Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nuget source password encryption story #1851

Open
yishaigalatzer opened this issue Dec 18, 2015 · 40 comments · Fixed by NuGet/NuGet.Client#813
Open

nuget source password encryption story #1851

yishaigalatzer opened this issue Dec 18, 2015 · 40 comments · Fixed by NuGet/NuGet.Client#813
Assignees
Labels
Area:Authentication Platform:Xplat Priority:2 Issues for the current backlog. Product:dotnet.exe Resolution:BlockedByExternal Progress on this task is blocked by an external issue. When that issue is completed this can proceed Tenet:Security Type:Feature

Comments

@yishaigalatzer
Copy link

yishaigalatzer commented Dec 18, 2015

Rob adding text on 2/10/2017:
nuget.exe | dotnet.exe can now use encrypted passwords in nuget.config files -- when running on windows ONLY.
Ideally, we'd support dotnet.exe on other platforms too, so they don't need to store passwords via cleartext.

This would need APIs from .NET Core. See the related https://github.com/dotnet/corefx/issues/6746

@yishaigalatzer
Copy link
Author

CC @anurse @davidfowl

@emgarten
Copy link
Member

emgarten commented Feb 4, 2016

Is this needed for xplat?

@yishaigalatzer
Copy link
Author

Yes but not for rc, and debatable for rtm

@yishaigalatzer yishaigalatzer modified the milestones: 3.4 Beta, 3.4 RTM Feb 25, 2016
@yishaigalatzer yishaigalatzer modified the milestones: 3.4 RTM, 3.4 RTM - Triage Mar 11, 2016
@yishaigalatzer
Copy link
Author

@emgarten when RC is out the door, please start a thread with Stephen Toub

@stunney
Copy link

stunney commented Nov 3, 2021

@mrward can you help light a fire under a Product Manager to get this resolved?

@BrianMcBrayer
Copy link

Agreed. This is a critical feature.

@JonDouglas
Copy link
Contributor

Hi all,

This is the first time i've seen this issue so please bear with me.

As far as I'm aware, this issue is dependent on ProtectedData having cross-platform support. Currently the API has notes of:

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata?view=windowsdesktop-5.0#remarks

and

.NET Core and .NET 5+ only: Calls to the Protect method are supported on Windows operating systems only

The use of this class is in the following code:

https://github.com/nuget/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Configuration/Utility/EncryptionUtility.cs#L15-L39

This API has no plans to support cross-platform cases which means that we(NuGet) will need to use another approach for each platform as noted by the comment author. It is possible that we may be able to adopt a similar implementation that Mono has for these non-windows platforms.

In the meantime, please upvote the original comment on this issue with a 👍 so we can understand the need for this feature. Or even create a new issue specific to the scenario you're interested in since this issue captures many other authentication scenarios in addition.

Thank you.

@psmulovics
Copy link

There are multiple scenarios where you would need this - e.g. connecting to enterprise hosted package manager endpoints where you would need to store password or API key in your nuget.config and you would like to do it encrypted.

As a cascade effect, if the actual underlying protecteddata API would be solved for other scenarios (e.g. for Linux it could have a dependency on libcrypt, or the actual .NET package for a particular Linux distribution could have the distro specific implementation of the relevant crypto DLL), it would enable the use of some pwsh scripts that also fail on the lack of protecteddata support, etc. So fixing the underlying problem would have a positive cascade on a much wider set of the .NET ecosystem.

@aortiz-msft aortiz-msft removed the Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. label Dec 9, 2021
@aortiz-msft aortiz-msft added the Priority:1 High priority issues that must be resolved in the current sprint. label Dec 9, 2021
@aortiz-msft
Copy link
Contributor

@dtivel - Would you please summarize our current state? Also, if we are blocked on a crypto API, we need to create an issue against the proper team to drive the conversation.

cc @JonDouglas

@aortiz-msft aortiz-msft added the Resolution:BlockedByExternal Progress on this task is blocked by an external issue. When that issue is completed this can proceed label Dec 9, 2021
@tmds
Copy link

tmds commented Dec 15, 2021

We had a discussion about this with Microsoft 2 years back.

Two points came up:

  • The solution can not be as-secure as on Windows.
  • Depending on what you are encrypting, there are different requirements, which means using algorithms, key lengths, ...

The first is something we need to accept. We can make it as secure as it is on Linux. That means the key for encrypting/decrypting is stored under the user folder and accessible only to that user.
(My private ssh key is at ~/.ssh/id_rsa 😉).

The second means framework won't provide ProtectedData because there is no generic solution. NuGet needs to take care of it itself.

This is some code @bartonjs wrote as part of the discussion. It may be usable as a base for NuGet's implementation.

cc @GrabYourPitchforks

@hamarb123
Copy link

I just started getting this warning:

<path to .csproj> : warning NU1803: You are running the 'restore' operation with an 'HTTP' source, 'http://<rest of link>'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

I'm currently using http on macOS (on localhost, which probably should never be blocked imo since it's not really insecure in the same way per-se) because it doesn't support encrypting the client-cert certificate for some reason. This should be able to be very secure on macOS using keychain, I have no idea why this isn't supported yet other than low priority (which is understandable), but I need to be able to keep using http for localhost until client-cert is implemented on macOS - will disallowing http be delayed until this is implemented on all platforms?

Is there a timeline for this? Will it be properly secure using keychain (if I'm not mistaken keychain will prompt every time access is requested until allow every time is pressed, and then it should allow for the dotnet executable to access its keychain data)?

@zivkan
Copy link
Member

zivkan commented Jul 25, 2022

@hamarb123 this issue (source password encryption, for private/authenticated feeds) is not related to http/https. Please create a new issue for that.

@hamarb123
Copy link

I know it's not related directly. As I said (I think), I'm using a client-cert certificate that runs over https, I'm currently having to use the http version (which doesn't have client-cert or encryption) though because I don't want to store the client-cert certificate password unencrypted. I could probably set up a https proxy that doesn't require client-cert as well, but I don't want to accidentally expose it outside of the machine so I have intentionally used the http one on localhost instead of doing that. Ideally I'd like this feature to be implemented so I don't have to use the http one or find a different solution at all.

@tmds
Copy link

tmds commented Oct 11, 2022 via email

@p10tyr
Copy link

p10tyr commented Dec 6, 2024

Still a problem today. OS's have built-in key chain managers so I wonder why it's not compatible?
We can't be moving developers over to Linux / Mac if we MSFT is forcing them to store plain text.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area:Authentication Platform:Xplat Priority:2 Issues for the current backlog. Product:dotnet.exe Resolution:BlockedByExternal Progress on this task is blocked by an external issue. When that issue is completed this can proceed Tenet:Security Type:Feature
Projects
None yet
Development

Successfully merging a pull request may close this issue.