CI Build Failed & NuGet Certificate Error about flexlabs.upsert HOT 10 CLOSED

I'm currently in the process of getting a new Code Signing cert, since my old registrar is going under :)

Strange that it doesn't let you install published packages though - that should work fine, since the assemblies and the nuget package were timestamped as well..

Could you try again, and if it still doesn't work let me know what OS you're running and how you're adding the package? (Visual Studio, dotnet cli, powershell command?)

from flexlabs.upsert.

Thank for the fast response. It failed yesterday when trying to install the package using the nuget package manager tool window in jetbrains rider.

Tried again today and it works *confused*. OS is windows.

So this can be closed from my side.

from flexlabs.upsert.

@artiomchi : Still having an issue using the latest version of the nuget package.
When running a verify returns the "Package signature validation failed" error.
Are you able to fix this issue ? Since we are unable to fire of a build atm :-(

nuget verify -Signatures flexlabs.entityframeworkcore.upsert.2.0.6.nupkg

Signature Hash Algorithm: SHA256
Timestamp: 6/02/2019 23:24:20

Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=DigiCert SHA2 Timestamp Responder, O=DigiCert, C=US
  SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB
  SHA256 hash: FC834D5BFFDE31DBA5B79BF95F573F7953BCBF9156E8525163E828EB92EA8A93
  Issued by: CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 4/01/2017 1:00:00 to 18/01/2028 1:00:00

Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=Artiom Chilaru, O=Artiom Chilaru, L=London, S=Greater London, C=GB
  SHA1 hash: 29E030AFC02228F749C2B2EA5C0F8C57717E07C2
  SHA256 hash: 564A2856BED58B34167301C670E6FDAC14BA590B2765FA293646CA5CBEDA8667
  Issued by: CN=StartCom Class 2 Object CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL
  Valid from: 20/02/2017 11:12:45 to 20/02/2019 11:12:45

NU3012: The author primary signature found a chain building issue: The certificate was explicitly marked as untrusted by the user.
NU3012: The author primary signature found a chain building issue: The certificate is revoked.
Timestamp: 6/02/2019 23:26:11

Verifying repository countersignature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
  SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 23/12/2017 1:00:00 to 23/03/2029 0:59:59

Signature type: Repository
nuget-v3-service-index-url: https://api.nuget.org/v3/index.json
nuget-package-owners: ArtiomChi
Verifying the repository countersignature with certificate:
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 10/04/2018 2:00:00 to 14/04/2021 14:00:00

Finished with 2 errors and 0 warnings.

Package signature validation failed.

from flexlabs.upsert.

Daamn, this is getting worse!
I didn't expect the root StartSSL cert to be revoked!!!

I'm currently in the middle of the process of obtaining a new code signing cert. This might take another 48 hours, so I'll deploy an unsigned copy to MyGet for the time being, so there's at least one version that's.. usable, until I get a new cert sorted out!

from flexlabs.upsert.

@artiomchi Just want to say I appreciate all the hard work and the money you've spent on maintaining this project. It means a lot to all of us.

from flexlabs.upsert.

Is this a public myget-feed you are talking about ?
Hope your certificate arrives the next 2 days ;)

I was always under the impression that nuget packages were immutable. Weird that a given version can break ?

from flexlabs.upsert.

@bartdk-be I'm not sure if there's a public MyGet feed - I'm publishing into my own. I've got the details on how to get the packages from there on the wiki page: https://github.com/artiomchi/FlexLabs.Upsert/wiki/CI-Builds

Yeah, this has been quite stressful, since we used the same certificate authority at my employer, and we had the same issues.

You're right that the NuGet packages are immutable - but in this case the certificate that I used to sign this package is issued by a not very trustworthy provider. Their parent (root, actually) certificate was revoked, which makes all packages signed by anyone who got a certificate from them invalid.

The solution here is to get a new code signing certificate and release a new build with a version bump.
I'll do that as soon as I have my hands on the new certificate :)

from flexlabs.upsert.

Hey all!

The bad news is that I can not sign the assemblies as part of the automated build.. This will make releasing deployments a bit more cumbersome, but still manageable..
I'll do some research if I can still make it work on the build server, but this is more of a ease of use for me, and won't affect anyone using the library :)

The good news is that I just got the new cert released, and pushed a new build of the library to NuGet, signed by the new cert!
Version 2.0.7 has just gone live, and just passed validation, and should be available in the search once their search cache updates!

I'm quite confident that this should solve all the issue, but it would be good if you could confirm that it works on your side as well.

from flexlabs.upsert.

@artiomchi : We did an upgrade this morning and all seems to be working fine again.
Thanks for the quick fix ! Keep up the good work :)

from flexlabs.upsert.

Since nobody reported any issues since the last comment, I'll be closing this issue.

from flexlabs.upsert.