Enable signature verification on Linux CI machines

NuGet · Jan 10, 2023 · 6e190a4 · 6e190a4
1 parent 9a60318
commit 6e190a4
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 4 deletions.
diff --git a/eng/pipelines/templates/pipeline.yml b/eng/pipelines/templates/pipeline.yml
@@ -182,6 +182,7 @@ stages:
       MSBUILDDISABLENODEREUSE: 1
       # Set MSBuildEnableWorkloadResolver to work around https://github.com/dotnet/sdk/issues/17461
       MSBuildEnableWorkloadResolver: false
+      DOTNET_NUGET_SIGNATURE_VERIFICATION: true
     condition: "and(succeeded(), eq(variables['RunTestsOnLinux'], 'true'))"
     pool:
       vmImage: ubuntu-latest

diff --git a/src/NuGet.Core/NuGet.Packaging/PackageArchiveReader.cs b/src/NuGet.Core/NuGet.Packaging/PackageArchiveReader.cs
@@ -527,7 +527,8 @@ public override bool CanVerifySignedPackages(SignedPackageVerifierSettings verif
             else if (RuntimeEnvironmentHelper.IsLinux || RuntimeEnvironmentHelper.IsMacOSX)
             {
                 // Please note: Linux/MAC case sensitive for env var name.
-                string signVerifyEnvVariable = _environmentVariableReader.GetEnvironmentVariable("DOTNET_NUGET_SIGNATURE_VERIFICATION");
+                string signVerifyEnvVariable = _environmentVariableReader.GetEnvironmentVariable(
+                    EnvironmentVariableConstants.DotNetNuGetSignatureVerification);
 
                 bool canVerify = false;
 

diff --git a/src/NuGet.Core/NuGet.Packaging/Signing/EnvironmentVariableConstants.cs b/src/NuGet.Core/NuGet.Packaging/Signing/EnvironmentVariableConstants.cs
@@ -0,0 +1,10 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Packaging.Signing
+{
+    internal static class EnvironmentVariableConstants
+    {
+        internal const string DotNetNuGetSignatureVerification = "DOTNET_NUGET_SIGNATURE_VERIFICATION";
+    }
+}
diff --git a/test/NuGet.Core.Tests/NuGet.Packaging.Test/PackageArchiveReaderTests.cs b/test/NuGet.Core.Tests/NuGet.Packaging.Test/PackageArchiveReaderTests.cs
@@ -2092,24 +2092,36 @@ public void CanVerifySignedPackages_ReturnsValueBasedOnOperatingSystemAndFramewo
             using (var packageArchiveReader = new PackageArchiveReader(packageStream, environmentVariableReader: environment.Object))
             {
                 // Act
-                bool expectedResult = CanVerifySignedPackages();
+                bool expectedResult = CanVerifySignedPackages(environment.Object);
                 bool actualResult = packageArchiveReader.CanVerifySignedPackages(null);
 
                 // Assert
                 Assert.Equal(expectedResult, actualResult);
             }
         }
 
-        private static bool CanVerifySignedPackages()
+        private static bool CanVerifySignedPackages(IEnvironmentVariableReader environmentVariableReader = null)
         {
-            return RuntimeEnvironmentHelper.IsWindows &&
+            return (RuntimeEnvironmentHelper.IsWindows ||
+                IsVerificationEnabledByEnvironmentVariable(environmentVariableReader)) &&
 #if IS_SIGNING_SUPPORTED
                 true;
 #else
                 false;
 #endif
         }
 
+        private static bool IsVerificationEnabledByEnvironmentVariable(
+            IEnvironmentVariableReader environmentVariableReader = null)
+        {
+            IEnvironmentVariableReader reader = environmentVariableReader ?? EnvironmentVariableWrapper.Instance;
+
+            string value = reader.GetEnvironmentVariable(
+                EnvironmentVariableConstants.DotNetNuGetSignatureVerification);
+
+            return string.Equals(bool.TrueString, value, StringComparison.OrdinalIgnoreCase);
+        }
+
         private static string ExtractFile(string sourcePath, string targetPath, Stream sourceStream)
         {
             using (var targetStream = File.OpenWrite(targetPath))