Skip to content

Commit 69a90b4

Browse files
authored
Merge main to nightly for April 2026 .NET releases (#7149)
2 parents 80af290 + 4206fbe commit 69a90b4

429 files changed

Lines changed: 1928 additions & 1760 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

README.aspnet.md

Lines changed: 158 additions & 158 deletions
Large diffs are not rendered by default.

README.runtime-deps.md

Lines changed: 84 additions & 84 deletions
Large diffs are not rendered by default.

README.runtime.md

Lines changed: 100 additions & 100 deletions
Large diffs are not rendered by default.

README.sdk.md

Lines changed: 59 additions & 59 deletions
Large diffs are not rendered by default.

documentation/image-signatures.md

Lines changed: 160 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,160 @@
1+
# .NET Container Image Signatures
2+
3+
.NET container images are signed using [Notary Project](https://notaryproject.dev/) signatures.
4+
5+
## Inspect signature artifacts
6+
7+
Signatures are stored as [OCI referrer artifacts](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers)
8+
attached to the signed image in the registry. This structure is visible when
9+
using the [ORAS CLI] to list referrer artifacts associated with an image:
10+
11+
```console
12+
> oras discover mcr.microsoft.com/dotnet/sdk:10.0
13+
mcr.microsoft.com/dotnet/sdk@sha256:<digest>
14+
└── application/vnd.cncf.notary.signature
15+
└── sha256:<signature-digest>
16+
└── [annotations]
17+
├── org.opencontainers.image.created: "2026-04-10T20:33:39.8412151Z"
18+
└── io.cncf.notary.x509chain.thumbprint#S256: '["84813e9c...","9b1894f2...","23ffe2b8..."]'
19+
```
20+
21+
In this example, `mcr.microsoft.com/dotnet/sdk:10.0` has a single referrer
22+
artifact with the `application/vnd.cncf.notary.signature` media type. The
23+
[Notation CLI] reveals more detailed information about the attached signature
24+
artifact:
25+
26+
```console
27+
> notation inspect mcr.microsoft.com/dotnet/sdk@sha256:<digest>
28+
mcr.microsoft.com/dotnet/sdk@sha256:<digest>
29+
└── application/vnd.cncf.notary.signature
30+
└── sha256:<signature-digest>
31+
├── media type: application/cose
32+
├── signature algorithm: RSASSA-PSS-SHA-384
33+
├── signed attributes
34+
│ ├── signingScheme: notary.x509
35+
│ └── signingTime: Fri Apr 10 13:31:25 2026
36+
├── unsigned attributes
37+
│ └── timestamp signature
38+
│ └── timestamp: [Fri Apr 10 20:31:25 2026, Fri Apr 10 20:31:26 2026]
39+
├── certificates
40+
│ ├── SHA256 fingerprint: 84813e9c82fe8abd08e0e6fa21b71b25b256d2c9fec38e8216e8bf48543008c9
41+
│ │ ├── issued to: CN=Microsoft SCD Products RSA Signing,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
42+
│ │ ├── issued by: CN=Microsoft SCD Products RSA CA,O=Microsoft Corporation,C=US
43+
│ │ └── expiry: Tue Nov 10 19:27:20 2026
44+
│ ├── SHA256 fingerprint: 9b1894f223d934cbd6575af3c6e1f6096b9221a7da132185f5a5cdc92235b5dc
45+
│ │ ├── issued to: CN=Microsoft SCD Products RSA CA,O=Microsoft Corporation,C=US
46+
│ │ ├── issued by: CN=Microsoft Supply Chain RSA Root CA 2022,O=Microsoft Corporation,C=US
47+
│ │ └── expiry: Mon Feb 17 00:55:23 2042
48+
│ └── SHA256 fingerprint: 23ffe2b8bdb9a1711515d4cffda04bc7f793d513c76c243f1020507d8669b7db
49+
│ ├── issued to: CN=Microsoft Supply Chain RSA Root CA 2022,O=Microsoft Corporation,C=US
50+
│ ├── issued by: CN=Microsoft Supply Chain RSA Root CA 2022,O=Microsoft Corporation,C=US
51+
│ └── expiry: Sun Feb 17 00:21:09 2047
52+
└── signed artifact
53+
├── media type: application/vnd.docker.distribution.manifest.list.v2+json
54+
├── digest: sha256:<digest>
55+
└── size: 1079
56+
```
57+
58+
## Verify signatures using Notation CLI
59+
60+
### Prerequisites
61+
62+
- [Notation CLI]. This guide was written using version `1.3.2`.
63+
- (Optional) [ORAS CLI] or [Docker CLI], for resolving image digests.
64+
65+
### Download the root CA certificates
66+
67+
.NET container image signatures use the following certificates:
68+
69+
