This document describes how the integrity of software produced by Duende Software is maintained during the software development life cycle.
Our products are off-the shelf downloadable developer components. They are not managed services or SaaS - nor do we store, have access to, or process any of our customers’ data or their customers’ data.
IdentityServer has two dependencies:
Duende IdentityServer is a certified implementation of OpenID Connect.
NuGet packages published by Duende are cryptographically signed to ensure their authenticity and integrity. Our certificate is signed by Sectigo, which is a widely trusted certificate authority and installed by default in most environments. This means that in many circumstances, the NuGet tools can validate our packages’ signatures automatically.
However, some environments (notably the dotnet sdk docker image which is sometimes used in build pipelines) do not trust the Sectigo certificate. In that case, it might be necessary to add the Sectigo root certificate to NuGet’s code signing certificate bundle. Sectigo’s root certificate is available from Sectigo here.
Here is an example of how to configure NuGet to trust the Sectigo root CA on the dotnet sdk docker image.
First, get the Sectigo certificate and convert it to PEM format:
wget http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
openssl pkcs7 -inform DER -outform PEM -in SectigoPublicCodeSigningRootR46.p7c -print_certs -out sectigo.pem
Next, you should validate that the thumprint of the certificate is correct. Bootstrapping trust in a certificate chain can be challenging. Fortunately, most desktop environments already trust this certificate, so you can compare the downloaded certificate’s thumprint to the thumbprint of the certificate on a machine that already trusts it. You should verify this independently, but for your convenience, the thumprint is CC:BB:F9:E1:48:5A:F6:3C:E4:7A:BF:8E:9E:64:8C:25:04:FC:31:9D. You can check the thumbprint of the downloaded certificate with openssl:
openssl x509 -in sectigo.pem -fingerprint -sha1 -noout
Then append that PEM to the certificate bundle at /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem:
cat sectigo.pem >> /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem
After that, NuGet packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org:
dotnet nuget verify Duende.IdentityServer.7.0.x.nupkg