[DCR] Raise an error for SHA-1 fingerprints usage in NuGet.exe sign command #13962
Labels
Functionality:Signing
Priority:2 (Issues for the current backlog.)
Product:NuGet.exe
Type:DCR (Design Change Request)
NuGet Product(s) Affected
NuGet.exe
Current Behavior
The nuget.exe sign command accepts fingerprints from the SHA-2 family (SHA256, SHA384 or SHA512) and prefers them over SHA-1. If a SHA-1 fingerprint is passed, the command raises warning NU3043 indicating that SHA-1 is insecure, but still proceeds. This warning should eventually be escalated to an error around the .NET 10 timeframe to enforce stronger security standards.
Desired Behavior
The nuget.exe sign command should accept only fingerprints from the SHA-2 family (SHA256, SHA384 or SHA512). If a SHA-1 fingerprint is passed, the command should raise an error indicating that SHA-1 is insecure, ensuring that only strong, approved hash algorithms are used in NuGet sign commands.
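As an added illustration of the check the two behaviours above describe (example code written for this page, not NuGet's own implementation), the following Python classifies a certificate fingerprint by its hex length, models the current warn-and-continue path and the desired reject path, and shows how a SHA-2 fingerprint is derived from a certificate's DER bytes. The NU3043 message wording and the `sha1_is_error` switch are assumptions for the example; the DER input is a constructed stand-in, not a real certificate.

```python
import hashlib
import re
from typing import Optional, Tuple

# Hex length of a fingerprint -> the hash algorithm that produced it.
# A fingerprint is the hash of the certificate's DER encoding, so its
# length identifies the algorithm without any out-of-band metadata.
FINGERPRINT_ALGORITHMS = {40: "SHA-1", 64: "SHA256", 96: "SHA384", 128: "SHA512"}
ACCEPTED_ALGORITHMS = {"SHA256", "SHA384", "SHA512"}
HASHLIB_NAMES = {"SHA-1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


class FingerprintError(ValueError):
    """Raised when a fingerprint is malformed or uses a rejected algorithm."""


def normalize_fingerprint(fingerprint: str) -> str:
    """Strip the separators tools print (colons, spaces, dashes) and uppercase."""
    cleaned = re.sub(r"[:\s-]", "", fingerprint).upper()
    if not cleaned or not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise FingerprintError(f"fingerprint is not hexadecimal: {fingerprint!r}")
    return cleaned


def fingerprint_algorithm(fingerprint: str) -> str:
    """Identify the hash algorithm from the normalized fingerprint length."""
    cleaned = normalize_fingerprint(fingerprint)
    try:
        return FINGERPRINT_ALGORITHMS[len(cleaned)]
    except KeyError:
        raise FingerprintError(
            f"unrecognized fingerprint length {len(cleaned)} hex chars; "
            "expected 40 (SHA-1), 64 (SHA256), 96 (SHA384) or 128 (SHA512)"
        ) from None


def validate_fingerprint(fingerprint: str, sha1_is_error: bool) -> Tuple[str, Optional[str]]:
    """Return (normalized fingerprint, warning text or None).

    sha1_is_error=False models the current behaviour (NU3043 warning, but the
    fingerprint is still accepted); sha1_is_error=True models the desired
    behaviour, where a SHA-1 fingerprint is rejected outright.  The message
    wording is illustrative, not NuGet's actual NU3043 text.
    """
    cleaned = normalize_fingerprint(fingerprint)
    algorithm = fingerprint_algorithm(cleaned)
    if algorithm in ACCEPTED_ALGORITHMS:
        return cleaned, None
    message = ("NU3043: the certificate fingerprint uses SHA-1, which is insecure; "
               "use a SHA256, SHA384 or SHA512 fingerprint instead")
    if sha1_is_error:
        raise FingerprintError(message)
    return cleaned, message


def compute_fingerprint(der_bytes: bytes, algorithm: str = "SHA256") -> str:
    """Fingerprint of a DER-encoded certificate under the given algorithm."""
    if algorithm not in HASHLIB_NAMES:
        raise FingerprintError(f"unsupported fingerprint algorithm {algorithm!r}")
    return hashlib.new(HASHLIB_NAMES[algorithm], der_bytes).hexdigest().upper()


if __name__ == "__main__":
    # Constructed stand-in for a real DER-encoded certificate; any bytes will do
    # to show the mechanism, because the fingerprint is just a hash of them.
    fake_der = b"constructed stand-in for a DER certificate"
    for algorithm in ("SHA-1", "SHA256", "SHA384", "SHA512"):
        fp = compute_fingerprint(fake_der, algorithm)
        try:
            validate_fingerprint(fp, sha1_is_error=True)
            print(f"{algorithm}: accepted ({len(fp)} hex chars)")
        except FingerprintError as err:
            print(f"{algorithm}: rejected: {err}")
```

On Windows the value `compute_fingerprint` returns for a DER-encoded `.cer` file is the same one `Get-FileHash -Algorithm SHA256 <file>` or `certutil -hashfile <file> SHA256` prints, since both hash the file bytes. Note that the `Thumbprint` shown by the certificate store UI and by `Get-ChildItem Cert:\` is the SHA-1 value, which is exactly the form this change rejects, so it should not be pasted into `-CertificateFingerprint`.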
Additional Context
Related to #13891