Merged PR 48312: NuGetPackageDownloader: Only verify signing on windows by default (#47321)

NuGetPackageDownloader: Only verify signing on windows by default (#47321)

Co-authored-by: Noah Gilson <[email protected]>
Co-authored-by: Forgind <[email protected]>

----
#### AI description  (iteration 1)
#### PR Classification
Bug fix to ensure package signing verification is only performed on Windows by default.

#### PR Summary
This pull request modifies the `NuGetPackageDownloader` to verify package signing only on Windows by default, with an option to enable it on other operating systems via an environment variable.
- `src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs`: Added logic to conditionally verify package signatures based on the operating system and environment variable. Introduced error handling to delete the package file if verification fails.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

Author: marcpopMSFT

src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs

@@ -38,6 +38,10 @@ internal class NuGetPackageDownloader : INuGetPackageDownloader
         private readonly Dictionary<PackageSource, SourceRepository> _sourceRepositories;
         private readonly bool _shouldUsePackageSourceMapping;
 
+        /// <summary>
+        /// If true, the package downloader will verify the signatures of the packages it downloads.
+        /// Temporarily disabled for macOS and Linux. 
+        /// </summary>
         private readonly bool _verifySignatures;
         private readonly VerbosityOptions _verbosityOptions;
         private readonly string _currentWorkingDirectory;
@@ -65,7 +69,9 @@ public NuGetPackageDownloader(
             _restoreActionConfig = restoreActionConfig ?? new RestoreActionConfig();
             _retryTimer = timer;
             _sourceRepositories = new();
-            _verifySignatures = verifySignatures;
+            // If windows or env variable is set, verify signatures
+            _verifySignatures = verifySignatures && (OperatingSystem.IsWindows() ? true 
+                : bool.TryParse(Environment.GetEnvironmentVariable(NuGetSignatureVerificationEnabler.DotNetNuGetSignatureVerification), out var shouldVerifySignature) ? shouldVerifySignature : OperatingSystem.IsLinux());
 
             _cacheSettings = new SourceCacheContext
             {
@@ -130,8 +136,17 @@ public async Task<string> DownloadPackageAsync(PackageId packageId,
                         packageVersion.ToNormalizedString()));
             }
 
-            await VerifySigning(nupkgPath, repository);
-            
+            // Delete file if verification fails
+            try
+            {
+                await VerifySigning(nupkgPath, repository);
+            }
+            catch (NuGetPackageInstallerException)
+            {
+                File.Delete(nupkgPath);
+                throw;
+            }
+
             return nupkgPath;
         }