Commit 3280cac

[release/6.0.4xx] Trusted roots: 2023-04 (#32571)
1 parent b1f74d3 commit 3280cac

2 files changed

+160
-0
lines changed

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
# Trusted X.509 Certificate Roots
2+
3+
This directory contains [Microsoft-maintained root certificate trust lists (CTL)](https://learn.microsoft.com/security/trusted-root/program-requirements) for [Code Signing (CS)](https://en.wikipedia.org/wiki/Code_signing), and [Time Stamping (TS)](https://en.wikipedia.org/wiki/Code_signing#Time-stamping). The .NET SDK uses these CTLs for [NuGet signing and validation](https://learn.microsoft.com/en-us/nuget/reference/signed-packages-reference), on Linux and macOS. They are also used in various Microsoft products.
4+
5+
- [Code signing CTL](codesignctl.pem)
6+
- [Timestamping CTL](timestampctl.pem)
7+
8+
The CTLs are stored in [PEM format](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail).
9+
10+
## Behavior
11+
12+
[NuGet uses these CTLs as a fallback](https://github.com/dotnet/sdk/issues/25686) when an OS-provided CTL is not available.
13+
14+
- Linux: The fallback CTL is typically used; however, an OS-provided CTL will be used if available (see `ca-certificates` section).
15+
- macOS: Package verification is not enabled by default, but when it is enabled, the fallback code signing CTL is always used since an OS-provided CTL is not available.
16+
- Windows: The fallback CTL is never used since an OS-provided CTL is always available (via an OS API).
17+
18+
## Linux
19+
20+
On Linux, NuGet will first probe for a code signing system bundle (multi-PEM file) using a [list of well-known paths](https://github.com/dotnet/designs/blob/main/accepted/2021/signed-package-verification/re-enable-signed-package-verification-technical.md#linux). The first successful match will be used. If no match is found or if there are problems processing the system bundle, NuGet will use the fallback bundle.
21+
22+
The timestamping CTL in the .NET SDK is always used. There doesn't seem to be any precedent for a timestamping-specific certificate bundle under `/etc/pki/ca-trust/extracted/pem`.
23+
24+
The `ca-certificates` package contains trusted roots on most Linux distributions. Some distributions hold the view that this package should be the sole source of roots. That approach results in a single package affecting the overall trust model (as it relates to X.509 certificates) of the machine/container. We are able to accommodate that approach for code signing root certificates.
25+
26+
Distributions are welcome to source the code signing roots for their `ca-certificates` package and to install them [according to our spec](https://github.com/dotnet/designs/blob/main/accepted/2021/signed-package-verification/re-enable-signed-package-verification-technical.md#linux). In that case, the fallback code signing CTL will not be used.
27+
28+
## macOS
29+
30+
On macOS, NuGet signed package verification is not enabled by default, due to the following issues:
31+
32+
- https://github.com/NuGet/Home/issues/11985
33+
- https://github.com/NuGet/Home/issues/11986
34+
35+
## Governance
36+
37+
Roots included in the respective CTLs conform to program requirements outlined by the [Microsoft Trusted Root Program](https://docs.microsoft.com/security/trusted-root/program-requirements).
38+
39+
Microsoft will typically update the CTLs in this repository within 30 days after [updates are published for Microsoft products](https://docs.microsoft.com/security/trusted-root/release-notes).
40+
41+
The CTLs are provided on an as-is basis, at no cost, and under the MIT license (same as this repo).
42+
43+
Issues can be filed at [dotnet/sdk](https://github.com/dotnet/sdk/issues) or [NuGet/Home](https://github.com/NuGet/Home/issues).
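Review bot: the `## Linux` section says NuGet switches to the bundled fallback CTL "if there are problems processing the system bundle" but does not say whether that switch is surfaced to the user, nor what counts as a problem (missing file, unreadable file, malformed PEM, empty bundle?). A distribution that deliberately ships a narrower set of code-signing roots in `ca-certificates`, as the `ca-certificates` paragraph invites, would silently end up trusting the broader fallback set if its bundle fails to parse; please document whether a warning or log entry is emitted and the exact fallback conditions, or link to where the design document specifies them. The same section should also state plainly that the timestamping CTL has no system override on Linux, since "is always used" reads as a description rather than a limitation. Minor: the intro links the program requirements via `learn.microsoft.com/security/trusted-root/program-requirements` while `## Governance` links the same page via `docs.microsoft.com`; use one host.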

src/Layout/redist/trustedroots/timestampctl.pem

Lines changed: 117 additions & 0 deletions
@@ -9024,3 +9024,120 @@ aXnCgUGKtiG9tfBMUw3fChoPb9L1yKdNof3zXDdTloMqEpO4BFrmjco8kt1v0LUQ
90249024
PhNZmQP4nqd4Hqx2384nPmWDXbQ+eePyxRteYGY0hJeDLVpyeYG8VQ==
90259025
-----END CERTIFICATE-----
90269026

9027+
-----BEGIN CERTIFICATE-----
9028+
MIIGEjCCA/qgAwIBAgIQPPt99H6ktMZyoD/D0lx8xjANBgkqhkiG9w0BAQsFADB4
9029+
MQswCQYDVQQGEwJNTzExMC8GA1UEChMoTWFjYW8gUG9zdCBhbmQgVGVsZWNvbW11
9030+
bmljYXRpb25zIEJ1cmVhdTE2MDQGA1UEAxMtZVNpZ25UcnVzdCBSb290IENlcnRp
9031+
ZmljYXRpb24gQXV0aG9yaXR5IChHMDMpMB4XDTE3MDEwMTAwMDAwMFoXDTQxMTIz
9032+
MTIzNTk1OVoweDELMAkGA1UEBhMCTU8xMTAvBgNVBAoTKE1hY2FvIFBvc3QgYW5k
9033+
IFRlbGVjb21tdW5pY2F0aW9ucyBCdXJlYXUxNjA0BgNVBAMTLWVTaWduVHJ1c3Qg
9034+
Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAoRzAzKTCCAiIwDQYJKoZIhvcN
9035+
AQEBBQADggIPADCCAgoCggIBAMRTjgN1XSSze9lMBwJY56POLX9YVbYWxPJx8Pzo
9036+
055B1hR9N6OdkFzPMiSq5LgxZ8JjlqXK82lWKv/JMEZBKcQ20k70hgaQMce/7SXv
9037+
w5lTQ+O4cNzf7yXVv5/BgOQTtz+ESYJEeniTXeWt1GLyy1NC7hGT79azuQ0I3qnK
9038+
EyOWUGlboD/2H5M6yPlBXzb334tgTFZ9h8e3m4eoAyj4Aq5tLQwCJPjkcSXcigDn
9039+
iOKxs7bStSSQkoNzp7x4DbgAcNRiPMVXhx/aAGU1KBZ6mPKeYijBBsm1pd1fCPuI
9040+
Q/qjoiF8gAZl/L66u06Sv5f2JHiIkksW63KN2Vof4v8PtHjCZg4Rqm6HMkbOX89/
9041+
icxalBVVeEpndvhOSn4i5Pg8xU0YLx3hbe1/P56+pG2Rvv4lHGy1Ic9skiR/gJ72
9042+
IKwUe+fg2hI0RXHODNRmOF1vVqm4mW4zdg7aGJK/r3fx5NucUsR8yIyBUyX/Cnvs
9043+
a8AT+zp5/7zvERvbVnVFW/usZYZ/QtWLGRAEKne6t4PDCMIYapVuFgM3mXGGPq97
9044+
ZsX+sKeACuqi4xLCVlFm+uQ5rSAfxQqUknUrQZicUAM3msRezyFa6nitTfzl/MGV
9045+
2IM0AtyKgflZJtXlf5M/dfcRIKdoliAluHy30mA+JgsGL91ab/H9Dyiu9z+fHbVZ
9046+
8abNAgMBAAGjgZcwgZQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
9047+
MQYDVR0RBCowKKQmMCQxIjAgBgNVBAMTGU1QRVNULVBST0QtT2ZmbGluZS00MDk2
9048+
LTEwHQYDVR0OBBYEFBzgIGE9BuTtLG1VuI41rtls5UeBMB8GA1UdIwQYMBaAFBzg
9049+
IGE9BuTtLG1VuI41rtls5UeBMA0GCSqGSIb3DQEBCwUAA4ICAQBcONUKhiMtAWTY
9050+
xoo2RwG1wt42Zs+CXIAwaxX/n3SCwrQ5c2MVJrQtGJAsdONidAJOsQo45z2ah1WK
9051+
FMtDfQHyfIfcv0fbgjPgfZ+H2XfnQCujZgNQOVPokBtk6JLVdRkM8QEI/ST7DZB1
9052+
OtsXl32gZRpgf3bC/1fHm1N94wbEvfZp1l9XjYW9yhJxUJt+/4qTlEEojG1D7WaE
9053+
DagxBGfe7WM7bDAg39TtsTeB7eCrQC4aQvnyYeA86AinuF4BerjVKcwPHl1F+ld/
9054+
7h8xMONwpNCa49/TK2SeUKQzd/PZbSXz+quSYKAefbW03P4NOFah5duW/Nl+zfwn
9055+
ExGik+Y7NZfXCQ/MhboMrJ5QjVJHULobOqoX5sDYGxo+GDwXz2iEgOBETijPKkPx
9056+
x7iqx55Wfn/H1fsUmMMggB7+dS1jmKf1BVKpXn7pUCm2qZMuaGYJFBv8q5wIaTXa
9057+
c5fOAi9MapIBymFIYY+DjjZxyRraIBn9gYLvwYD8V9R/+SnU3fQ/84CXPp9OHaRk
9058+
uZehgmYi1uQgYIm1/mkNKy7WBIOdlHHMw2i6bKqFp7Ia4OtAP4nfa2oIQ8T0jENJ
9059+
H/gEwUuTxYZSitBj00TEX528OsyuKoD9OFYsPyamAJclOWXL23QBEXaru0rkm2f0
9060+
N6rD89yf8GkKtB/r2OAom62ooTchLg==
9061+
-----END CERTIFICATE-----
9062+
9063+
-----BEGIN CERTIFICATE-----
9064+
MIICKzCCAbGgAwIBAgIQVWKmxZS9D8nZwdZJtffjFTAKBggqhkjOPQQDAzBXMQsw
9065+
CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS4wLAYDVQQDEyVT
9066+
ZWN0aWdvIFB1YmxpYyBUaW1lIFN0YW1waW5nIFJvb3QgRTQ2MB4XDTIxMDMyMjAw
9067+
MDAwMFoXDTQ2MDMyMTIzNTk1OVowVzELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1Nl
9068+
Y3RpZ28gTGltaXRlZDEuMCwGA1UEAxMlU2VjdGlnbyBQdWJsaWMgVGltZSBTdGFt
9069+
cGluZyBSb290IEU0NjB2MBAGByqGSM49AgEGBSuBBAAiA2IABNyiD7Sl1t4p03wW
9070+
ByX1PBd702QZC2WxghlJwr4YXAfE48F84LhBns77yP5KSCqZo+dtvK7/MhSh4k5I
9071+
CLdCR2JwDQbN28S1ypkwT0e4hXM0etMtOotYSlxf8N3ClyGjt6NCMEAwHQYDVR0O
9072+
BBYEFMxHPqoV3ZI2JS+wAd/PbkXBXd8qMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMB
9073+
Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMECx3XLh2pJo9kD1/Cukj9yf5Uml
9074+
MuxgVfxVVvUlYGGz3v4sOgSRDHvy6mzE2WsaVAIxAI4DpnVIJ0Yr/nI9+bExuc8l
9075+
lPov4BAdnS880mtVlyBYc/s7+vZpK+XBTnzXXeZgOw==
9076+
-----END CERTIFICATE-----
9077+
9078+
-----BEGIN CERTIFICATE-----
9079+
MIIFejCCA2KgAwIBAgIQeD0FbPqDLn5p+FYidp8CuTANBgkqhkiG9w0BAQwFADBX
9080+
MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS4wLAYDVQQD
9081+
EyVTZWN0aWdvIFB1YmxpYyBUaW1lIFN0YW1waW5nIFJvb3QgUjQ2MB4XDTIxMDMy
9082+
MjAwMDAwMFoXDTQ2MDMyMTIzNTk1OVowVzELMAkGA1UEBhMCR0IxGDAWBgNVBAoT
9083+
D1NlY3RpZ28gTGltaXRlZDEuMCwGA1UEAxMlU2VjdGlnbyBQdWJsaWMgVGltZSBT
9084+
dGFtcGluZyBSb290IFI0NjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
9085+
AIid2LlFZ50d3ei5JoGaVFTAfEkFm8xaFQ/ZlBBEtEFAgXcUmanU5HYsyAhTXiDQ
9086+
kiUvpVdYqZ1uYoZEMgtHES1l1Cc6HaqZzEbOOp6YiTx63ywTon434aXVydmhx7Dx
9087+
4IBrAou7hNGsKioIBPy5GMN7KmgYmuu4f92sKKjbxqohUSfjk1mJlAjthgF7Hjx4
9088+
vvyVDQGsd5KarLW5d73E3ThobSkob2SL48LpUR/O627pDchxll+bTSv1gASn/hp6
9089+
IuHJorEu6EopoB1CNFp/+HpTXeNARXUmdRMKbnXWflq+/g36NJXB35ZvxQw6zid6
9090+
1qmrlD/IbKJA6COw/8lFSPQwBP1ityZdwuCysCKZ9ZjczMqbUcLFyq6KdOpuzVDR
9091+
3ZUwxDKL1wCAxgL2Mpz7eZbrb/JWXiOcNzDpQsmwGQ6Stw8tTCqPumhLRPb7YkzM
9092+
8/6NnWH3T9ClmcGSF22LEyJYNWCHrQqYubNeKolzqUbCqhSqmr/UdUeb49zYHr7A
9093+
LL8bAJyPDmubNqMtuaobKASBqP84uhqcRY/pjnYd+V5/dcu9ieERjiRKKsxCG1t6
9094+
tG9oj7liwPddXEcYGOUiWLm742st50jGwTzxbMpepmOP1mLnJskvZaN5e45NuzAH
9095+
teORlsSuDt5t4BBRCJL+5EZnnw0ezntk9R8QJyAkL6/bAgMBAAGjQjBAMB0GA1Ud
9096+
DgQWBBT2d2rdP/0BE/8WoWyCAi/QCj0UJTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0T
9097+
AQH/BAUwAwEB/zANBgkqhkiG9w0BAQwFAAOCAgEACv68sZqZvmHk7JoU7AfTEZ7b
9098+
X45u40OrLX/6vzHQAwDg1TB00bWbiwj+7+we60BP8AMsw1h5NCXWxeyvrEVC54Mi
9099+
rwVrcF6SFGjRwRoelRuiaZ5FDO4oWhaePjZx3/jkQ7j653CA5WscYqlneLXBEZiY
9100+
o6rRNqnsZHZTQ606mlkNpsy3TFMADv5whZmilVEZ83OvydfH2DNL3FTkpZG7+lHS
9101+
1DFHMSUB5UtSSeSRg2UWTXwU5oObGjFk/35fC/dlF+nJIXdqsw0TZSS86bi5GRCJ
9102+
VjqjnkpZ0Jut7ucEv4PNOIU8ijkMRj17QPjHMtdy+WxBDDSdas/UFTVB/GF+Fofn
9103+
OD3iZ4tXxFjPU3EWRcMWx8fcGyzlBfcjeoPNbNC7wfyV9Qkzfk2Bd48jGxG7OThY
9104+
Wolc56vmBHqDEfguDwYc9AeWirMVRDi+WYlsktzAEObiFoPqs+LWU5q7+Q1+nEcs
9105+
tNuDIedeBRcHmtjL2hV3luuEWwDSnRhSjhPLPXzqpJ1rG3r4yqm1NjKg5A5QO9Az
9106+
veHqRQldluTSKuu96oPEPusL2oF+4MxkJ+SQMGFWTw/PNCblUN8GXeL5+mR20diP
9107+
5LiJMq8U3IpM/0Q7OFFQ+lXuYFIuDvUprWBPsp5La2WhL2+iLVVXItSl7up5yQqX
9108+
XftzTXTX48FRiJ6PA9o=
9109+
-----END CERTIFICATE-----
9110+
9111+
-----BEGIN CERTIFICATE-----
9112+
MIIFkzCCA3ugAwIBAgIRAPZw+VmI9FIFjjHhaIY++nowDQYJKoZIhvcNAQELBQAw
9113+
YzELMAkGA1UEBhMCVFcxIzAhBgNVBAoMGkNodW5naHdhIFRlbGVjb20gQ28uLCBM
9114+
dGQuMS8wLQYDVQQDDCZlUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
9115+
LSBHNDAeFw0yMjExMDMwMzQzMTRaFw00NzExMDMxNTU5NTlaMGMxCzAJBgNVBAYT
9116+
AlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEvMC0GA1UE
9117+
AwwmZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwggIiMA0G
9118+
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+6rvkEY1CtqIA4KNcNzeta2TDeCz4
9119+
6DTWdEh/JPozqkf6VlTlS994ce3jGXJQeboea4tAmvNa/9OUidhfJJ9JwbIuiCKd
9120+
q7ANTuyYZaS0qAw3jT9cnmbuZfCwlpwtvFzqQnMjDW7Q9WWS3rP2pZjPoo7k0T9q
9121+
sLbjdWKTn3SZd75x7OhhVQ9wcvgeX79pGQ/KzRg1Gxmiuo38yLsEqQGhNejQhfE/
9122+
FePtjqbmFx/SvDEWYi+BXJUC/KYM/VfZiuMRvsoQuNuP3SNY67H8ontqCzgagQCg
9123+
M16geYHsNQg3sWl3C6pKMMOUxeC9lMsF/auHNTRNI9CRneAdjICoe+Ue7mnS7RSr
9124+
9a+BaW7WywY6pxAq9bJqvUM6Z7sSVpjeeGHmxGn6UCUFdsC734CxTIctDJSQD4z/
9125+
FTYmfBAe/QitHqGyrqVvXgtEcdBgyj983usjimugpQS2Wt9K5fVc2Kgiydwuw6l4
9126+
rt+mDcRlr6rohFhNy8e74ipgOaby0xUxx5ce/5BiLKYEiCbTz4oeT+q0vudcahmu
9127+
ibWi39QwhHDzvLsU6quVHWzcvRnab6eVCkT2MjkFcMbmaIxQpx1WWyUBmR8gfQFT
9128+
XMTsYlu6tK3SDcwklJcg0MB/IPv/yXqoFAsH5Lar2rBzZ4jE1qa92EZo496Jt0tf
9129+
zYrb9eImYfkRsQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSN
9130+
zwp8byGdtlOqRml82j91ZFSgmDAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL
9131+
BQADggIBAFyhwJkz+xQyLikIZWBqMVBDS5UvIrL34rqPmfwII5ZJUQHc0zgXgKt+
9132+
2lL0JhqXXTvPuSkvv8UvmEOymBnGH5vPIs/hq8LI53zZZj07KqRQN8wBZ/QsAhKG
9133+
po5GKhwwkSPyLZKcEJ4VwJMBkd1du47utkUn8QZk/0O0TEt/FU4comJUpZu8+Obz
9134+
bDRV1CvWs/5hPX4SQRYNaNSwVpadl85t2rqD5gCmdmu3Jkoc8jnZAue5aLiblf0K
9135+
sUOKMBDH8r+LKIAdAKY53t1RG++9v9nJ1rPEPkl8k0kvyWYDwT0ZE1ptK0dCtKpw
9136+
wmmtT12PjZUEOBX9tCjBob0K16cmqYn46IbL938Y7EBigVSPvP9u3CvBXlySb3mB
9137+
E5KcUwakkoXgaMseZOJ4fKgaxFWwglJ3htLjMvFtoR87IZUELPKfu3SoUrXai1bu
9138+
jou0nrgG3B0/NjrcPHAmAK+GrY/nYyCWxnfmxVxCigAvVTcv70fTSxcXbAnMmZja
9139+
26b/OzJ7Irt4Iw0ktpDJOaDhH+20hbOwz4qulcGQqU3nbiFYjkhxBE3vYi3hkdOM
9140+
G4fSJZP29CmjjLEg1BHz4PzxZ7F++iAbKdOwSalNVNmqduMnYFkKE1M3LjVxiJ5R
9141+
wyY+yw0SA2BnkQyMAdxv+8ALpRv5xI+OAegoZPS/BHLZ3NH0iv/K
9142+
-----END CERTIFICATE-----
9143+
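Review bot: the four appended blocks carry no annotation, so a reviewer has to base64-decode them to learn which trust anchors this commit adds to the timestamping CTL (the decoded subjects are eSignTrust Root Certification Authority (G03) of the Macao Post and Telecommunications Bureau, Sectigo Public Time Stamping Root E46, Sectigo Public Time Stamping Root R46, and Chunghwa Telecom's ePKI Root Certification Authority - G4). PEM parsers ignore text outside the BEGIN/END markers, so a comment line with the subject and SHA-256 fingerprint ahead of each block, as other multi-PEM bundles do, would make additions and removals reviewable in the diff itself; at minimum the commit message should list the added roots and the Trusted Root Program release note they come from, which "Trusted roots: 2023-04" alone does not.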
