After looking into Aspire polyglot doesn't work with DOTNET_NUGET_SIGNATURE_VERIFICATION=true on Linux (dotnet/aspire#15222), I found out that we aren't validating NuGet signatures during aspire restore. In dotnet restore, this is enabled by the .NET SDK - see https://github.com/dotnet/sdk/blob/a6af77909c46799080943ee15c028462867c60f5/src/Cli/dotnet/NuGetSignatureVerificationEnabler.cs#L13-L41.
Since we aren't setting this env var, NuGet isn't doing signature validation.
We should be doing this validation. But before we can enable it, we will need to address #15222.
After looking into Aspire polyglot doesn't work with DOTNET_NUGET_SIGNATURE_VERIFICATION=true on Linux (dotnet/aspire#15222), I found out that we aren't validating NuGet signatures during
aspire restore. Indotnet restore, this is enabled by the .NET SDK - see https://github.com/dotnet/sdk/blob/a6af77909c46799080943ee15c028462867c60f5/src/Cli/dotnet/NuGetSignatureVerificationEnabler.cs#L13-L41.Since we aren't setting this env var, NuGet isn't doing signature validation.
We should be doing this validation. But before we can enable it, we will need to address #15222.