add docs for new NuGet warning NU3043 #3339

Merged
merged 14 commits into from
Sep 30, 2024
2 changes: 1 addition & 1 deletion docs/reference/Errors-and-Warnings.md
@@ -49,7 +49,7 @@ NuGet supports the following configuration properties.
| Package fallback warnings | [NU1701](./errors-and-warnings/NU1701.md), [NU1702](./errors-and-warnings/NU1702.md), [NU1703](./errors-and-warnings/NU1703.md)|
| Feed warnings | [NU1801](./errors-and-warnings/NU1801.md), [NU1802](./errors-and-warnings/NU1802.md), [NU1803](./errors-and-warnings/NU1803.md) |
| NuGet internal warnings | [NU1500](./errors-and-warnings/NU1500.md) |
| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md), [NU3042](./errors-and-warnings/NU3042.md) |
| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md), [NU3042](./errors-and-warnings/NU3042.md), [NU3043](./errors-and-warnings/NU3043.md)|
| Pack Warnings | [NU5100](./errors-and-warnings/NU5100.md), [NU5101](./errors-and-warnings/NU5101.md), [NU5102](./errors-and-warnings/NU5102.md), [NU5103](./errors-and-warnings/NU5103.md), [NU5104](./errors-and-warnings/NU5104.md), [NU5105](./errors-and-warnings/NU5105.md), [NU5106](./errors-and-warnings/NU5106.md), [NU5107](./errors-and-warnings/NU5107.md), [NU5108](./errors-and-warnings/NU5108.md), [NU5109](./errors-and-warnings/NU5109.md), [NU5110](./errors-and-warnings/NU5110.md), [NU5111](./errors-and-warnings/NU5111.md), [NU5112](./errors-and-warnings/NU5112.md), [NU5114](./errors-and-warnings/NU5114.md), [NU5115](./errors-and-warnings/NU5115.md), [NU5116](./errors-and-warnings/NU5116.md), [NU5117](./errors-and-warnings/NU5117.md), [NU5118](./errors-and-warnings/NU5118.md), [NU5119](./errors-and-warnings/NU5119.md), [NU5120](./errors-and-warnings/NU5120.md), [NU5121](./errors-and-warnings/NU5121.md), [NU5122](./errors-and-warnings/NU5122.md), [NU5123](./errors-and-warnings/NU5123.md), [NU5127](./errors-and-warnings/NU5127.md), [NU5128](./errors-and-warnings/NU5128.md), [NU5129](./errors-and-warnings/NU5129.md), [NU5130](./errors-and-warnings/NU5130.md), [NU5131](./errors-and-warnings/NU5131.md), [NU5133](./errors-and-warnings/NU5133.md), [NU5500](./errors-and-warnings/NU5500.md), [NU5501](./errors-and-warnings/NU5501.md)
| License specific Pack Warnings | [NU5124](./errors-and-warnings/NU5124.md), [NU5125](./errors-and-warnings/NU5125.md)
| Icon specific Pack Warnings | [NU5046](./errors-and-warnings/NU5046.md), [NU5047](./errors-and-warnings/NU5047.md), [NU5048](./errors-and-warnings/NU5048.md) |
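Review bot: the rewritten "Signed packages warnings" row drops the space before the closing pipe that the removed row had (`NU3042.md) |` became `NU3043.md)|`); keep the ` |` so the cell matches the other rows in the table. The new link itself, `[NU3043](./errors-and-warnings/NU3043.md)`, is consistent with the relative path convention used by every other entry and with the new file added in this PR.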
39 changes: 39 additions & 0 deletions docs/reference/errors-and-warnings/NU3043.md
@@ -0,0 +1,39 @@
---
title: NuGet Warning NU3043
description: NU3043 warning code
author: kartheekp-ms
ms.date: 09/11/2024
ms.topic: reference
f1_keywords:
- "NU3043"
---

# NuGet Warning NU3043

`dotnet nuget sign command` - Invalid value for `--certificate-fingerprint` option. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).

`NuGet.exe sign command` - Invalid value for `CertificateFingerprint` option. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).

> [!NOTE]
> This warning will be promoted to an error around the .NET 10 timeframe.
Member
opinionated: when I view the preview for this page, this note block, being such a contrasting colour from the rest of the page, really steals my attention. But I don't feel that "this will be an error in a future version" is important enough to warrant taking my attention away from other parts of the doc.

Funnily enough, the docs contribution guide says this: https://learn.microsoft.com/en-au/contribute/content/markdown-reference#alerts-note-tip-important-caution-warning

> Avoid notes, tips, and important boxes. Readers tend to skip over them. It's better to put that info directly into the article text.

So, I feel like it has the opposite problem, rather than skipping it, I find it hard to look away.

Contributor Author

Thanks for the feedback. I removed the NOTE block.

Member

I hope you've already had this conversation with other people, but since .NET 9 is a STS release, this means that a significant number of customers who only use LTS versions will upgrade directly from .NET 8 (no warning) to .NET 10 (apparently going to be an error), which means they won't have an opportunity to see the warning before it starts failing the operation.

This is even more impactful considering that customers might not actually test sign as soon as they upgrade to the .NET 10 SDK, similar to how we don't real-sign in builds other than the official build. At least something affecting restore will be encountered on the first restore after the upgrade. Honestly, I can imagine some pipelines might not sign until just before pushing packages, which might mean that the command will be a release blocker when there was "no" prior warning. It's entirely possible that customers will run sign in CI pipelines and never read the warning in the logs, but at least we'll be able to say that there was a warning in an LTS version of .NET that they could have seen if they read the logs.

So, it might be kinder to make this an error in .NET 11, rather than .NET 10.

Contributor Author (kartheekp-ms, Sep 24, 2024)

Great feedback. It makes sense to me. I will update the spec with this decision to promote this warning to an error around .NET 11 timeframe. https://github.com/NuGet/Client.Engineering/pull/3015

EDIT: Based on our internal conversation, we are leaning towards promoting the warning to an error in the .NET 10 timeframe. I have updated this PR again and closed the draft PR I created to update the spec.


## Solution

The certificate fingerprint value must be a SHA-256, SHA-384, or SHA-512 hash represented in hexadecimal format. Using a SHA-1 certificate fingerprint is considered invalid due to security concerns.

Customers can use the following PowerShell script to compute SHA-2 family hashes for certificates. To use the script, customers need to save the certificate to a local folder.
kartheekp-ms marked this conversation as resolved.
Show resolved Hide resolved

```ps1
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$stream = [System.IO.MemoryStream]::new($certificate.RawData)

Try
{
(Get-FileHash -Algorithm SHA256 $stream).Hash
}
Finally
{
$stream.Dispose()
$certificate.Dispose()
}
```
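Review bot: the PowerShell sample in the Solution section does not work as written. `Get-FileHash -Algorithm SHA256 $stream` binds the stream to the positional `-Path` parameter (it is stringified to `System.IO.MemoryStream`), so the call fails with a path-not-found error rather than hashing the certificate; the stream has to go to the named parameter: `(Get-FileHash -Algorithm SHA256 -InputStream $stream).Hash`. The script also never assigns `$certPath`, so a reader who pastes it as-is gets a null-argument failure from the `X509Certificate2` constructor; add a line such as `$certPath = 'C:\path\to\certificate.cer'` above it (a password-protected PFX would need the `(path, password)` overload). Two smaller points: the text says the script computes "SHA-2 family hashes" but only SHA256 is shown, so mention that `-Algorithm SHA384` or `SHA512` produces the other accepted fingerprint lengths, and "considered invalid due to security concerns" is vague where the actual reason is that SHA-1 is no longer collision resistant, which is what makes a SHA-1 fingerprint unsuitable for pinning a signing certificate. On PowerShell 7 (not Windows PowerShell 5.1) the whole stream dance can be replaced by `$certificate.GetCertHashString([System.Security.Cryptography.HashAlgorithmName]::SHA256)`, which may be worth showing as the shorter option.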