[Package Signing] Verify the author signature independently of the repository signature (#467)

In this change:

* The process signature job now properly rejects untrusted author signing certificate when the package is repository countersigned
* Updates NuGet client dependencies
* Test improvements
  * Fixed several issues where responders were disposed more than intended
  * Properly wait for responder's responses to expire instead of sleeping by a second
  * Fixed several flaky tests (I think)

Fixes https://github.com/NuGet/Engineering/issues/1417

Author: loic-sharma

src/Validation.Common.Job/Validation.Common.Job.csproj

@@ -90,7 +90,7 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Packaging">
-      <Version>4.8.0-preview1.5195</Version>
+      <Version>4.8.0-preview4.5289</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
       <Version>2.25.0</Version>

src/Validation.Common.Job/Validation.Common.Job.nuspec

@@ -15,7 +15,7 @@
         <dependency id="Microsoft.ApplicationInsights" version="2.2.0" />
         <dependency id="Microsoft.Extensions.DependencyInjection" version="1.1.1" />
         <dependency id="Microsoft.Extensions.Options.ConfigurationExtensions" version="1.1.2" />
-        <dependency id="NuGet.Packaging" version="4.8.0-preview1.5195" />
+        <dependency id="NuGet.Packaging" version="4.8.0-preview4.5289" />
         <dependency id="NuGet.Services.Configuration" version="2.25.0" />
         <dependency id="NuGet.Services.Logging" version="2.25.0" />
         <dependency id="NuGet.Services.Sql" version="2.26.0-master-33196" />

src/Validation.PackageSigning.ProcessSignature/ISignatureFormatValidator.cs

@@ -19,13 +19,23 @@ Task<VerifySignaturesResult> ValidateMinimalAsync(
             ISignedPackageReader package,
             CancellationToken token);
 
+        /// <summary>
+        /// Run all validations on the package's author signature. This includes integrity and trust validations.
+        /// </summary>
+        /// <param name="package">The package whose author signature should be validated.</param>
+        /// <param name="token"></param>
+        /// <returns>The result of the author signature's verification.</returns>
+        Task<VerifySignaturesResult> ValidateAuthorSignatureAsync(
+            ISignedPackageReader package,
+            CancellationToken token);
+
         /// <summary>
         /// Run all validations on the package's repository signature. This includes integrity and trust validations.
         /// </summary>
         /// <param name="package">The package whose repository signature should be validated.</param>
         /// <param name="token"></param>
-        /// <returns>Whether the package's signature is readable.</returns>
-        Task<SignatureVerificationStatus> VerifyRepositorySignatureAsync(
+        /// <returns>The result of the repository signature's verification.</returns>
+        Task<VerifySignaturesResult> ValidateRepositorySignatureAsync(
             ISignedPackageReader package,
             CancellationToken token);
 
@@ -35,10 +45,10 @@ Task<SignatureVerificationStatus> VerifyRepositorySignatureAsync(
         /// <param name="package">The package to validate.</param>
         /// <param name="hasRepositorySignature">If false, skips the certificate allow list verification of the repository signature.</param>
         /// <param name="token"></param>
-        /// <returns>Whether the package's signature is valid.</returns>
-        Task<VerifySignaturesResult> ValidateFullAsync(
+        /// <returns>The result of the package's signature(s) verification.</returns>
+        Task<VerifySignaturesResult> ValidateAllSignaturesAsync(
             ISignedPackageReader package,
-            bool hasRepositorySignature,
+            bool hasRepositorySignature, // TODO: Remove parameter once this is fixed: https://github.com/NuGet/Home/issues/7042
             CancellationToken token);
     }
 }

src/Validation.PackageSigning.ProcessSignature/SignatureFormatValidator.cs

@@ -22,30 +22,32 @@ public class SignatureFormatValidator : ISignatureFormatValidator
             allowMultipleTimestamps: true,
             allowNoTimestamp: true,
             allowUnknownRevocation: true,
+            reportUnknownRevocation: false,
             allowNoRepositoryCertificateList: true,
             allowNoClientCertificateList: true,
-            alwaysVerifyCountersignature: false,
+            verificationTarget: VerificationTarget.All,
+            signaturePlacement: SignaturePlacement.PrimarySignature,
+            repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Never,
             repoAllowListEntries: null,
             clientAllowListEntries: null);
 
