Update security.md
josephdecock authored Aug 1, 2024
1 parent e0e7d81 commit 2ce3008
Showing 1 changed file with 2 additions and 12 deletions.
14 changes: 2 additions & 12 deletions IdentityServer/v7/docs/content/overview/security.md
Expand Up @@ -73,23 +73,13 @@ that in many circumstances, the NuGet tools can validate our packages' signature
automatically.

However, some environments (notably the dotnet sdk docker image which is
sometimes used in
build pipelines) do not trust the Sectigo certificate. Typically this isn't a problem,
because NuGet packages distributed by nuget.org are signed by nuget.org as the repository
in addition to Duende's signature as the publisher. nuget.org's certificate is signed by a
different authority that most build pipelines do trust. The NuGet tools will validate
packages if they trust either the publisher or the repository.

In the rare circumstance that we distribute a NuGet package not through nuget.org (and
therefore without a nuget.org repository signature), it might be necessary to add the
sometimes used in build pipelines) do not trust the Sectigo certificate. In that case, it might be necessary to add the
Sectigo root certificate to NuGet's code signing certificate bundle. Sectigo's root
certificate is available from Sectigo
[here](http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c).

#### Trusting the Sectigo certificate
Here is an example of how to configure NuGet to validate a package signed by Duende but
not signed by nuget.org in the docker dotnet sdk image - an environment that does not
trust Sectigo by default.
Here is an example of how to configure NuGet to trust the Sectigo root CA on the dotnet sdk docker image.

First, get the Sectigo certificate and convert it to PEM format:
```sh
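Review bot: the new paragraph (the added line beginning "sometimes used in build pipelines) do not trust the Sectigo certificate. In that case, it might be necessary to add the") drops the qualification that the deleted lines carried: that packages distributed by nuget.org also carry a nuget.org repository signature issued under a CA these environments do trust, that NuGet accepts a package when it trusts either the publisher or the repository, and that adding the Sectigo root is therefore only needed for the rare package not distributed through nuget.org. As rewritten, a reader using the dotnet sdk docker image will conclude that every Duende package install requires adding a trust anchor, which is a heavier and more security-relevant step than the situation calls for. Unless that rationale is no longer accurate, keep one sentence of it, e.g. "Packages installed from nuget.org carry a repository signature that these environments do trust, so this step is only needed for packages obtained from elsewhere." Separately, since this paragraph is being reworked, the retained link `[here](http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c)` fetches the root certificate over plain http; because the following steps add that file to NuGet's code signing bundle as a new trust anchor, the doc should link the https URL or tell readers to verify the downloaded certificate's fingerprint against the value Sectigo publishes before trusting it.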

0 comments on commit 2ce3008