Check signatures on NuGet packages
The weak link in deployment with Octopus is the NuGet repository - a bad guy could upload a package that leaks your sensitive data, and Octopus would deploy it without realizing.
A solution would be:
- You sign your NuGet packages with the private key of an X509 certificate (NuGet uses System.IO.Packaging, which supports signatures)
- In Octopus, you provide a list of thumbprints of certificates that you trust (e.g., you only trust NuGet packages signed by yourself)
- When Octopus downloads a package, or when Tentacles download packages, Octopus verifies that they have been signed by a trusted certificate
This should be an opt-in feature, i.e., we can trust unsigned packages by default, or only packages signed by a given certificate.
NuGet is introducing signed packages: https://github.com/NuGet/Home/wiki/Author-Package-Signing
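The three-step flow proposed above (sign with a certificate's private key, configure trusted thumbprints, verify on download), as an added C# example; this is not Octopus's or NuGet's code. It assumes the package bytes are signed with a detached CMS/PKCS#7 signature carried alongside the .nupkg (the hypothetical sidecar layout is an assumption, not NuGet's final format), that the signer's certificate is embedded in the signature, and that the operator supplies SHA-1 thumbprints. `PackageSignatureGate`, `Verify`, `Sign` and the throwaway self-signed certificate are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical admission gate a deployment server could run before accepting a package.
public static class PackageSignatureGate
{
    public sealed class Result
    {
        public bool Accepted;
        public string Reason;
        public string SignerThumbprint;
    }

    // trustedThumbprints: operator-configured SHA-1 thumbprints; whitespace/colons are
    // stripped and the comparison is case-insensitive. allowUnsigned implements the
    // opt-in behaviour from the request: unsigned packages pass only when it is true.
    public static Result Verify(byte[] packageBytes, byte[] cmsSignature,
                                IEnumerable<string> trustedThumbprints, bool allowUnsigned)
    {
        var trusted = new HashSet<string>(trustedThumbprints.Select(Normalize), StringComparer.OrdinalIgnoreCase);

        if (cmsSignature == null || cmsSignature.Length == 0)
            return new Result { Accepted = allowUnsigned,
                                Reason = allowUnsigned ? "unsigned package accepted (verification not enforced)"
                                                       : "package is not signed" };

        // Detached signature: the verifier supplies the content itself, so the signed
        // bytes are exactly the bytes that will be deployed.
        var cms = new SignedCms(new ContentInfo(packageBytes), detached: true);
        try { cms.Decode(cmsSignature); }
        catch (CryptographicException ex) { return new Result { Accepted = false, Reason = "malformed signature: " + ex.Message }; }

        if (cms.SignerInfos.Count != 1)
            return new Result { Accepted = false, Reason = "expected exactly one signer" };

        var cert = cms.SignerInfos[0].Certificate;
        if (cert == null)
            return new Result { Accepted = false, Reason = "signer certificate not embedded" };

        // Step 1: is the signing certificate one the operator explicitly trusts?
        // Pinning a thumbprint ties trust to one certificate, not to anything a CA issues.
        var thumb = Normalize(cert.Thumbprint);
        if (!trusted.Contains(thumb))
            return new Result { Accepted = false, Reason = "signer not in trusted list", SignerThumbprint = thumb };

        // Step 2: does the signature actually verify over these package bytes?
        // verifySignatureOnly: true skips OS chain building because trust is decided by the
        // pinned thumbprint; the cryptographic check against the embedded public key still runs.
        // A production gate would additionally check validity period and revocation.
        try { cms.CheckSignature(verifySignatureOnly: true); }
        catch (CryptographicException ex)
        { return new Result { Accepted = false, Reason = "signature does not match package: " + ex.Message, SignerThumbprint = thumb }; }

        return new Result { Accepted = true, Reason = "ok", SignerThumbprint = thumb };
    }

    static string Normalize(string t) =>
        new string(t.Where(c => !char.IsWhiteSpace(c) && c != ':').ToArray());

    // Signing side, so the gate can be exercised end to end. In a real pipeline this runs
    // on the build server with a protected key; only Verify runs on the deployment side.
    public static byte[] Sign(byte[] packageBytes, X509Certificate2 certWithPrivateKey)
    {
        var cms = new SignedCms(new ContentInfo(packageBytes), detached: true);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, certWithPrivateKey)
        { IncludeOption = X509IncludeOption.EndCertOnly };
        cms.ComputeSignature(signer);
        return cms.Encode();
    }

    public static void Main()
    {
        // Constructed throwaway self-signed certificate for the demo (not from the page).
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=example build signer", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        // Round-trip through PFX so the private key is persisted in a form CmsSigner accepts on every platform.
        using var cert = new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.Exportable);

        byte[] package = Encoding.UTF8.GetBytes("constructed stand-in for the bytes of a .nupkg");
        byte[] sig = Sign(package, cert);
        var trusted = new[] { cert.Thumbprint };

        Console.WriteLine(Verify(package, sig, trusted, allowUnsigned: false).Reason);           // ok
        Console.WriteLine(Verify(package, sig, new[] { new string('0', 40) }, false).Reason);    // signer not in trusted list
        package[0] ^= 0x01;                                                                      // tamper with one byte
        Console.WriteLine(Verify(package, sig, trusted, allowUnsigned: false).Reason);           // signature does not match package
        Console.WriteLine(Verify(package, null, trusted, allowUnsigned: true).Reason);           // unsigned accepted only because opted out
    }
}
```

The order of the two checks is deliberate: the thumbprint lookup rejects an unknown signer before any signature math runs, and the detached-content construction means a package whose bytes differ from what was signed fails even when the signer is trusted, which is the case the original post is worried about.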
Jesse Houwing commented
We'd love this feature.
Using System.IO.Packaging would be one of the ways to sign the packages. Also, once the NuGet package signing features are finalized, it would be nice if these were supported:
In our situation, where we consume packages provided by an external source (NuGet feed), we'd like to verify that any package sourced from these feeds is actually also signed by a trusted party before we install it.
In the banking environment I'm currently working in, another common way to validate packages is through PGP/SSH key signing of packages, similar to how a number of Unix package managers handle package signatures:
These solutions are not ideal in a public repo setting, but on private repos with limited sets of keys, it works really well.