService,
             ILogger<PackageSignatureValidator> logger)
           : base(validatorStateService, signatureVerificationEnqueuer, blobProvider, telemetryService, logger)
@@ -38,6 +42,13 @@ public PackageSignatureValidator(
             _blobProvider = blobProvider ?? throw new ArgumentNullException(nameof(blobProvider));
             _telemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+
+            if (configAccessor?.Value == null)
+            {
+                throw new ArgumentException($"{nameof(ScanAndSignConfiguration)} is required", nameof(configAccessor));
+            }
+
+            _config = configAccessor.Value;
         }
 
         /// <summary>
@@ -66,14 +77,29 @@ private IValidationResult Validate(IValidationResult result)
             /// All signature validation issues should be caught and handled by the processor.
             if (result.Status == ValidationStatus.Failed || result.NupkgUrl != null)
             {
-                _logger.LogCritical(
-                    "Unexpected validation result in package signature validator. This may be caused by an invalid repository " +
-                    "signature. Status = {ValidationStatus}, Nupkg URL = {NupkgUrl}, validation issues = {Issues}",
-                    result.Status,
-                    result.NupkgUrl,
-                    result.Issues.Select(i => i.IssueCode));
+                if (_config.RepositorySigningEnabled)
+                {
+                    _logger.LogCritical(
+                        "Unexpected validation result in package signature validator. This may be caused by an invalid repository " +
+                        "signature. Throwing an exception to force this validation to dead-letter. " +
+                        "Status = {ValidationStatus}, Nupkg URL = {NupkgUrl}, validation issues = {Issues}",
+                        result.Status,
+                        result.NupkgUrl,
+                        result.Issues.Select(i => i.IssueCode));
+
+                    throw new InvalidOperationException("Package signature validator has an unexpected validation result");
+                }
+                else
+                {
+                    _logger.LogInformation(
+                        "Ignoring invalid validation result in package signature validator as repository signing is disabled. " +
+                        "Status = {ValidationStatus}, Nupkg URL = {NupkgUrl}, validation issues = {Issues}",
+                        result.Status,
+                        result.NupkgUrl,
+                        result.Issues.Select(i => i.IssueCode));
 
-                throw new InvalidOperationException("Package signature validator has an unexpected validation result");
+                    return ValidationResult.Succeeded;
+                }
             }
 
             /// Suppress all validation issues. The <see cref="PackageSignatureProcessor"/> should
 
@@ -1,8 +1,8 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System.Collections.Generic;
 using System.Threading.Tasks;
-using NuGet.Jobs.Validation.ScanAndSign;
 
 namespace NuGet.Services.Validation.Orchestrator.PackageSigning.ScanAndSign
 {
@@ -13,5 +13,13 @@ public interface IScanAndSignEnqueuer
         /// </summary>
         /// <param name="request">Request data</param>
         Task EnqueueScanAsync(IValidationRequest request);
+
+        /// <summary>
+        /// Enqueues Scan And Sign operation.
+        /// </summary>
+        /// <param name="request">The requested package validation.</param>
+        /// <param name="v3ServiceIndexUrl">The service index URL that should be put on the package's repository signature.</param>
+        /// <param name="owners">The list of owners that should be put on the package's repository signature.</param>
+        Task EnqueueScanAndSignAsync(IValidationRequest request, string v3ServiceIndexUrl, List<string> owners);
     }
 }
@@ -20,8 +20,18 @@ public class ScanAndSignConfiguration
         public TimeSpan? MessageDelay { get; set; }
 
         /// <summary>
-        /// The criteria used to determine if a package should be submitted scanning.
+        /// The criteria used to determine whether a package should be scanned.
         /// </summary>
         public PackageCriteria PackageCriteria { get; set; } = new PackageCriteria();
+
+        /// <summary>
+        /// If true, packages with no repository signatures will be repository signed.
+        /// </summary>
+        public bool RepositorySigningEnabled { get; set; }
+
+        /// <summary>
+        /// The service index URL that should be stamped on repository signatures.
+        /// </summary>
+        public string V3ServiceIndexUrl { get; set; }
     }
 }
@@ -2,7 +2,9 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NuGet.Jobs.Validation.ScanAndSign;
 using NuGet.Services.ServiceBus;
@@ -14,14 +16,18 @@ public class ScanAndSignEnqueuer : IScanAndSignEnqueuer
         private readonly ITopicClient _topicClient;
         private readonly IBrokeredMessageSerializer<ScanAndSignMessage> _serializer;
         private readonly ScanAndSignConfiguration _configuration;
+        private readonly ILogger<IScanAndSignEnqueuer> _logger;
 
         public ScanAndSignEnqueuer(
             ITopicClient topicClient,
             IBrokeredMessageSerializer<ScanAndSignMessage> serializer,
-            IOptionsSnapshot<ScanAndSignConfiguration> configurationAccessor)
+            IOptionsSnapshot<ScanAndSignConfiguration> configurationAccessor,
+            ILogger<IScanAndSignEnqueuer> logger)
         {
             _topicClient = topicClient ?? throw new ArgumentNullException(nameof(topicClient));
             _serializer = serializer ?? throw new ArgumentNullException(nameof(serializer));
+            _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+
             if (configurationAccessor == null)
             {
                 throw new ArgumentNullException(nameof(configurationAccessor));
@@ -40,10 +46,41 @@ public Task EnqueueScanAsync(IValidationRequest request)
                 throw new ArgumentNullException(nameof(request));
             }
 
-            var message = new ScanAndSignMessage(
-                OperationRequestType.Scan,
-                request.ValidationId,
-                new Uri(request.NupkgUrl));
+            return SendScanAndSignMessageAsync(
+                new ScanAndSignMessage(
+                    OperationRequestType.Scan,
+                    request.ValidationId,
+                    new Uri(request.NupkgUrl)));
+        }
+
+        public Task EnqueueScanAndSignAsync(IValidationRequest request, string v3ServiceIndexUrl, List<string> owners)
+        {
+            if (request == null) throw new ArgumentNullException(nameof(request));
+            if (owners == null) throw new ArgumentNullException(nameof(owners));
+
+            if (string.IsNullOrEmpty(v3ServiceIndexUrl))
+            {
+                throw new ArgumentException("The service index URL parameter is required", nameof(v3ServiceIndexUrl));
+            }
+
+            _logger.LogInformation(
+                "Requested scan and sign for package {PackageId} {PackageVersion} using service index {ServiceIndex} and owners {Owners}",
+                request.PackageId,
+                request.PackageVersion,
+                v3ServiceIndexUrl,
+                owners);
+
+            return SendScanAndSignMessageAsync(
+                new ScanAndSignMessage(
+                    OperationRequestType.Sign,
+                    request.ValidationId,
+                    new Uri(request.NupkgUrl),
+                    v3ServiceIndexUrl,
+                    owners));
+        }
+
+        private Task SendScanAndSignMessageAsync(ScanAndSignMessage message)
+        {
             var brokeredMessage = _serializer.Serialize(message);
 
             var visibleAt = DateTimeOffset.UtcNow + (_configuration.MessageDelay ?? TimeSpan.Zero);