NuGet
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/PackageSignatureVerifierFactory.cs‎
Lines changed: 8 additions & 2 deletions b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/PackageSignatureVerifierFactory.cs‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs‎
Lines changed: 2 additions & 4 deletions b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj‎
Lines changed: 1 addition & 1 deletion b/‎src/Validation.PackageSigning.ExtractAndValidateSignature/Validation.PackageSigning.ExtractAndValidateSignature.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/SignatureValidatorIntegrationTests.cs‎
Lines changed: 31 additions & 17 deletions b/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/SignatureValidatorIntegrationTests.cs‎
Lines changed: 31 additions & 17 deletions
diff --git a/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/Support/CertificateIntegrationTestCollection.cs‎
Lines changed: 13 additions & 0 deletions b/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/Support/CertificateIntegrationTestCollection.cs‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/Support/CertificateIntegrationTestFixture.cs‎
Lines changed: 178 additions & 0 deletions b/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/Support/CertificateIntegrationTestFixture.cs‎
Lines changed: 178 additions & 0 deletions
diff --git a/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/Support/ChainCertificateRequest.cs‎
Lines changed: 0 additions & 26 deletions b/‎tests/Validation.PackageSigning.ExtractAndValidateSignature.Tests/Support/ChainCertificateRequest.cs‎
Lines changed: 0 additions & 26 deletions
@@ -38,12 +38,18 @@ public static IPackageSignatureVerifier CreateMinimal()
         /// </summary>
         public static IPackageSignatureVerifier CreateFull()
         {
-            var verificationProviders = new[]
+            var verificationProviders = new ISignatureVerificationProvider[]
             {
                 new IntegrityVerificationProvider(),
+                new SignatureTrustAndValidityVerificationProvider(),
             };
 
-            var settings = SignedPackageVerifierSettings.VerifyCommandDefaultPolicy;
+            var settings = new SignedPackageVerifierSettings(
+                allowUnsigned: false,
+                allowUntrusted: false,
+                allowIgnoreTimestamp: false,
+                failWithMultipleTimestamps: true,
+                allowNoTimestamp: false);
 
             return new PackageSignatureVerifier(
                 verificationProviders,
 
@@ -130,10 +130,8 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
                     .SignerInfo
                     .CounterSignerInfos
                     .Cast<SignerInfo>()
-                    .Select(x => x.SignedAttributes.FirstOrDefault(Oids.CommitmentTypeIndication))
-                    .Where(x => x != null)
-                    .Select(x => AttributeUtility.GetCommitmentTypeIndication(x))
-                    .Count(x => x != SignatureType.Unknown);
+                    .Select(x => AttributeUtility.GetSignatureType(x.SignedAttributes))
+                    .Count(signatureType => signatureType != SignatureType.Unknown);
                 if (authorOrRepositoryCounterSignatureCount > 0)
                 {
                     _logger.LogInformation(
 
@@ -106,7 +106,7 @@
       <Version>1.1.2</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Packaging">
-      <Version>4.6.0-rtm-4822</Version>
+      <Version>4.7.0-preview1-4853</Version>
     </PackageReference>
     <PackageReference Include="NuGet.Services.Configuration">
       <Version>2.10.0</Version>
 
@@ -21,14 +21,18 @@
 using NuGet.Services.Validation;
 using NuGet.Services.Validation.Issues;
 using NuGetGallery;
+using Test.Utility.Signing;
 using Xunit;
 using Xunit.Abstractions;
 using NuGetHashAlgorithmName = NuGet.Common.HashAlgorithmName;
 
 namespace Validation.PackageSigning.ExtractAndValidateSignature.Tests
 {
+    [Collection(CertificateIntegrationTestCollection.Name)]
     public class SignatureValidatorIntegrationTests : IDisposable
     {
+        private readonly CertificateIntegrationTestFixture _fixture;
+        private readonly ITestOutputHelper _output;
         private readonly Mock<IPackageSigningStateService> _packageSigningStateService;
         private readonly Mock<ISignaturePartsExtractor> _signaturePartsExtractor;
         private readonly Mock<IEntityRepository<Certificate>> _certificates;
@@ -42,8 +46,11 @@ public class SignatureValidatorIntegrationTests : IDisposable
         private readonly CancellationToken _token;
         private readonly SignatureValidator _target;
 