-        private static readonly IEnumerable<ISignatureVerificationProvider> _minimalProviders = new[]
+        private static readonly PackageSignatureVerifier _minimalVerifier = new PackageSignatureVerifier(new[]
         {
             new MinimalSignatureVerificationProvider(),
-        };
+        });
 
-        private static readonly IEnumerable<ISignatureVerificationProvider> _fullProviders = new ISignatureVerificationProvider[]
+        private static readonly PackageSignatureVerifier _fullVerifier = new PackageSignatureVerifier(new ISignatureVerificationProvider[]
         {
             new IntegrityVerificationProvider(),
             new SignatureTrustAndValidityVerificationProvider(),
             new AllowListVerificationProvider(),
-        };
+        });
 
         private readonly IOptionsSnapshot<ProcessSignatureConfiguration> _config;
         private readonly SignedPackageVerifierSettings _authorSignatureSettings;
+        private readonly SignedPackageVerifierSettings _repositorySignatureSettings;
         private readonly SignedPackageVerifierSettings _authorOrRepositorySignatureSettings;
 
-        private readonly RepositorySignatureVerifier _repositorySignatureVerifier;
-
         public SignatureFormatValidator(IOptionsSnapshot<ProcessSignatureConfiguration> config)
         {
             _config = config ?? throw new ArgumentNullException(nameof(config));
@@ -58,11 +60,14 @@ public SignatureFormatValidator(IOptionsSnapshot<ProcessSignatureConfiguration>
                 allowMultipleTimestamps: false,
                 allowNoTimestamp: false,
                 allowUnknownRevocation: true,
-                allowNoClientCertificateList: true,
-                alwaysVerifyCountersignature: true,
-                clientAllowListEntries: null,
+                reportUnknownRevocation: true,
                 allowNoRepositoryCertificateList: true,
-                repoAllowListEntries: null);
+                allowNoClientCertificateList: true,
+                verificationTarget: VerificationTarget.Author,
+                signaturePlacement: SignaturePlacement.PrimarySignature,
+                repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.Never,
+                repoAllowListEntries: null,
+                clientAllowListEntries: null);
 
             var repoAllowListEntries = _config
                 .Value
@@ -76,64 +81,81 @@ public SignatureFormatValidator(IOptionsSnapshot<ProcessSignatureConfiguration>
 
             repoAllowListEntries = repoAllowListEntries ?? new List<CertificateHashAllowListEntry>();
 
-            _authorOrRepositorySignatureSettings = new SignedPackageVerifierSettings(
+            _repositorySignatureSettings = new SignedPackageVerifierSettings(
                 allowUnsigned: _authorSignatureSettings.AllowUnsigned,
                 allowIllegal: _authorSignatureSettings.AllowIllegal,
                 allowUntrusted: _authorSignatureSettings.AllowUntrusted,
                 allowIgnoreTimestamp: _authorSignatureSettings.AllowIgnoreTimestamp,
                 allowMultipleTimestamps: _authorSignatureSettings.AllowMultipleTimestamps,
                 allowNoTimestamp: _authorSignatureSettings.AllowNoTimestamp,
                 allowUnknownRevocation: _authorSignatureSettings.AllowUnknownRevocation,
-                allowNoClientCertificateList: _authorSignatureSettings.AllowNoClientCertificateList,
-                alwaysVerifyCountersignature: _authorSignatureSettings.AlwaysVerifyCountersignature,
-                clientAllowListEntries: _authorSignatureSettings.ClientCertificateList,
+                reportUnknownRevocation: _authorSignatureSettings.ReportUnknownRevocation,
                 allowNoRepositoryCertificateList: false,
-                repoAllowListEntries: repoAllowListEntries);
+                allowNoClientCertificateList: _authorSignatureSettings.AllowNoClientCertificateList,
+                verificationTarget: VerificationTarget.Repository,
+                signaturePlacement: SignaturePlacement.Any,
+                repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists,
+                repoAllowListEntries: repoAllowListEntries,
+                clientAllowListEntries: _authorSignatureSettings.ClientCertificateList);
 