- Signature Root Certificate: [Microsoft Supply Chain RSA Root CA 2022](https://www.microsoft.com/pkiops/certs/Microsoft%20Supply%20Chain%20RSA%20Root%20CA%202022.crt)
70+
- Timestamping Authority (TSA) Root Certificate: [Microsoft Root Certificate Authority 2010](http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt)
71+
72+
### Set up Trust Store and Trust Policy
73+
74+
See the Notary Project's [Trust Store and Trust Policy Specification](https://github.com/notaryproject/specifications/blob/d4b62b949228911bd5e62da4f5f8dd38682d293a/specs/trust-store-trust-policy.md).
75+
76+
First, add both signatures listed above to a new `notation` trust store:
77+
78+
```console
79+
notation certificate add --type ca --store msft-supplychain "Microsoft Supply Chain RSA Root CA 2022.crt"
80+
notation certificate add --type tsa --store msft-supplychain "MicRooCerAut_2010-06-23.crt"
81+
```
82+
83+
Next, set up a trust policy according to the [Trust Policy](https://github.com/notaryproject/specifications/blob/d4b62b949228911bd5e62da4f5f8dd38682d293a/specs/trust-store-trust-policy.md#trust-policy)
84+
section of the Notation spec. Here is an **example** trust policy configuration
85+
for verifying .NET images:
86+
87+
```json
88+
{
89+
"version": "1.0",
90+
"trustPolicies": [
91+
{
92+
"name": "supplychain",
93+
"registryScopes": [
94+
"mcr.microsoft.com/dotnet/aspire-dashboard",
95+
"mcr.microsoft.com/dotnet/aspnet",
96+
"mcr.microsoft.com/dotnet/monitor",
97+
"mcr.microsoft.com/dotnet/monitor/base",
98+
"mcr.microsoft.com/dotnet/runtime",
99+
"mcr.microsoft.com/dotnet/runtime-deps",
100+
"mcr.microsoft.com/dotnet/sdk"
101+
],
102+
"signatureVerification": { "level": "strict" },
103+
"trustStores": ["ca:msft-supplychain", "tsa:msft-supplychain"],
104+
"trustedIdentities": [
105+
"x509.subject: CN=Microsoft SCD Products RSA Signing,O=Microsoft Corporation,L=Redmond,S=Washington,C=US"
106+
]
107+
}
108+
]
109+
}
110+
```
111+
112+
> [!CAUTION]
113+
> A misconfigured trust policy can cause signature verification to silently
114+
> pass without logging errors for invalid or missing signatures. Read the trust
115+
> policy specification carefully.
116+
117+
Import the trust policy configuration using `notation`:
118+
119+
```console
120+
notation policy import trustpolicy.json
121+
```
122+
123+
### Resolve multi-platform image digests
124+
125+
For multi-platform tags, it is important to verify signatures of both the
126+
multi-platform and the platform-specific manifests. See [supported tags](supported-tags.md)
127+
for more details on supported single-platform and multi-platform tags.
128+
129+
Use `oras manifest fetch $image` or `docker buildx imagetools inspect $image`
130+
to determine whether an image is multi-platform or single-platform.
131+
Multi-platform images have one of the following values for `mediaType`:
132+
133+
- `application/vnd.docker.distribution.manifest.list.v2+json`
134+
- `application/vnd.oci.image.index.v1+json`
135+
136+
For multi-platform images, all of the platform-specific image digests will be
137+
listed under the `manifests` property. Each multi-platform image and each of
138+
its constituent single-platform images has its own unique signature artifact.
139+
140+
### Verify image signature
141+
142+
> [!IMPORTANT]
143+
> Always use full image digests when verifying signatures, since image tags are
144+
> mutable.
145+
146+
To verify the signature of an image digest, run:
147+
148+
```console
149+
> notation verify mcr.microsoft.com/dotnet/sdk@sha256:<digest>
150+
Successfully verified signature for mcr.microsoft.com/dotnet/sdk@sha256:<digest>
151+
```
152+
153+
## Useful links
154+
155+
- [Notary Project Overview](https://notaryproject.dev/docs/notary-project-overview/)
156+
- [Notary Project Specifications](https://github.com/notaryproject/specifications)
157+
158+
[Docker CLI]: https://docs.docker.com/reference/cli/docker/
159+
[Notation CLI]: https://github.com/notaryproject/notation
160+
[ORAS CLI]: https://oras.land/docs/installation