-        public SignatureValidatorIntegrationTests(ITestOutputHelper output)
+        public SignatureValidatorIntegrationTests(CertificateIntegrationTestFixture fixture, ITestOutputHelper output)
         {
+            _fixture = fixture ?? throw new ArgumentNullException(nameof(fixture));
+            _output = output ?? throw new ArgumentNullException(nameof(output));
+
             // These dependencies have their own dependencies on the database or blob storage, which don't have good
             // integration test infrastructure in the jobs yet. Therefore, we'll mock them for now.
             _packageSigningStateService = new Mock<IPackageSigningStateService>();
@@ -83,14 +90,23 @@ public SignatureValidatorIntegrationTests(ITestOutputHelper output)
                 _logger);
         }
 
-        [Theory]
-        [InlineData(TestResources.SignedPackageLeaf1, TestResources.Leaf1Thumbprint)]
-        [InlineData(TestResources.SignedPackageLeaf2, TestResources.Leaf2Thumbprint)]
-        public async Task SuccessfullyValidatesLeaves(string resourceName, string thumbprint)
+        public async Task<SignedPackageArchive> GetSignedPackage1Async()
+        {
+            AllowCertificateThumbprint(_fixture.LeafCertificate1Thumbprint);
+            return await _fixture.GetSignedPackage1Async(_output);
+        }
+
+        public async Task<MemoryStream> GetSignedPackageStream1Async()
+        {
+            AllowCertificateThumbprint(_fixture.LeafCertificate1Thumbprint);
+            return await _fixture.GetSignedPackageStream1Async(_output);
+        }
+
+        [Fact]
+        public async Task AcceptsValidSignedPackage()
         {
             // Arrange
-            _package = TestResources.LoadPackage(resourceName);
-            AllowCertificateThumbprint(thumbprint);
+            _package = await GetSignedPackage1Async();
 
             // Act
             var result = await _target.ValidateAsync(
@@ -108,8 +124,7 @@ public async Task SuccessfullyValidatesLeaves(string resourceName, string thumbp
         public async Task RejectsPackageWithAddedFile()
         {
             // Arrange
-            AllowCertificateThumbprint(TestResources.Leaf1Thumbprint);
-            var packageStream = TestResources.GetResourceStream(TestResources.SignedPackageLeaf1);
+            var packageStream = await GetSignedPackageStream1Async();
 
             try
             {
@@ -144,8 +159,7 @@ public async Task RejectsPackageWithAddedFile()
         public async Task RejectsPackageWithModifiedFile()
         {
             // Arrange
-            AllowCertificateThumbprint(TestResources.Leaf1Thumbprint);
-            var packageStream = TestResources.GetResourceStream(TestResources.SignedPackageLeaf1);
+            var packageStream = await GetSignedPackageStream1Async();
 
