dotnet NUGet add source command not adding the username and password to the nuget.config package source

Question

I am trying to generate a new Nuget.config file with the private nuget repo configuration however the credentials are not getting added to the newly generated file

dotnet nuget remove source nuget
dotnet nuget add source --username "[email protected]" --password "A35F261kIewr73fnmVE2WBb" --name nuget-remote "https://jfrog.io/artifactory/api/nuget/v3/nuget-virtual" --store-password-in-clear-text

I get Package source with Name: nuget-remote added successfully.

But the generated nuget.config doesnt have the credentials added to it

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!--To inherit the global NuGet package sources remove the <clear/> line below -->
    <clear />
    <add key="nuget-remote" value="https://jfrog.io/artifactory/api/nuget/v3/nuget-virtual" />
  </packageSources>
</configuration>

Any help?

Answer 1

This is probably a good thing. You don't want credentials to be stored in a repo nuget.config and possibly get commit and therefore get disclosed when it's pushed.

As explained by NuGet's docs on how configuration files work, NuGet reads multiple files and merges then in-memory, to get the "final" configuration. Your question did report any problem with authentication, only that you don't see the credentials where you expected them.

I've complained about this before, but there's such a culture of not making potentially breaking changes that nobody has been interested in changing the behaviour. When any command that modifies nuget.config is run (for example, dotnet nuget add source), it determines which nuget.config "section" (XML element under the root <configuration> element) needs to be modified, then it iterates all the discovered nuget.config files in the current and parent directories to see if any of those nuget.config files already contain that section. If so, that file is modified. Otherwise, the user-profile nuget.config is modified.

What this means is that if you create a nuget.config whose contents are only <configuration />, when you run dotnet nuget add source in the same directory, the nuget.config won't even get the <packageSource element added! Only if the nuget.config file already has <packageSource> then the new source provided on the command line will get added.

Anyway, if you check the nuget.config docs, package source credentials are saved in a section named <packageSourceCredentials>. Therefore, if you look at your user-profile nuget.config, I expect you'll find the credentials. Alternatively, if you manually enter an empty <packageSourceCredentials/> in the current directory nuget.config, I expect that the add source command will then save the creds in the file.

add source also has a --configfile argument, where you can tell it which config file to use, and that will force all config file sections (package source, and credentials) to be saved in that file.

However, as explained at the top, it's a security risk to add secrets (like credentials, especially plain text) to a file under source control, since that dramatically increases the risk that it might be accidentally disclosed.