eng/pipelines/dotnet-core.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@ extends:
3939
stages:
4040
- template: /eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml@self
4141
parameters:
42+
enableSigning: true
4243
sourceBuildPipelineRunId: ${{ parameters.sourceBuildPipelineRunId }}
4344
stagesTemplate: /eng/pipelines/stages/build-test-publish-repo.yml@self
4445
stagesTemplateParameters:

eng/pipelines/release-staging-official.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,7 @@ extends:
5050
stages:
5151
- template: /eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml@self
5252
parameters:
53+
enableSigning: true
5354
sourceBuildPipelineRunId: ${{ parameters.sourceBuildPipelineRunId }}
5455
stagesTemplate: /eng/pipelines/stages/build-and-test.yml@self
5556
stagesTemplateParameters:

manifest.versions.json

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -28,16 +28,16 @@
2828
"aspire-dashboard|base-url|main": "$(base-url|public|preview|nightly)",
2929
"aspire-dashboard|base-url|nightly": "$(base-url|public|preview|nightly)",
3030

31-
"aspnet|8.0|build-version": "8.0.25",
31+
"aspnet|8.0|build-version": "8.0.26",
3232
"aspnet-composite|8.0|build-version": "$(aspnet|8.0|build-version)",
3333

34-
"aspnet|9.0|build-version": "9.0.14",
34+
"aspnet|9.0|build-version": "9.0.15",
3535
"aspnet-composite|9.0|build-version": "$(aspnet|9.0|build-version)",
3636

37-
"aspnet|10.0|build-version": "10.0.5",
37+
"aspnet|10.0|build-version": "10.0.6",
3838
"aspnet-composite|10.0|build-version": "$(aspnet|10.0|build-version)",
3939

40-
"aspnet|11.0|build-version": "11.0.0-preview.3.26203.107",
40+
"aspnet|11.0|build-version": "11.0.0-preview.3.26207.106",
4141
"aspnet-composite|11.0|build-version": "$(aspnet|11.0|build-version)",
4242

4343
"chisel|latest|build-version": "v1.4.0",
@@ -74,7 +74,7 @@
7474
"chisel|8.0|arm|sha384": "$(chisel|latest|arm|sha384)",
7575
"chisel|8.0|arm64|sha384": "$(chisel|latest|arm64|sha384)",
7676

77-
"dotnet|8.0|product-version": "8.0.25",
77+
"dotnet|8.0|product-version": "8.0.26",
7878
"dotnet|8.0|fixed-tag": "$(dotnet|8.0|product-version)",
7979
"dotnet|8.0|minor-tag": "8.0",
8080
"dotnet|8.0|base-url|main": "$(base-url|public|maintenance|main)",
@@ -83,7 +83,7 @@
8383
"dotnet|8.0|base-url|checksums|nightly": "$(dotnet|8.0|base-url|nightly)",
8484
"dotnet|8.0|aggregate-checksums": "/checksums/$(dotnet|8.0|product-version)-sha.txt",
8585

86-
"dotnet|9.0|product-version": "9.0.14",
86+
"dotnet|9.0|product-version": "9.0.15",
8787
"dotnet|9.0|fixed-tag": "$(dotnet|9.0|product-version)",
8888
"dotnet|9.0|minor-tag": "9.0",
8989
"dotnet|9.0|base-url|main": "$(base-url|public|maintenance|main)",
@@ -92,7 +92,7 @@
9292
"dotnet|9.0|base-url|checksums|nightly": "$(dotnet|9.0|base-url|nightly)",
9393
"dotnet|9.0|aggregate-checksums": "/checksums/$(dotnet|9.0|product-version)-sha.txt",
9494

95-
"dotnet|10.0|product-version": "10.0.5",
95+
"dotnet|10.0|product-version": "10.0.6",
9696
"dotnet|10.0|fixed-tag": "$(dotnet|10.0|product-version)",
9797
"dotnet|10.0|minor-tag": "10.0",
9898
"dotnet|10.0|base-url|main": "$(base-url|public|maintenance|main)",
@@ -225,39 +225,39 @@
225225
"rocks-toolbox|10.0|version": "$(rocks-toolbox|latest|version)",
226226
"rocks-toolbox|11.0|version": "$(rocks-toolbox|latest|version)",
227227

