dotnet nuget verify doesn't seem to match the checks run on nuget.org
dylrich opened this issue
NuGet Product Used
NuGet.exe
Product Version
8.0.105
Worked before?
No response
Impact
It bothers me. A fix would be nice
Repro Steps & Context
I was attempting to use an alternative NuGet signing implementation from jsign when I ran into an issue uploading my NuGet package to nuget.org that did not appear when I ran dotnet nuget verify ./mypackage.nupkg. As a user, I would expect that if my package passes the checks in verify and my publish operation succeeds, my package should be well-formed and I should not receive a validation error later on from nuget.org. In order to prevent future bugs like ebourg/jsign#234, could the logic used for validation between nuget.org and dotnet nuget verify be kept in sync?
Verbose Logs
No response
Related: #8875
could the logic used for validation between nuget.org and dotnet nuget verify be kept in sync
dotnet nuget verify currently only does signature verification. It does not have any context about a package being potentially published to nuget.org.
We wouldn't want to add noise to package authors that are never going to need to meet the nuget.org requirements.
What do you think about creating some other tooling that checks for compliance with nuget.org requirements? It is a bit frustrating as a package author to have nuget.org reject your package after accepting the package initially, with no way to run the same checks it is running yourself.
What do you think about creating some other tooling that checks for compliance with nuget.org requirements
I think that could work as well. I wasn't able to find duplicates on the NuGetGallery side or in #8875 in particular, but this has been a consideration in the past.
There have also been other approaches toward solving this problem such as #12874.
Note that the spec is merged and accepted, but not actively being worked on yet.