Menu
When I try to run dotnet restore as a RUN instruction of a Dockerfile while building it, I get the following errors:
/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3028: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/src/Anonymized.sln]
/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3037: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired. [/src/Anonymized.sln]
It happens for all of my NuGet packages.
If I run it outside the container, it works just fine.
I am using the image mcr.microsoft.com/dotnet/sdk:5.0. Could it be that the Docker image I am running it in has expired certificates somehow?
It worked until a couple of hours back.
Edit: Not sure if it's important information, but this is all running from GitHub Actions, in Linux.
702
Quick solution for Visual Studio usersSelect the Tools > NuGet Package Manager > Package Manager Settings menu command. Set both options under Package Restore. Select OK. Build your project again.
Restore by using MSBuild You can use msbuild -t:restore to restore packages in NuGet 4. x+ and MSBuild 15.1+, which are included with Visual Studio 2017 and higher. This command restores packages in projects that use PackageReference for package references.
nuget restore will ensure all of your NuGet dependencies are downloaded and available to your project. Whereas dotnet restore is a complete restoration of all NuGet dependencies as well as references and project specific tools. Meaning that if you run nuget restore , you are only restoring NuGet packages.
Edit:
Solution 1:
As mentioned on github, if your Dockerfile looks similar to this:
FROM mcr.microsoft.com/dotnet/sdk:5.0 change it to
FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine, orFROM mcr.microsoft.com/dotnet/sdk:5.0-focalSolution 2:
Add this to your Dockerfile before running restore:
RUN curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
For security reasons you may want to download & verify the certificate and save it to your repo. This is the certificate necessary to validate the timestamp of the packages and it's included by default in alpine and focal, but is missing from debian.
Solution 3:
Wait for Microsoft to fix the problem. They're tracking it on github and Nuget has set it's status to degraded until the problem is solved: https://status.nuget.org/
Original answer:
From what I can tell Docker is right in this case. Download any NuGet package manually, ie: https://www.nuget.org/api/v2/package/System.ComponentModel.Annotations/5.0.0 Open the file and look for the .signature.p7s file and open it with the default program. It shows me that there is a certificate by Microsoft that expired literally today at 1 PM local time.
I have no idea why this isn't a problem for the tooling outside of docker. I know there's a way to completely disable NuGet's verification explained here along with some more information about the validity period: https://docs.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3028 https://docs.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3037
I don't really want to completely disable the checks though. Sadly I also don't know how to proceed in this case
130
At the moment the issue appears to be related to the Debian image.
Switch to an Ubuntu based image instead:
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal
Follow https://github.com/NuGet/Home/issues/10491 for updates.
28
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