             try
             {
@@ -238,9 +252,9 @@ public async Task RejectsMultipleSignatures()
         public async Task RejectsAuthorAndRepositoryCounterSignatures(SignatureType counterSignatureType)
         {
             // Arrange
-            AllowCertificateThumbprint(TestResources.Leaf1Thumbprint);
+            var packageStream = await GetSignedPackageStream1Async();
             ModifySignatureContent(
-                TestResources.GetResourceStream(TestResources.SignedPackageLeaf1),
+                packageStream,
                 configuredSignedCms: signedCms =>
                 {
                     using (var counterCertificate = SigningTestUtility.GenerateCertificate(subjectName: null, modifyGenerator: null))
@@ -273,9 +287,9 @@ public async Task RejectsAuthorAndRepositoryCounterSignatures(SignatureType coun
         public async Task RejectsMutuallyExclusiveCounterSignaturesCommitmentTypes(SignatureType[] counterSignatureTypes)
         {
             // Arrange
-            AllowCertificateThumbprint(TestResources.Leaf1Thumbprint);
+            var packageStream = await GetSignedPackageStream1Async();
             ModifySignatureContent(
-                TestResources.GetResourceStream(TestResources.SignedPackageLeaf1),
+                packageStream,
                 configuredSignedCms: signedCms =>
                 {
                     using (var counterCertificate = SigningTestUtility.GenerateCertificate(subjectName: null, modifyGenerator: null))
@@ -314,9 +328,9 @@ public async Task RejectsMutuallyExclusiveCounterSignaturesCommitmentTypes(Signa
         public async Task AllowsNonAuthorAndRepositoryCounterSignatures(string commitmentTypeOidBase64)
         {
             // Arrange
-            AllowCertificateThumbprint(TestResources.Leaf1Thumbprint);
+            var packageStream = await GetSignedPackageStream1Async();
             ModifySignatureContent(
-                TestResources.GetResourceStream(TestResources.SignedPackageLeaf1),
+                packageStream,
                 configuredSignedCms: signedCms =>
                 {
                     using (var counterCertificate = SigningTestUtility.GenerateCertificate(subjectName: null, modifyGenerator: null))
 
