[Bug]: Author primary signing certificate not trusted when installing package through an Azure DevOps feed #12017

Closed
RVink opened this issue Aug 11, 2022 · 15 comments
Assignees
Labels
Functionality:Install The install command in VS/nuget.exe Functionality:Signing Partner:AzureDevOps Platform:Docker All NuGet on docker scenarios Priority:1 High priority issues that must be resolved in the current sprint. Product:dotnet.exe Type:Bug

Comments

@RVink

RVink commented Aug 11, 2022

NuGet Product Used

dotnet.exe

Product Version

6.0.400

Worked before?

6.0.302

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Reproduction steps

  1. Run an interactive container using image mcr.microsoft.com/dotnet/sdk:6.0-alpine or use the command docker run -it --entrypoint /bin/sh mcr.microsoft.com/dotnet/sdk:6.0-alpine
  2. Add an Azure DevOps feed that has nuget.org as an upstream source
  3. Remove the default nuget.org feed using dotnet nuget remove source nuget.org
  4. Create a console app using dotnet new console
  5. Install the package NServiceBus.Extensions.Hosting version 1.1.0 by using dotnet add package NServiceBus.Extensions.Hosting --version 1.1.0

Result

Installing the package logs the warning warn : NU3018: Package 'NServiceBus.Extensions.Hosting 1.1.0' from source 'https://pkgs.dev.azure.com/rr-wfm/Platform/_packaging/nuget_test_feed/nuget/v3/index.json': The author primary signature's signing certificate is not trusted by the trust provider.

The logs containing this error message can be found here: Logs installing package using Azure DevOps feed.txt

Expected result

I would not expect this error message from occurring, as installing the same package directly from nuget.org does not log this error message. See: Logs installing package using nuget.org.txt.

Also comparing the package from both sources using the nuget package explorer does not reveal any differences.

Verbose Logs

No response

@vaceslav

I have the same problem.
The workaround is to use the previous version of dotnet/sdk: 6.0.302

@dominoFire
Contributor

@dtivel @heng-liu Could you please take a look? Is this PR related? NuGet/NuGet.Client#4722

@heng-liu
Contributor

Hi @dtivel, FYI, the installed package NServiceBus.Extensions.Hosting 1.1.0 is the same as the one on nuget.org (I checked the content hash).
The verify results on Windows:

Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=NServiceBus Ltd., O=NServiceBus Ltd., L=Haifa, S=North, C=IL
  SHA1 hash: 28C81319C47F3AFCCB075CF5F97A58981972B73F
  SHA256 hash: C8FCEC15717359192D12FAF7A00BF9AE31C892284696DDBDFBCABCD8E82A835F
  Issued by: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 10/31/2017 5:00:00 PM to 12/27/2020 3:59:59 PM
trace:       Subject Name: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace:       SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
trace:       SHA256 hash: 582DC1D97A790EF04FE2567B1EC88C26B03BF6E99937CAE6A0B50397AD20BBF8
trace:       Issued by: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:       Valid from: 12/9/2013 4:00:00 PM to 12/9/2023 3:59:59 PM
trace:             Subject Name: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
trace:             SHA256 hash: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
trace:             Issued by: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             Valid from: 11/7/2006 4:00:00 PM to 7/16/2036 4:59:59 PM
Timestamp: 8/11/2020 12:21:49 AM
Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=TIMESTAMP-SHA256-2019-10-15, O="DigiCert, Inc.", C=US
  SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5
  SHA256 hash: 481F4373272D98586C5364B6C115E82425675AEBFD9FACF7ADC464FA2FFFB8F0
  Issued by: CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 9/30/2019 5:00:00 PM to 10/16/2030 5:00:00 PM
trace:       Subject Name: CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
trace:       SHA256 hash: CA8D0F4736454AECBEC5DEEC80998C9EBF41D06C728F3C76CCA24151BC62D463
trace:       Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       Valid from: 1/7/2016 4:00:00 AM to 1/7/2031 4:00:00 AM
trace:             Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace:             SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace:             Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             Valid from: 11/9/2006 4:00:00 PM to 11/9/2031 4:00:00 PM

Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: ParticularSoftware
Verifying the repository countersignature with certificate:
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 4/9/2018 5:00:00 PM to 4/14/2021 5:00:00 AM
trace:       Subject Name: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
trace:       SHA256 hash: 51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862
trace:       Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       Valid from: 10/22/2013 5:00:00 AM to 10/22/2028 5:00:00 AM
trace:             Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace:             SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace:             Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             Valid from: 11/9/2006 4:00:00 PM to 11/9/2031 4:00:00 PM
Timestamp: 8/12/2020 1:01:30 AM
Verifying repository countersignature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
  SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 12/22/2017 4:00:00 PM to 3/22/2029 4:59:59 PM
trace:       Subject Name: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace:       SHA1 hash: 6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4
trace:       SHA256 hash: F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A
trace:       Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:       Valid from: 1/11/2016 4:00:00 PM to 1/11/2031 3:59:59 PM
trace:             Subject Name: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             SHA1 hash: 3679CA35668772304D30A5FB873B0FA77BB70D54
trace:             SHA256 hash: 2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C
trace:             Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             Valid from: 4/1/2008 5:00:00 PM to 12/1/2037 3:59:59 PM

Successfully verified package 'NServiceBus.Extensions.Hosting.1.1.0'.

@dtivel
Contributor

dtivel commented Aug 11, 2022

@RVink, where <PackageFilePath> is the file path for the downloaded package, can you please post the output of dotnet nuget verify --all <PackageFilePath> using NServiceBus.Extensions.Hosting.1.1.0.nupkg from https://pkgs.dev.azure.com/rr-wfm/Platform/_packaging/nuget_test_feed/nuget/v3/index.json? I can't access that feed or I'd do it myself.

@dominoFire dominoFire added WaitingForCustomer Applied when a NuGet triage person needs more info from the OP and removed Triage:Untriaged labels Aug 11, 2022
@RVink
Author

RVink commented Aug 11, 2022

@dtivel. Sure, see the output below.

~/.nuget/packages # dotnet nuget verify --all ~/.nuget/packages/nservicebus.extensions.hosting/1.1.0/nservicebus.extensions.hosting.1.1.0.nupkg

Verifying NServiceBus.Extensions.Hosting.1.1.0

Signature type: Author
  Subject Name: CN=NServiceBus Ltd., O=NServiceBus Ltd., L=Haifa, S=North, C=IL
  SHA256 hash: C8FCEC15717359192D12FAF7A00BF9AE31C892284696DDBDFBCABCD8E82A835F
  Valid from: 11/01/2017 00:00:00 to 12/27/2020 23:59:59

Signature type: Repository
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Valid from: 04/10/2018 00:00:00 to 04/14/2021 12:00:00

@ghost ghost added WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Aug 11, 2022
@dtivel
Contributor

dtivel commented Aug 11, 2022

Thanks. Can you add -v diag using .NET 6.0.400 wherever you saw the warning?

@ghost ghost added WaitingForCustomer Applied when a NuGet triage person needs more info from the OP and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Aug 11, 2022
@RVink
Author

RVink commented Aug 11, 2022

Of course

~/.nuget/packages # dotnet nuget verify --all -v diag ~/.nuget/packages/nservicebus.extensions.hosting/1.1.0/nservicebus.extensions.hosting.1.1.0.nupkg
X.509 certificate chain validation will use the fallback certificate bundle at '/usr/share/dotnet/sdk/6.0.400/trustedroots/codesignctl.pem'.

Verifying NServiceBus.Extensions.Hosting.1.1.0
/root/.nuget/packages/nservicebus.extensions.hosting/1.1.0/nservicebus.extensions.hosting.1.1.0.nupkg
Signature Hash Algorithm: SHA256

Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=NServiceBus Ltd., O=NServiceBus Ltd., L=Haifa, S=North, C=IL
  SHA1 hash: 28C81319C47F3AFCCB075CF5F97A58981972B73F
  SHA256 hash: C8FCEC15717359192D12FAF7A00BF9AE31C892284696DDBDFBCABCD8E82A835F
  Issued by: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 11/01/2017 00:00:00 to 12/27/2020 23:59:59
trace:       Subject Name: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace:       SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
trace:       SHA256 hash: 582DC1D97A790EF04FE2567B1EC88C26B03BF6E99937CAE6A0B50397AD20BBF8
trace:       Issued by: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:       Valid from: 12/10/2013 00:00:00 to 12/09/2023 23:59:59
trace:             Subject Name: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
trace:             SHA256 hash: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
trace:             Issued by: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             Valid from: 11/08/2006 00:00:00 to 07/16/2036 23:59:59
debug: The author primary signature's certificate chain validation failed with error(s): UntrustedRoot
Timestamp: 08/11/2020 07:21:49
Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=TIMESTAMP-SHA256-2019-10-15, O="DigiCert, Inc.", C=US
  SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5
  SHA256 hash: 481F4373272D98586C5364B6C115E82425675AEBFD9FACF7ADC464FA2FFFB8F0
  Issued by: CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 10/01/2019 00:00:00 to 10/17/2030 00:00:00
trace:       Subject Name: CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
trace:       SHA256 hash: CA8D0F4736454AECBEC5DEEC80998C9EBF41D06C728F3C76CCA24151BC62D463
trace:       Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       Valid from: 01/07/2016 12:00:00 to 01/07/2031 12:00:00
trace:             Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace:             SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace:             Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             Valid from: 11/10/2006 00:00:00 to 11/10/2031 00:00:00

Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: ParticularSoftware
Verifying the repository countersignature with certificate:
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 04/10/2018 00:00:00 to 04/14/2021 12:00:00
trace:       Subject Name: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
trace:       SHA256 hash: 51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862
trace:       Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:       Valid from: 10/22/2013 12:00:00 to 10/22/2028 12:00:00
trace:             Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace:             SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace:             Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace:             Valid from: 11/10/2006 00:00:00 to 11/10/2031 00:00:00
Timestamp: 08/12/2020 08:01:30
Verifying repository countersignature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
  SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 12/23/2017 00:00:00 to 03/22/2029 23:59:59
trace:       Subject Name: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace:       SHA1 hash: 6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4
trace:       SHA256 hash: F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A
trace:       Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:       Valid from: 01/12/2016 00:00:00 to 01/11/2031 23:59:59
trace:             Subject Name: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             SHA1 hash: 3679CA35668772304D30A5FB873B0FA77BB70D54
trace:             SHA256 hash: 2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C
trace:             Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             Valid from: 04/02/2008 00:00:00 to 12/01/2037 23:59:59

Successfully verified package 'NServiceBus.Extensions.Hosting.1.1.0'.

@ghost ghost added WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Aug 11, 2022
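The diag output above shows where the Linux-only warning comes from: chain validation used the SDK's fallback bundle at codesignctl.pem and ended with UntrustedRoot for the author chain, while the same chain validated cleanly on Windows. As an added example (Python; not code from NuGet or from anyone in this thread), the script below reads that kind of -v diag output, extracts the author signature's chain and the chain's root SHA-256 fingerprint, pulls out any chain-validation error, and checks whether that root is present in a PEM bundle. The diag excerpt is constructed from the output posted in this issue; the PEM bundle is constructed from stand-in bytes rather than real certificates, so the root lookup fails the same way it would for a root missing from the bundle. To check a real SDK, read the bundle path the output names and pass its contents instead.

```python
"""Added example (not NuGet's code): read the author-signature chain that
`dotnet nuget verify --all -v diag` prints, report chain-validation errors,
and check whether the chain's root is in a PEM trust bundle."""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Constructed excerpt of `-v diag` output, trimmed to the lines this script
# reads; the shape and the fingerprints follow the output posted in the issue.
SAMPLE_DIAG_OUTPUT = """\
X.509 certificate chain validation will use the fallback certificate bundle at '/usr/share/dotnet/sdk/6.0.400/trustedroots/codesignctl.pem'.
Verifying NServiceBus.Extensions.Hosting.1.1.0
Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=NServiceBus Ltd., O=NServiceBus Ltd., L=Haifa, S=North, C=IL
  SHA256 hash: C8FCEC15717359192D12FAF7A00BF9AE31C892284696DDBDFBCABCD8E82A835F
trace:       Subject Name: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace:       SHA256 hash: 582DC1D97A790EF04FE2567B1EC88C26B03BF6E99937CAE6A0B50397AD20BBF8
trace:             Subject Name: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace:             SHA256 hash: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
debug: The author primary signature's certificate chain validation failed with error(s): UntrustedRoot
Timestamp: 08/11/2020 07:21:49
Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=TIMESTAMP-SHA256-2019-10-15, O="DigiCert, Inc.", C=US
  SHA256 hash: 481F4373272D98586C5364B6C115E82425675AEBFD9FACF7ADC464FA2FFFB8F0
Signature type: Repository
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
"""

SUBJECT_RE = re.compile(r"^(?:trace:)?\s*Subject Name: (.+)$")
SHA256_RE = re.compile(r"^(?:trace:)?\s*SHA256 hash: ([0-9A-Fa-f]{64})\s*$")
CHAIN_FAILURE_RE = re.compile(r"certificate chain validation failed with error\(s\): (.+)$")
BUNDLE_RE = re.compile(r"fallback certificate bundle at '([^']+)'")


def parse_author_chain(diag_text: str) -> List[Dict[str, Optional[str]]]:
    """Return the author signing chain, leaf first and root last.
    Only the 'Author' section is read, and the timestamp chain is skipped."""
    chain: List[Dict[str, Optional[str]]] = []
    section, in_chain, current = None, False, None
    for line in diag_text.splitlines():
        if line.startswith("Signature type:"):
            section = line.split(":", 1)[1].strip()
            in_chain = False
            continue
        if section != "Author":
            continue
        if line.startswith("Verifying the author primary signature with certificate:"):
            in_chain = True
            continue
        if line.startswith(("Timestamp:", "debug:",
                            "Verifying author primary signature's timestamp")):
            in_chain = False
            continue
        if not in_chain:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current = {"subject": m.group(1), "sha256": None}
            chain.append(current)
            continue
        m = SHA256_RE.match(line)
        if m and current is not None:
            current["sha256"] = m.group(1).upper()
    return chain


def chain_errors(diag_text: str) -> List[str]:
    """Collect the error names from 'chain validation failed' debug lines."""
    errors: List[str] = []
    for line in diag_text.splitlines():
        m = CHAIN_FAILURE_RE.search(line)
        if m:
            errors.extend(e.strip() for e in m.group(1).split(","))
    return errors


def fallback_bundle_path(diag_text: str) -> Optional[str]:
    m = BUNDLE_RE.search(diag_text)
    return m.group(1) if m else None


def bundle_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 over the DER bytes of each CERTIFICATE block, the same value
    `dotnet nuget verify` prints as 'SHA256 hash'."""
    fps: List[str] = []
    body: Optional[List[str]] = None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----" and body is not None:
            der = base64.b64decode("".join(body))
            fps.append(hashlib.sha256(der).hexdigest().upper())
            body = None
        elif body is not None:
            body.append(line)
    return fps


def root_in_bundle(diag_text: str, pem_text: str) -> Optional[bool]:
    """True/False if an author chain was found; None if the output has none."""
    chain = parse_author_chain(diag_text)
    if not chain:
        return None
    return chain[-1]["sha256"] in set(bundle_fingerprints(pem_text))


def _fake_pem(der: bytes) -> str:
    # Constructed: wraps arbitrary bytes as a PEM block. NOT a real certificate.
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed two-entry bundle; the real VeriSign G5 root is absent from it.
SAMPLE_BUNDLE = _fake_pem(b"constructed DER stand-in: root A") + \
                _fake_pem(b"constructed DER stand-in: root B")

if __name__ == "__main__":
    chain = parse_author_chain(SAMPLE_DIAG_OUTPUT)
    print("bundle:", fallback_bundle_path(SAMPLE_DIAG_OUTPUT))
    print("root:", chain[-1]["subject"], chain[-1]["sha256"])
    print("errors:", chain_errors(SAMPLE_DIAG_OUTPUT))
    print("root in bundle:", root_in_bundle(SAMPLE_DIAG_OUTPUT, SAMPLE_BUNDLE))
```

Reading the bundle named in the first line of the output and comparing fingerprints is the quickest way to tell "this root is not shipped in the SDK's fallback bundle" apart from "the signature itself is bad"; in the output above the latter would have shown a different error name than UntrustedRoot.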
@dtivel
Contributor

dtivel commented Aug 15, 2022

@RVink, thank you for the repro steps. I have reproduced the behavior and will investigate further.

In the meantime, you can disable signed package verification during restore operations by setting environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION to false. This will enable you to use .NET 6.0.400 SDK without the restore warning. Note that signed package verification is generally disabled by default in .NET 6.0.400 SDK; however, we specifically enabled it in .NET 6.0.400 SDK containers.

Also see dotnet/core#7688 for more information.

CC @richlander as FYI.

@ghost ghost added WaitingForCustomer Applied when a NuGet triage person needs more info from the OP and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Aug 15, 2022
@mthalman

In the meantime, you can disable signed package verification during restore operations by setting environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION to false.

This would look something like the following in your Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
ENV DOTNET_NUGET_SIGNATURE_VERIFICATION=false

That will override this value:

https://github.com/dotnet/dotnet-docker/blob/7cf01d82858fcc3824574fb92580c4151954699a/src/sdk/6.0/alpine3.16/amd64/Dockerfile#L12

@richlander

We may choose to remove this ENV from our Dockerfiles. We want to wait on the result of this investigation before making any decisions. Also, we want to learn why we've only had this one report so far. Perhaps the investigation will answer that.

@RVink
Author

RVink commented Aug 16, 2022

@dtivel Cool. Thanks for your help :)

@richlander Maybe it is good to know that we had TreatWarningsAsErrors enabled. This caused our builds to fail the day after the 6.0.400 release. In our case, disabling the setting made the verification warning less in our face. For example, it isn't shown in the Azure DevOps build summary. The only way to find it is to actively search through the build logs and then see that it blends in with the surrounding logs (see below).

@ghost ghost added WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Aug 16, 2022
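With TreatWarningsAsErrors off, NU3018 becomes one more line in the restore log, as the comment above describes. The following is an added example (Python; not code from NuGet, Azure DevOps or anyone in this thread) of a pipeline-side check that scans restore log lines for NuGet signing warnings (NU3xxx codes), groups them by feed, and either fails the step or re-emits them as Azure Pipelines logging commands so they show up in the build summary. The log lines are constructed from the messages quoted in this issue; the EXAMPLE-ORG feed URL is a placeholder, not a real feed.

```python
"""Added example (not NuGet's or Azure DevOps' code): surface NuGet signing
warnings from a restore log even when TreatWarningsAsErrors is disabled."""
import re
from typing import Dict, List

# NuGet's signature-verification warning line, as quoted in the issue:
#   warn : NU3018: Package 'Name Version' from source 'URL': message
SIGNING_WARNING_RE = re.compile(
    r"(?P<code>NU3\d{3}): Package '(?P<package>\S+) (?P<version>[^']+)' "
    r"from source '(?P<source>[^']+)': (?P<message>.+?)\s*$"
)

# Constructed log lines. The second is the NU3018 line from the issue report;
# the EXAMPLE-ORG feed URL in the fourth is a placeholder.
SAMPLE_LOG = [
    "  Determining projects to restore...",
    "warn : NU3018: Package 'NServiceBus.Extensions.Hosting 1.1.0' from source "
    "'https://pkgs.dev.azure.com/rr-wfm/Platform/_packaging/nuget_test_feed/nuget/v3/index.json': "
    "The author primary signature's signing certificate is not trusted by the trust provider.",
    "  Restored /src/app.csproj (in 1.2 sec).",
    "warn : NU3018: Package 'DevExpress.Charts.Core 22.1.4' from source "
    "'https://pkgs.dev.azure.com/EXAMPLE-ORG/EXAMPLE-PROJECT/_packaging/EXAMPLE-FEED/nuget/v3/index.json': "
    "The author primary signature's signing certificate is not trusted by the trust provider.",
    "warn : CS8618: Non-nullable property 'Name' must contain a non-null value.",
]


def find_signing_warnings(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict (code, package, version, source, message) per NU3xxx line."""
    found: List[Dict[str, str]] = []
    for line in lines:
        m = SIGNING_WARNING_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def warnings_by_source(warnings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group 'Package Version' strings by the feed that served them."""
    by_source: Dict[str, List[str]] = {}
    for w in warnings:
        by_source.setdefault(w["source"], []).append(f'{w["package"]} {w["version"]}')
    return by_source


def azure_pipelines_issue(w: Dict[str, str]) -> str:
    """Azure Pipelines logging command; the agent lists it on the build summary."""
    return (f"##vso[task.logissue type=warning]{w['code']}: {w['package']} "
            f"{w['version']} from {w['source']}: {w['message']}")


def gate(lines: List[str], fail_on_signing_warnings: bool = True) -> int:
    """Exit code for a pipeline step: 1 when signing warnings are present and
    the gate is enabled, else 0. Warnings are re-emitted either way."""
    warnings = find_signing_warnings(lines)
    for w in warnings:
        print(azure_pipelines_issue(w))
    return 1 if (warnings and fail_on_signing_warnings) else 0


if __name__ == "__main__":
    for source, packages in warnings_by_source(find_signing_warnings(SAMPLE_LOG)).items():
        print(source, "->", ", ".join(packages))
    raise SystemExit(gate(SAMPLE_LOG))
```

Piping the restore output through this (or running it over the saved log) keeps the warning visible per feed, which also helps answer the question raised above about how many builds are actually affected.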
@madcboyum

We are facing the same issue, with DevExpress nuget packages. Here is one of many similar errors we got when running docker compose in our Azure DevOps pipeline:

Package 'DevExpress.Charts.Core 22.1.4' from source 'https://pkgs.dev.azure.com/(...)/_packaging/(...)_nuget/nuget/v3/index.json': The author primary signature's signing certificate is not trusted by the trust provider.

The workaround proposed by @dtivel solved our issue for now. Thanks!

@aortiz-msft aortiz-msft added Priority:1 High priority issues that must be resolved in the current sprint. and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Aug 16, 2022
@madcboyum

I'd like to confirm that after the fix, the issue is resolved for us. We have re-enabled the signature verification in our Dockerfile, and our builds are completing again without issues.

@dtivel
Contributor

dtivel commented Aug 18, 2022

Thanks for confirming, @madcboyum!

There are 2 separate issues here:

.NET containers were updated to disable NuGet signed package verification by default via dotnet/dotnet-docker#4000. You can either explicitly disable signed package verification during restore operations with your current container by setting environment variable to false:

DOTNET_NUGET_SIGNATURE_VERIFICATION=false

...or pull an updated container. With the updated container, you should not be affected by this unless you explicitly opt back in for verification.

I will close this issue as a duplicate of #12033.

@dtivel dtivel closed this as completed Aug 18, 2022
@mthalman

Here's the announcement of the rollback in the SDK container images: dotnet/dotnet-docker#4006
