Require Licence Acceptance when installing tools #48501

Closed
wants to merge 3 commits into from
16 changes: 15 additions & 1 deletion src/Cli/dotnet/ToolPackage/ToolPackageDownloader.cs
Expand Up @@ -2,6 +2,7 @@
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System.Reflection;
using Microsoft.DotNet.Cli.CommandFactory.CommandResolution;
using Microsoft.DotNet.Cli.Extensions;
using Microsoft.DotNet.Cli.NuGetPackageDownloader;
using Microsoft.DotNet.Cli.Utils;
Expand Down Expand Up @@ -292,7 +293,20 @@ private static async Task<NuGetVersion> DownloadAndExtractPackage(
using (FileStream packageStream = File.OpenRead(packagePath))
{
PackageArchiveReader reader = new(packageStream);
version = new NuspecReader(reader.GetNuspec()).GetVersion();
NuspecReader nuspecReader = new NuspecReader(reader.GetNuspec());
version = nuspecReader.GetVersion();
bool requireLicenseAcceptance = nuspecReader.GetRequireLicenseAcceptance();
// If the package requires license acceptance, we need to ask the user to accept it
// TODO: Find a better way to handle this
if (requireLicenseAcceptance)
{
Console.WriteLine($"The package {packageId} requires license acceptance. Please accept the license to continue. [y]");
if (!Console.ReadKey().Key.Equals(ConsoleKey.Y))
Comment on lines +303 to +304
Contributor

@KalleOlaviNiemitalo KalleOlaviNiemitalo Apr 16, 2025

If not --interactive, then it should not prompt; instead it should just fail unless there is evidence that the license has already been accepted.

Could have an --accept-license option for noninteractive scenarios. This option could take the license expression or a hash of the license text (shown in interactive mode) as an argument, and verify that the license of the package being installed matches what has been preapproved.

$ dotnet tool install --local package@version
The package package@version has the following license:
[license text goes here]
Do you accept this license [y/n]? y
In future installs, you can use --accept-license=sha256:a9cc4894e5f879b14d79c80e5355dfda5c5f292a2ef684bc596902c6f653d232 to indicate acceptance of this license.

or when there is a license expression:

$ dotnet tool install --local package@version
The package package@version has the "AGPL-3.0-or-later" license:
https://licenses.nuget.org/AGPL-3.0-or-later
Do you accept this license [y/n]? y
In future installs, you can use --accept-license=AGPL-3.0-or-later to indicate acceptance of this license.

although, if the license expression has spaces or parentheses in it, then it would have to be quoted in the --accept-license option.

Contributor

I do not think dotnet tool install --local should automatically record anywhere in ~/.dotnet that a specific license has been accepted. The acceptance may be based on criteria that do not apply to all projects. For example, if the license allows noncommercial use only, then a user could use the package in a noncommercial project, but would want to be prompted again before using it in a commercial project.

It would be okay to let the user add a list of approved licenses to NuGet.Config as that can be scoped by project.

Contributor

Noninteractive mode:

$ dotnet tool install --local package@version
The package package@version requires acceptance of the following license:
[license text goes here]
If you accept this license, add the --accept-license=sha256:a9cc4894e5f879b14d79c80e5355dfda5c5f292a2ef684bc596902c6f653d232 option.

{
throw new ToolPackageException($"User did not accept the license for package {packageId}.");
}
}


var packageHash = Convert.ToBase64String(new CryptoHashProvider("SHA512").CalculateHash(reader.GetNuspec()));
var hashPath = new VersionFolderPathResolver(packagesRootPath).GetHashPath(packageId.ToString(), version);
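
Review bot: The prompt at `if (!Console.ReadKey().Key.Equals(ConsoleKey.Y))` runs whenever `requireLicenseAcceptance` is true, with no check for whether the install is interactive. `Console.ReadKey()` throws `InvalidOperationException` when standard input is redirected, so a scripted or CI install would surface that exception instead of the `ToolPackageException` in the block that follows. Suggest gating the prompt on the command's interactive setting and throwing `ToolPackageException` directly when prompting is not possible. Two smaller points on the same block: the message asks the user to accept a license without showing the license text or a link to it, and the check runs after `File.OpenRead(packagePath)`, so the package is already on disk when the user declines; consider cleaning it up on the failure path. The `// TODO: Find a better way to handle this` comment should be resolved or tied to a tracking issue before merge.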
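
The `--accept-license` behaviour proposed in the review comments above, written out as an added example; it is not code from this PR or from the dotnet SDK. All type and method names (`LicenseGate`, `LicenseDecision`, `Decide`, `TokenFor`) are hypothetical, and it assumes that the hash is taken over the raw license file bytes and that a preapproval that does not match fails even in interactive mode.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical names throughout; nothing here is dotnet CLI or NuGet API.
public enum LicenseDecision { Proceed, Prompt, Fail }

public static class LicenseGate
{
    // Token form shown in the review comments: "sha256:" + lowercase hex digest.
    // Assumption: the digest covers the raw bytes of the package's license file.
    public static string TokenFor(byte[] licenseFile) =>
        "sha256:" + Convert.ToHexString(SHA256.HashData(licenseFile)).ToLowerInvariant();

    // expression: the package's license expression, or null when it ships a license file.
    // accepted:   the value passed to --accept-license, or null when the option is absent.
    public static LicenseDecision Decide(bool requireAcceptance, bool interactive,
        string? expression, byte[]? licenseFile, string? accepted)
    {
        if (!requireAcceptance) return LicenseDecision.Proceed;
        if (accepted is null)
            return interactive ? LicenseDecision.Prompt : LicenseDecision.Fail;

        // Match on the package's own metadata: an expression package matches only
        // by expression, a license-file package only by the hash of that file.
        string? declared = expression ?? (licenseFile is null ? null : TokenFor(licenseFile));
        bool match = declared is not null &&
            string.Equals(declared, accepted.Trim(), StringComparison.Ordinal);

        // Assumption: a stale preapproval fails outright instead of falling back
        // to a prompt, so a changed license is never accepted out of habit.
        return match ? LicenseDecision.Proceed : LicenseDecision.Fail;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input, not a real package license.
        byte[] text = Encoding.UTF8.GetBytes("Constructed sample license text\n");
        string token = LicenseGate.TokenFor(text);

        // Noninteractive without the option, then with a matching hash token.
        Console.WriteLine(LicenseGate.Decide(true, false, null, text, null));
        Console.WriteLine(LicenseGate.Decide(true, false, null, text, token));
        // Expression package with a preapproval for a different license.
        Console.WriteLine(LicenseGate.Decide(true, false, "AGPL-3.0-or-later", null, "MIT"));
    }
}
```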