228-
"runtime|8.0|build-version": "8.0.25",
229-
"runtime|9.0|build-version": "9.0.14",
230-
"runtime|10.0|build-version": "10.0.5",
231-
"runtime|11.0|build-version": "11.0.0-preview.3.26203.107",
228+
"runtime|8.0|build-version": "8.0.26",
229+
"runtime|9.0|build-version": "9.0.15",
230+
"runtime|10.0|build-version": "10.0.6",
231+
"runtime|11.0|build-version": "11.0.0-preview.3.26207.106",
232232

233-
"sdk|8.0|build-version": "8.0.419",
234-
"sdk|8.0|product-version": "8.0.419",
233+
"sdk|8.0|build-version": "8.0.420",
234+
"sdk|8.0|product-version": "8.0.420",
235235
"sdk|8.0|base-url|main": "$(dotnet|8.0|base-url|main)",
236236
"sdk|8.0|base-url|nightly": "$(dotnet|8.0|base-url|nightly)",
237237
"sdk|8.0|base-url|checksums|main": "$(sdk|8.0|base-url|main)",
238238
"sdk|8.0|base-url|checksums|nightly": "$(sdk|8.0|base-url|nightly)",
239239
"sdk|8.0|fixed-tag": "$(sdk|8.0|product-version)",
240240
"sdk|8.0|minor-tag": "$(dotnet|8.0|minor-tag)",
241241

242-
"sdk|9.0|build-version": "9.0.312",
243-
"sdk|9.0|product-version": "9.0.312",
242+
"sdk|9.0|build-version": "9.0.313",
243+
"sdk|9.0|product-version": "9.0.313",
244244
"sdk|9.0|base-url|main": "$(dotnet|9.0|base-url|main)",
245245
"sdk|9.0|base-url|nightly": "$(dotnet|9.0|base-url|nightly)",
246246
"sdk|9.0|base-url|checksums|main": "$(sdk|9.0|base-url|main)",
247247
"sdk|9.0|base-url|checksums|nightly": "$(sdk|9.0|base-url|nightly)",
248248
"sdk|9.0|fixed-tag": "$(sdk|9.0|product-version)",
249249
"sdk|9.0|minor-tag": "$(dotnet|9.0|minor-tag)",
250250

251-
"sdk|10.0|build-version": "10.0.201",
252-
"sdk|10.0|product-version": "10.0.201",
251+
"sdk|10.0|build-version": "10.0.202",
252+
"sdk|10.0|product-version": "10.0.202",
253253
"sdk|10.0|base-url|main": "$(dotnet|10.0|base-url|main)",
254254
"sdk|10.0|base-url|nightly": "$(dotnet|10.0|base-url|nightly)",
255255
"sdk|10.0|base-url|checksums|main": "$(dotnet|10.0|base-url|checksums|main)",
256256
"sdk|10.0|base-url|checksums|nightly": "$(dotnet|10.0|base-url|checksums|nightly)",
257257
"sdk|10.0|fixed-tag": "$(sdk|10.0|product-version)",
258258
"sdk|10.0|minor-tag": "$(dotnet|10.0|minor-tag)",
259259

260-
"sdk|11.0|build-version": "11.0.100-preview.3.26203.107",
260+
"sdk|11.0|build-version": "11.0.100-preview.3.26207.106",
261261
"sdk|11.0|product-version": "11.0.100-preview.3",
262262
"sdk|11.0|base-url|main": "$(dotnet|11.0|base-url|main)",
263263
"sdk|11.0|base-url|nightly": "$(dotnet|11.0|base-url|nightly)",

src/aspire-dashboard/amd64/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ RUN dotnet_aspire_version=13.3.0-preview.1.26174.7 \
1919

2020

2121
# Aspire Dashboard image
22-
FROM $REPO:8.0.25-azurelinux3.0-distroless-extra-amd64
22+
FROM $REPO:8.0.26-azurelinux3.0-distroless-extra-amd64
2323

2424
WORKDIR /app
2525
COPY --from=installer /app .

src/aspire-dashboard/arm64v8/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ RUN dotnet_aspire_version=13.3.0-preview.1.26174.7 \
1919

2020

2121
# Aspire Dashboard image
22-
FROM $REPO:8.0.25-azurelinux3.0-distroless-extra-arm64v8
22+
FROM $REPO:8.0.26-azurelinux3.0-distroless-extra-arm64v8
2323

2424
WORKDIR /app
2525
COPY --from=installer /app .

0 commit comments

Comments
 (0)