@@ -0,0 +1,13 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Xunit;
+
+namespace Validation.PackageSigning.ExtractAndValidateSignature.Tests
+{
+    [CollectionDefinition(Name)]
+    public class CertificateIntegrationTestCollection : ICollectionFixture<CertificateIntegrationTestFixture>
+    {
+        public const string Name = "Certificate integration test collection";
+    }
+}
@@ -0,0 +1,178 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Principal;
+using System.Threading;
+using System.Threading.Tasks;
+using NuGet.Common;
+using NuGet.Packaging.Signing;
+using NuGet.Test.Utility;
+using Test.Utility.Signing;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Validation.PackageSigning.ExtractAndValidateSignature.Tests
+{
+    /// <summary>
+    /// This test fixture trusts the root certificate of checked in signed packages. This handles adding and removing
+    /// the root certificate from the local machine trusted roots. Any tests with this fixture require admin elevation.
+    /// </summary>
+    public class CertificateIntegrationTestFixture : IDisposable
+    {
+        private static readonly string _testTimestampServer = Environment.GetEnvironmentVariable("TIMESTAMP_SERVER_URL");
+
+        private readonly SemaphoreSlim _lock = new SemaphoreSlim(1);
+        private byte[] _signedPackageBytes1;
+
+        public CertificateIntegrationTestFixture()
+        {
+            Assert.True(
+                IsAdministrator(),
+                "This test must be executing with administrator privileges since it installs a trusted root.");
+
+            LeafCertificate1 = TestCertificate
+                .Generate(SigningTestUtility.CertificateModificationGeneratorForCodeSigningEkuCert)
+                .WithPrivateKeyAndTrust(StoreName.Root, StoreLocation.LocalMachine);
+            LeafCertificate1Thumbprint = LeafCertificate1.TrustedCert.ComputeSHA256Thumbprint();
+        }
+
+        public TrustedTestCert<TestCertificate> LeafCertificate1 { get; }
+        public string LeafCertificate1Thumbprint { get; }
+        public Task<SignedPackageArchive> GetSignedPackage1Async(ITestOutputHelper output) => GetSignedPackageAsync(
+            new Reference<byte[]>(
+                () => _signedPackageBytes1,
+                x => _signedPackageBytes1 = x),
+            TestResources.SignedPackageLeaf1,
+            LeafCertificate1,
+            output);
+        public Task<MemoryStream> GetSignedPackageStream1Async(ITestOutputHelper output) => GetSignedPackageStreamAsync(
+            new Reference<byte[]>(
+                () => _signedPackageBytes1,
+                x => _signedPackageBytes1 = x),
+            TestResources.SignedPackageLeaf1,
+            LeafCertificate1,
+            output);
+        
+        public void Dispose()
+        {
+            LeafCertificate1?.Dispose();
+        }
+
+        /// <summary>
+        /// Source: https://stackoverflow.com/a/11660205
+        /// </summary>
+        private static bool IsAdministrator()
+        {
+            var identity = WindowsIdentity.GetCurrent();
+            var principal = new WindowsPrincipal(identity);
+            return principal.IsInRole(WindowsBuiltInRole.Administrator);
+        }
+
+        private async Task<MemoryStream> GetSignedPackageStreamAsync(
+            Reference<byte[]> reference,
+            string resourceName,
+            TrustedTestCert<TestCertificate> certificate,
+            ITestOutputHelper output)
+        {
+            await _lock.WaitAsync();
+            try
+            {
+                if (reference.Value == null)
+                {
+                    reference.Value = await GenerateSignedPackageBytesAsync(
+                        resourceName,
+                        certificate,
+                        output);
+                }
+
+                var memoryStream = new MemoryStream();
+                memoryStream.Write(reference.Value, 0, reference.Value.Length);
+                return memoryStream;
+            }
+            finally
+            {
+                _lock.Release();
+            }
+        }
+
+        private async Task<SignedPackageArchive> GetSignedPackageAsync(
+            Reference<byte[]> reference,
+            string resourceName,
+            TrustedTestCert<TestCertificate> certificate,
+            ITestOutputHelper output)
+        {
+            return new SignedPackageArchive(
+                await GetSignedPackageStreamAsync(reference, resourceName, certificate, output),
+                new MemoryStream());
+        }
+        
+        private static async Task<byte[]> GenerateSignedPackageBytesAsync(string resourceName, TrustedTestCert<TestCertificate> certificate, ITestOutputHelper output)
+        {
+            var testLogger = new TestLogger(output);
+            var timestampProvider = new Rfc3161TimestampProvider(new Uri(_testTimestampServer));
+            var signatureProvider = new X509SignatureProvider(timestampProvider);
+
+            var unsignedBytes = await OperateOnSignerAsync(
+                TestResources.GetResourceStream(resourceName),
+                signatureProvider,
+                x => x.RemoveSignaturesAsync(testLogger, CancellationToken.None));
+
+            var signedBytes = await OperateOnSignerAsync(
+                new MemoryStream(unsignedBytes),
+                signatureProvider,
+                x =>
+                {
+                    var request = new SignPackageRequest(certificate.TrustedCert, HashAlgorithmName.SHA256);
+                    return x.SignAsync(request, testLogger, CancellationToken.None);
+                });
+
+            return signedBytes;
+        }
+
+        private static async Task<byte[]> OperateOnSignerAsync(
+            Stream packageReadStream,
+            X509SignatureProvider signatureProvider,
+            Func<Signer, Task> executeAsync)
+        {
+            using (packageReadStream)
+            using (var packageWriteStream = new MemoryStream())
+            {
+                packageReadStream.CopyTo(packageWriteStream);
+
+                using (var signedPackage = new SignedPackageArchive(packageReadStream, packageWriteStream))
+                {
+                    var signer = new Signer(signedPackage, signatureProvider);
+
+                    await executeAsync(signer);
+
+                    return packageWriteStream.ToArray();
+                }
+            }
+        }
+
+        /// <summary>
+        /// This is a workaround for the lack of <code>ref</code> parameters in <code>async</code> methods.
+        /// </summary>
+        /// <typeparam name="T">The type of the reference.</typeparam>
+        private class Reference<T>
+        {
+            private readonly Func<T> _getValue;
+            private readonly Action<T> _setValue;
+
+            public Reference(Func<T> getValue, Action<T> setValue)
+            {
+                _getValue = getValue;
+                _setValue = setValue;
+            }
+
+            public T Value
+            {
+                get => _getValue();
+                set => _setValue(value);
+            }
+        }
+    }
+}