Symbol package snupkg isn't getting pushed when the package is signed with valid certificate. #12992

Open
@moh-hassan

Description

NuGet Product Used

dotnet.exe

Product Version

nuget.exe

Worked before?

non signed package with non signed symbol is pushed fine.

Impact

It bothers me. A fix would be nice

Repro Steps & Context

I upload a signed NuGet package with a valid certificate in AppVeyor as:

- provider: NuGet
  api_key: 
    secret: aaaabbbbbb

The nupkg package is pushed successfully but the symbol snupkg failed with a message:

Error publishing package. NuGet server returned 400: Invalid file found in the uploaded package. 
Symbols packages should only contain '.pdb' files.

I tried to push the symbol with the dotnet nuget command, using this script:

set key=aaaaabbbbb
set source=https://api.nuget.org/v3/index.json
dotnet nuget push mypackage.6.2.1.snupkg -k %key%  -s %source%  

and get the same error:

Pushing mypackage.6.2.1.snupkg to 'https://www.nuget.org/api/v2/symbolpackage'...
  PUT https://www.nuget.org/api/v2/symbolpackage/
  BadRequest https://www.nuget.org/api/v2/symbolpackage/ 1514ms
error: Response status code does not indicate success: 400 (Invalid file found in the uploaded package. 
Symbols packages should only contain '.pdb' files.).

On the MyGet server, I can push the signed package and the signed symbol without error.

What did I miss to push the signed symbol package?

Verbose Logs

No response

Activity

jebriede commented on Nov 9, 2023

Contributor

@moh-hassan thanks for reporting the issue. Certificates should not play a role in publishing. NuGet Client does not validate certificates when pushing.

It looks like you're getting different validation behavior when pushing your snupkg to appveyor, nuget.org, and MyGet, but this behavior is implemented by the respective servers, and is not controlled or enforced on the Client side.

Given the nuget.org reported behavior, it is possible that your snupkg includes files other than pdb files. Please ensure that your snupkg follows the structure outlined in the official documentation: https://learn.microsoft.com/en-us/nuget/create-packages/symbol-packages-snupkg#symbol-package-structure.

How are you creating the snupkg? Could you please inspect the contents of the snupkg and verify if all the files contained within are pdb files? Please let us know.

moh-hassan commented on Nov 10, 2023

Author

Thanks @jebriede for the reply.
The package is signed by SignPath.
It includes an extra file named AppVeyorSettings.json. It is a JSON file that represents the AppVeyor CI environment at the moment of building, and it is (from the SignPath docs):

a CI integrations with origin verification.
Origin verification ensures that a signed artifact is the result of building a specific source code version.

AppVeyorSettings.json is included in all signed packages, and they are pushed without problem (except the snupkg symbol package).
It means that the snupkg includes pdb files and matches the docs, plus one extra file, 'AppVeyorSettings.json'.

I can push the unsigned snupkg without problem by command (I did).

It would be nice if pushing a snupkg allowed the inclusion of files such as AppVeyorSettings.json in the signed snupkg.
If you agree, you can change the label to Feature Request.
Let me know if there is a technical constraint on including AppVeyorSettings.json, so I can avoid signing the snupkg and use it as is with the signed nupkg.
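
A pre-push check for the rejection discussed above, as an added example that is not part of the thread and not NuGet's or SignPath's own code: it lists the entries of a snupkg that are not `.pdb` files. The allow-list of packaging-metadata extensions, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Only '.pdb' comes from the server's error message. The packaging-metadata
# extensions below are an assumption about what a feed tolerates; adjust them
# to the rules of the feed you push to.
PDB_EXTENSION = ".pdb"
ASSUMED_METADATA_EXTENSIONS = {".nuspec", ".xml", ".rels", ".psmdcp", ".p7s"}


def entry_extension(entry_name):
    """Lower-cased extension of a zip entry; '.rels' counts as an extension."""
    base = entry_name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def unexpected_entries(snupkg):
    """Return entries that are neither .pdb files nor assumed metadata."""
    allowed = {PDB_EXTENSION} | ASSUMED_METADATA_EXTENSIONS
    with zipfile.ZipFile(snupkg) as archive:
        return sorted(
            info.filename
            for info in archive.infolist()
            if not info.is_dir() and entry_extension(info.filename) not in allowed
        )


def build_sample_snupkg(extra_files=()):
    """Constructed sample: an in-memory archive shaped like a symbols package."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("_rels/.rels", "<Relationships/>")
        archive.writestr("mypackage.nuspec", "<package/>")
        archive.writestr("lib/net6.0/mypackage.pdb", b"constructed pdb bytes")
        for name in extra_files:
            archive.writestr(name, "{}")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    # The second archive mimics a snupkg that picked up a CI settings file.
    print("clean:", unexpected_entries(build_sample_snupkg()))
    print("with extra file:",
          unexpected_entries(build_sample_snupkg(["AppVeyorSettings.json"])))
```

`unexpected_entries` also accepts a path to a real `.snupkg` on disk, so it can run as a CI step before the push.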

added WaitingForClientTeam (Customer replied, needs attention from client team. Do not apply this label manually.) on Nov 13, 2023

nkolev92 commented on Nov 20, 2023

Member

cc @JonDouglas @albarry4
cc @mariaghiondea @aortiz-msft

Any changes here would require coordination across both products.

Symbol package snupkg isn't getting pushed when the package is signed with valid certificate. · Issue #12992 · NuGet/Home