From f05ee4289622303d896a71d828e525e626a2a5d8 Mon Sep 17 00:00:00 2001 From: Joe DeCock Date: Fri, 19 Jul 2024 08:53:20 -0500 Subject: [PATCH 1/2] Fix a link that hugo complained about --- IdentityServer/v6/docs/content/upgrades/is4_v3_to_dis_v6.md | 2 +- IdentityServer/v7/docs/content/upgrades/is4_v3_to_dis_v6.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/IdentityServer/v6/docs/content/upgrades/is4_v3_to_dis_v6.md b/IdentityServer/v6/docs/content/upgrades/is4_v3_to_dis_v6.md index 878e1b4a..d49911b9 100644 --- a/IdentityServer/v6/docs/content/upgrades/is4_v3_to_dis_v6.md +++ b/IdentityServer/v6/docs/content/upgrades/is4_v3_to_dis_v6.md @@ -137,4 +137,4 @@ At this point, you should be able to query your migrated database and see your d ## Step 4: Move onto the upgrade guide for Duende IdentityServer v6 Once your project has been updated to IdentityServer4 v4, then you can work through the guide to update from IdentityServer4 v4 to Duende IdentityServer v6 (which should be far easier). -Here is the [link to the next upgrade guide]({{< ref "/is4_v4_to_dis_v6" >}}). +Here is the [link to the next upgrade guide]({{< ref "is4_v4_to_dis_v6" >}}). diff --git a/IdentityServer/v7/docs/content/upgrades/is4_v3_to_dis_v6.md b/IdentityServer/v7/docs/content/upgrades/is4_v3_to_dis_v6.md index 878e1b4a..d49911b9 100644 --- a/IdentityServer/v7/docs/content/upgrades/is4_v3_to_dis_v6.md +++ b/IdentityServer/v7/docs/content/upgrades/is4_v3_to_dis_v6.md @@ -137,4 +137,4 @@ At this point, you should be able to query your migrated database and see your d ## Step 4: Move onto the upgrade guide for Duende IdentityServer v6 Once your project has been updated to IdentityServer4 v4, then you can work through the guide to update from IdentityServer4 v4 to Duende IdentityServer v6 (which should be far easier). -Here is the [link to the next upgrade guide]({{< ref "/is4_v4_to_dis_v6" >}}). +Here is the [link to the next upgrade guide]({{< ref "is4_v4_to_dis_v6" >}}). 
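Review bot: Dropping the leading slash in `{{< ref "/is4_v4_to_dis_v6" >}}` is the right fix, since Hugo resolves a `ref` that begins with `/` from the content root and one without it relative to the current page's directory, and `is4_v4_to_dis_v6` lives beside this page under `upgrades/`; the larger problem the hunk exposes is that the identical change has to be made in two byte-identical copies of the file (`v6/docs/content/upgrades/is4_v3_to_dis_v6.md` and `v7/docs/content/upgrades/is4_v3_to_dis_v6.md`, both at index 878e1b4a..d49911b9), which is presumably how the broken link ended up in both. Consider sharing the v3-to-v6 guide between the two doc trees rather than maintaining it twice, or at least say in the commit message that both copies must stay in sync so the next editor does not fix only one.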
From fbc447f709abdec658c42b3b5e9fcdcd87810ddc Mon Sep 17 00:00:00 2001 From: Joe DeCock Date: Fri, 19 Jul 2024 09:23:25 -0500 Subject: [PATCH 2/2] Update code signing discussion --- .../v7/docs/content/overview/security.md | 26 ++++++++++++++----- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/IdentityServer/v7/docs/content/overview/security.md b/IdentityServer/v7/docs/content/overview/security.md index e5a9c09a..783c7e1d 100644 --- a/IdentityServer/v7/docs/content/overview/security.md +++ b/IdentityServer/v7/docs/content/overview/security.md 
@@ -69,19 +69,20 @@ Duende IdentityServer is a [certified](https://openid.net/certification/) implem NuGet packages published by Duende are cryptographically signed to ensure their authenticity and integrity. Our certificate is signed by Sectigo, which is a widely trusted certificate authority and installed by default in most environments. This means -that in many circumstances, the nuget tools can validate our packages' signatures +that in many circumstances, the NuGet tools can validate our packages' signatures automatically. -However, some environments (notably the dotnet sdk docker image which is sometimes used in +However, some environments (notably the dotnet sdk docker image which is +sometimes used in build pipelines) do not trust the Sectigo certificate. Typically this isn't a problem, because NuGet packages distributed by nuget.org are signed by nuget.org as the repository in addition to Duende's signature as the publisher. nuget.org's certificate is signed by a -different authority that most build pipelines do trust. The nuget tools will validate +different authority that most build pipelines do trust. The NuGet tools will validate packages if they trust either the publisher or the repository. In the rare circumstance that we distribute a NuGet package not through nuget.org (and therefore without a nuget.org repository signature), it might be necessary to add the -Sectigo root certificate to nuget's code signing certificate bundle. Sectigo's root +Sectigo root certificate to NuGet's code signing certificate bundle. Sectigo's root certificate is available from Sectigo [here](https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c). 
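Review bot: The rewrap at `+However, some environments (notably the dotnet sdk docker image which is` / `+sometimes used in` leaves a three-word orphan line in a paragraph that is otherwise wrapped at about 80 columns; reflow the whole paragraph instead of splitting a single line. The capitalisation changes are consistent (product name `NuGet` in "NuGet tools" and "NuGet's code signing certificate bundle", lowercase `nuget.org` where it is the domain), so no issue there. One wording point: "in many circumstances" and "Typically this isn't a problem" hedge the same claim twice; the sentence that actually carries the argument is "The NuGet tools will validate packages if they trust either the publisher or the repository", and leading with it would make clear why the SDK image normally works despite not trusting Sectigo.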
@@ -92,15 +93,28 @@ trust Sectigo by default. First, get the Sectigo certificate and convert it to PEM format: ```sh -wget https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c +wget http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c openssl pkcs7 -inform DER -outform PEM -in SectigoPublicCodeSigningRootR46.p7c -print_certs -out sectigo.pem ``` + +Next, you should validate that the thumprint of the certificate is correct. +Bootstrapping trust in a certificate chain can be challenging. Fortunately, most +desktop environments already trust this certificate, so you can compare the +downloaded certificate's thumprint to the thumbprint of the certificate on a +machine that already trusts it. You should verify this independently, but for +your convenience, the thumprint is +CC:BB:F9:E1:48:5A:F6:3C:E4:7A:BF:8E:9E:64:8C:25:04:FC:31:9D. You can check the +thumbprint of the downloaded certificate with openssl: +```sh +openssl x509 -in sectigo.pem -fingerprint -sha1 -noout +``` + Then append that PEM to the certificate bundle at */usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem*: ```sh cat sectigo.pem >> /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem ``` -After that, nuget packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org: +After that, NuGet packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org: ```sh dotnet nuget verify Duende.IdentityServer.7.0.x.nupkg ```
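Review bot: The change from `-wget https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c` to `+wget http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c` downgrades the download of a root certificate that is about to be appended to the SDK's trust bundle to plaintext HTTP, while the paragraph in the preceding hunk still links the same file over https; unless there is a concrete reason (for example the host not serving HTTPS from inside the SDK image), keep https so that a reader who skips the fingerprint step is not handed an attacker-supplied root, and if there is a reason, state it in the text. The added fingerprint check is the right mitigation for a bootstrapping step like this, but it spells "thumbprint" as "thumprint" three times, and it uses `openssl x509 -fingerprint -sha1`; SHA-1 matches what Windows and most certificate viewers label as the thumbprint, but consider also listing the SHA-256 fingerprint (`-sha256`) so readers comparing against tools that show SHA-256 can match it. Finally, the append target `/usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem` (in the context lines) hard-codes an SDK patch version that will not exist in other SDK images; since `cat >>` to a non-existent directory fails loudly but a path for a different installed SDK version succeeds silently and leaves `dotnet nuget verify` still failing, suggest `/usr/share/dotnet/sdk/$(dotnet --version)/trustedroots/codesignctl.pem` or an explicit note that the version directory must match the installed SDK.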