-            _repositorySignatureVerifier = new RepositorySignatureVerifier();
+            _authorOrRepositorySignatureSettings = new SignedPackageVerifierSettings(
+                allowUnsigned: _authorSignatureSettings.AllowUnsigned,
+                allowIllegal: _authorSignatureSettings.AllowIllegal,
+                allowUntrusted: _authorSignatureSettings.AllowUntrusted,
+                allowIgnoreTimestamp: _authorSignatureSettings.AllowIgnoreTimestamp,
+                allowMultipleTimestamps: _authorSignatureSettings.AllowMultipleTimestamps,
+                allowNoTimestamp: _authorSignatureSettings.AllowNoTimestamp,
+                allowUnknownRevocation: _authorSignatureSettings.AllowUnknownRevocation,
+                reportUnknownRevocation: _authorSignatureSettings.ReportUnknownRevocation,
+                allowNoRepositoryCertificateList: false,
+                allowNoClientCertificateList: _authorSignatureSettings.AllowNoClientCertificateList,
+                verificationTarget: VerificationTarget.All,
+                signaturePlacement: SignaturePlacement.Any,
+                repositoryCountersignatureVerificationBehavior: SignatureVerificationBehavior.IfExists,
+                repoAllowListEntries: repoAllowListEntries,
+                clientAllowListEntries: _authorSignatureSettings.ClientCertificateList);
         }
 
         public async Task<VerifySignaturesResult> ValidateMinimalAsync(
             ISignedPackageReader package,
             CancellationToken token)
         {
-            return await VerifyAsync(
+            return await _minimalVerifier.VerifySignaturesAsync(
                 package,
-                _minimalProviders,
                 _minimalSettings,
                 token);
         }
 
-        public async Task<VerifySignaturesResult> ValidateFullAsync(
+        public async Task<VerifySignaturesResult> ValidateAuthorSignatureAsync(
             ISignedPackageReader package,
-            bool hasRepositorySignature,
             CancellationToken token)
         {
-            var settings = hasRepositorySignature ? _authorOrRepositorySignatureSettings : _authorSignatureSettings;
-
-            return await VerifyAsync(
+            return await _fullVerifier.VerifySignaturesAsync(
                 package,
-                _fullProviders,
-                settings,
+                _authorSignatureSettings,
                 token);
         }
 
-        public async Task<SignatureVerificationStatus> VerifyRepositorySignatureAsync(
+        public async Task<VerifySignaturesResult> ValidateRepositorySignatureAsync(
             ISignedPackageReader package,
             CancellationToken token)
         {
-            return await _repositorySignatureVerifier.VerifyAsync(package, token);
+            return await _fullVerifier.VerifySignaturesAsync(
+                package,
+                _repositorySignatureSettings,
+                token);
         }
 
-        private static async Task<VerifySignaturesResult> VerifyAsync(
+        public async Task<VerifySignaturesResult> ValidateAllSignaturesAsync(
             ISignedPackageReader package,
-            IEnumerable<ISignatureVerificationProvider> verificationProviders,
-            SignedPackageVerifierSettings settings,
+            bool hasRepositorySignature,
             CancellationToken token)
         {
-            var verifier = new PackageSignatureVerifier(verificationProviders);
+            // TODO - Use only the "authorOrRepositorySignatureSettings" once this issue is fixed:
+            // https://github.com/NuGet/Home/issues/7042
+            var settings = hasRepositorySignature ? _authorOrRepositorySignatureSettings : _authorSignatureSettings;
 
-            return await verifier.VerifySignaturesAsync(
+            return await _fullVerifier.VerifySignaturesAsync(
                 package,
                 settings,
                 token);