@@ -39,6 +39,10 @@ internal class NuGetPackageDownloader : INuGetPackageDownloader
3939 private readonly ConcurrentDictionary < PackageSource , SourceRepository > _sourceRepositories ;
4040 private readonly bool _shouldUsePackageSourceMapping ;
4141
42+ /// <summary>
43+ /// If true, the package downloader will verify the signatures of the packages it downloads.
44+ /// Temporarily disabled for macOS and Linux.
45+ /// </summary>
4246 private readonly bool _verifySignatures ;
4347 private readonly VerbosityOptions _verbosityOptions ;
4448 private readonly string _currentWorkingDirectory ;
@@ -66,7 +70,9 @@ public NuGetPackageDownloader(
6670 _restoreActionConfig = restoreActionConfig ?? new RestoreActionConfig ( ) ;
6771 _retryTimer = timer ;
6872 _sourceRepositories = new ( ) ;
69- _verifySignatures = verifySignatures ;
73+ // If windows or env variable is set, verify signatures
74+ _verifySignatures = verifySignatures && ( OperatingSystem . IsWindows ( ) ? true
75+ : bool . TryParse ( Environment . GetEnvironmentVariable ( NuGetSignatureVerificationEnabler . DotNetNuGetSignatureVerification ) , out var shouldVerifySignature ) ? shouldVerifySignature : OperatingSystem . IsLinux ( ) ) ;
7076
7177 _cacheSettings = new SourceCacheContext
7278 {
@@ -127,8 +133,17 @@ public async Task<string> DownloadPackageAsync(PackageId packageId,
127133 packageVersion . ToNormalizedString ( ) ) ) ;
128134 }
129135
130- await VerifySigning ( nupkgPath , repository ) ;
131-
136+ // Delete file if verification fails
137+ try
138+ {
139+ await VerifySigning ( nupkgPath , repository ) ;
140+ }
141+ catch ( NuGetPackageInstallerException )
142+ {
143+ File . Delete ( nupkgPath ) ;
144+ throw ;
145+ }
146+
132147 return nupkgPath ;
133148 }
134149
0 commit comments