diff --git a/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj b/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
index 0e7df2ef7..84b3240a1 100644
--- a/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
+++ b/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
@@ -107,7 +107,7 @@
- 2.25.0-master-29664
+ 2.25.0-master-30191
diff --git a/src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs b/src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs
index f92e61c30..da9a46dfd 100644
--- a/src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs
+++ b/src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs
@@ -330,10 +330,10 @@ private async Task PerformFinalValidationAsync(Context
}
// Block packages with any unknown signing certificates.
- var signingFingerprint = context.Signature
+ var signingCertificate = context.Signature
.SignerInfo
- .Certificate
- .ComputeSHA256Thumbprint();
+ .Certificate;
+ var signingFingerprint = signingCertificate.ComputeSHA256Thumbprint();
var packageRegistration = _corePackageService.FindPackageRegistrationById(context.Message.PackageId);
@@ -348,7 +348,7 @@ private async Task PerformFinalValidationAsync(Context
return await RejectAsync(
context,
- ValidationIssue.PackageIsSigned);
+ new UnauthorizedCertificateFailure(signingCertificate.Thumbprint.ToLowerInvariant()));
}
// Call the "verify" API, which does the main logic of signature validation.
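Review bot: The failure built on the `+ new UnauthorizedCertificateFailure(signingCertificate.Thumbprint.ToLowerInvariant())` line reports the certificate's SHA-1 thumbprint (that is what `X509Certificate2.Thumbprint` returns), while the authorization check introduced in the preceding hunk keys on `signingFingerprint`, the SHA-256 value from `ComputeSHA256Thumbprint()` on the same certificate; nothing in the code says why two different digests are in play, so a reader may assume the reported value is the one that was looked up. I would add above `return await RejectAsync(`: `// Report the SHA-1 thumbprint (X509Certificate2.Thumbprint, lowercased) to the user; the authorization lookup above is keyed on the SHA-256 fingerprint.` Whether SHA-1 is chosen because that is what the client's certificate tooling displays is my inference and should be confirmed with whoever consumes the issue. PerformFinalValidationAsync begins before this hunk and continues past it.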
diff --git a/tests/Validation.PackageSigning.ProcessSignature.Tests/SignatureValidatorFacts.cs b/tests/Validation.PackageSigning.ProcessSignature.Tests/SignatureValidatorFacts.cs
index a98b02a64..78912f5b3 100644
--- a/tests/Validation.PackageSigning.ProcessSignature.Tests/SignatureValidatorFacts.cs
+++ b/tests/Validation.PackageSigning.ProcessSignature.Tests/SignatureValidatorFacts.cs
@@ -380,8 +380,10 @@ public async Task RejectsSignedPackagesWithUnknownCertificates()
// Assert
Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
- var issue = Assert.Single(result.Issues);
- Assert.Equal(ValidationIssueCode.PackageIsSigned, issue.IssueCode);
+ Assert.Single(result.Issues);
+ var issue = Assert.IsType(result.Issues[0]);
+ Assert.Equal(ValidationIssueCode.PackageIsSignedWithUnauthorizedCertificate, issue.IssueCode);
+ Assert.Equal(TestResources.Leaf2Sha1Thumbprint, issue.Sha1Thumbprint);
}
[Fact]
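Review bot: The new `Assert.Single(result.Issues);` discards the element xUnit returns and the next line re-indexes `result.Issues[0]`, whereas the removed code used the return value directly; folding the two keeps that and avoids the separate indexer read: `var issue = Assert.IsType<UnauthorizedCertificateFailure>(Assert.Single(result.Issues));`. The same shape recurs in the StripsAndRejectsPackagesWithRepositorySignature hunk below and could be changed the same way. Both test bodies start before their hunks.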
@@ -514,9 +516,10 @@ public async Task StripsAndRejectsPackagesWithRepositorySignatureWhenPackageIsAu
_cancellationToken);
Validate(result, ValidationStatus.Failed, PackageSigningStatus.Invalid);
- Assert.Equal(1, result.Issues.Count);
- var issue = Assert.IsType(result.Issues[0]);
- Assert.Equal(ValidationIssueCode.PackageIsSigned, issue.IssueCode);
+ Assert.Single(result.Issues);
+ var issue = Assert.IsType(result.Issues[0]);
+ Assert.Equal(ValidationIssueCode.PackageIsSignedWithUnauthorizedCertificate, issue.IssueCode);
+ Assert.Equal(TestResources.Leaf2Sha1Thumbprint, issue.Sha1Thumbprint);
}
[Fact]
diff --git a/tests/Validation.PackageSigning.ProcessSignature.Tests/Support/TestResources.cs b/tests/Validation.PackageSigning.ProcessSignature.Tests/Support/TestResources.cs
index 46f1f6cd8..d45398dca 100644
--- a/tests/Validation.PackageSigning.ProcessSignature.Tests/Support/TestResources.cs
+++ b/tests/Validation.PackageSigning.ProcessSignature.Tests/Support/TestResources.cs
@@ -41,6 +41,11 @@ public static class TestResources
///
public const string Leaf2Thumbprint = "a8cc70dbbd8bc61410231805b690cca7c5a8d07553c1c49b299a6aabaeb7ff9a";
+ ///
+ /// This is the SHA-1 thumbprint of the signing certificate in .
+ ///
+ public const string Leaf2Sha1Thumbprint = "8e1b5dadf388dee204bcfd27b53f00b585fdca07";
+
///
/// This is the SHA-256 thumbprint of the timestamp certificate in .
///