Allow for Publishing "Packed" Modules to PSGallery #1635

Open
SydneyhSmith opened this issue Apr 15, 2024 · 2 comments


@SydneyhSmith
Collaborator

Summary of the new feature / enhancement

PSResourceGet Pack and Push

Goals

  1. Allow for publishing signed PowerShell modules as nupkgs to PSGallery and ACR (what defines a module? It needs a psd1)
  2. Allow for publishing nuspec dependencies into ACR
  3. Create a new cmd for packing a PowerShell module

"Pack" design

Compress-PSResource [-Path] <String[]> [-DestinationPath] <String> [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]

"Push" design

Add an additional parameter set which takes a path to a nupkg

Publish-PSResource -NupkgPath "myPathtoNupkg" -Repository [Container] [PSGallery] -APIkey -SkipDependencyCheck

Screening for Modules

At this time PSGallery will only support this feature for modules, not arbitrary nupkgs

Proposed technical implementation details (optional)

No response

@SydneyhSmith
Collaborator Author

Related issues
#1393
#310

@aluty

aluty commented Apr 26, 2024

Using NuGet Version: 6.9.1.3 (https://www.nuget.org/downloads)

Symptom
nuget verify -Signatures "%USERPROFILE%\Downloads\name.major.minor.patch.nupkg"

Verifying name.major.minor.patch
%USERPROFILE%\Downloads\name.major.minor.patch.nupkg

Finished with 1 errors and 0 warnings.
NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an invalid value (8).

Package signature validation failed.

Expected
Original unmangled Nuget package PSModule.

Signature Hash Algorithm: SHA256

Signature type: Author
Verifying the author primary signature with certificate:

  Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  ...
  
  Successfully verified package 'name.major.minor.patch'.

Problem
Publishing process unpacks, extracts metadata, updates (rewrites and appends tags), and repacks.

Comparing package content of original to published, PSGallery modifies package:

  • Updates (appends) values in [Content_Types].xml
  • Adds PSGetModuleInfo.xml file
  • Updates *.nuspec by removing metadata entries and updating tags.

These repackaging changes invalidate the .signature.p7s file.

See also https://github.com/NuGet/Home/wiki/Package-Immutability
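
Added example, not part of the original comment or of the PSResourceGet project: a Python sketch of the comparison described above. It lists the entries that were added or changed between the pushed package and the served one, and checks whether `.signature.p7s` is still stored uncompressed (the condition NU3005 reports). The function names and the in-memory sample packages are constructed for illustration.

```python
import hashlib
import io
import zipfile

SIGNATURE_ENTRY = ".signature.p7s"  # signature file named in the comment above


def entry_digests(nupkg):
    """Map each zip entry name to (compression method, SHA-256 of its content)."""
    with zipfile.ZipFile(nupkg) as zf:
        return {i.filename: (i.compress_type, hashlib.sha256(zf.read(i)).hexdigest())
                for i in zf.infolist()}


def compare_packages(original, published):
    """Report what changed between the pushed package and the served one."""
    before, after = entry_digests(original), entry_digests(published)
    report = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(n for n in set(before) & set(after)
                           if n != SIGNATURE_ENTRY and before[n][1] != after[n][1]),
    }
    # NU3005 above: the signature entry had compression method 8 (deflate);
    # a signed package keeps that entry stored uncompressed (method 0).
    sig = after.get(SIGNATURE_ENTRY)
    report["signature_stored"] = sig is not None and sig[0] == zipfile.ZIP_STORED
    return report


def build_sample(files, sig_method):
    """Constructed in-memory package for the demo; not a real signed nupkg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(SIGNATURE_ENTRY, b"constructed-signature", compress_type=sig_method)
    return buf


def sample_pair():
    """Constructed before/after pair mirroring the three changes listed above."""
    base = {"name.nuspec": b"<tags>a</tags>", "[Content_Types].xml": b"<Types/>",
            "Module.psd1": b"@{}"}
    changed = dict(base, **{"name.nuspec": b"<tags>a PSModule</tags>",
                            "[Content_Types].xml": b"<Types><Default/></Types>",
                            "PSGetModuleInfo.xml": b"<Objs/>"})
    return (build_sample(base, zipfile.ZIP_STORED),
            build_sample(changed, zipfile.ZIP_DEFLATED))


if __name__ == "__main__":
    print(compare_packages(*sample_pair()))
```

`compare_packages` also accepts two file paths, so it can be pointed at the package as built and the copy downloaded from the repository.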
