7

When I try to run dotnet restore as a RUN instruction of a Dockerfile while building it, I get the following errors:

/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3028: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/src/Anonymized.sln]
/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3037: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired. [/src/Anonymized.sln]

It happens for all of my NuGet packages.

If I run it outside the container, it works just fine.

I am using the image mcr.microsoft.com/dotnet/sdk:5.0. Could it be that the Docker image I am running it in has expired certificates somehow?

It worked until a couple of hours back.

Edit: Not sure if it's important information, but this is all running from GitHub Actions, in Linux.

Improve this question
5
  • 2
    Same problem here. dotnet restore outside docker works just fine. dotnet restore inside docker presents me for every package with exactly the same error you described for every package. Commented Jan 27, 2021 at 14:40
  • 1
    @Jejuni thank you for sharing that with me. Do you have any idea of who to contact from here? Are you also running things within GitHub Actions and Docker? Can you share more on your specific case? Commented Jan 27, 2021 at 14:42
  • 2
    Sadly so far no idea. Happens from my home machine (no proxy, no nothing) as well as company network. I'm running my own pipeline in Azure DevOps and using our own company build server. But when I manually invoke docker-compose build it happens locally as well as build server. Downloading a mentioned package manually in docker and running dotnet nuget verify --all some.package.nupkg also complains about UntrustedRoot. Outside docker the command completes without error. Commented Jan 27, 2021 at 14:48
  • 1
    Alright. Let's keep each other posted if we figure out the root cause, shall we? Thanks once again. Commented Jan 27, 2021 at 14:51
  • 2
    Watch github.com/NuGet/Home/issues/10491 for updates Commented Jan 27, 2021 at 15:12

2 Answers 2

Reset to default
5

Edit:

Solution 1:

As mentioned on github, if your Dockerfile looks similar to this: FROM mcr.microsoft.com/dotnet/sdk:5.0 change it to

  • FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine, or
  • FROM mcr.microsoft.com/dotnet/sdk:5.0-focal

Solution 2:

Add this to your Dockerfile before running restore:

RUN curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates

For security reasons you may want to download & verify the certificate and save it to your repo. This is the certificate necessary to validate the timestamp of the packages and it's included by default in alpine and focal, but is missing from debian.

Solution 3:

Wait for Microsoft to fix the problem. They're tracking it on github and Nuget has set it's status to degraded until the problem is solved: https://status.nuget.org/

Original answer:

From what I can tell Docker is right in this case. Download any NuGet package manually, ie: https://www.nuget.org/api/v2/package/System.ComponentModel.Annotations/5.0.0 Open the file and look for the .signature.p7s file and open it with the default program. It shows me that there is a certificate by Microsoft that expired literally today at 1 PM local time.

Certificates

I have no idea why this isn't a problem for the tooling outside of docker. I know there's a way to completely disable NuGet's verification explained here along with some more information about the validity period: https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3028 https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3037

I don't really want to completely disable the checks though. Sadly I also don't know how to proceed in this case

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Watch github.com/NuGet/Home/issues/10491 for updates
3

At the moment the issue appears to be related to the Debian image.

Switch to an Ubuntu based image instead:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal

Follow https://github.com/NuGet/Home/issues/10491 for updates.

Improve this answer

1 Comment

Was about to post this. Can confirm that solved my problem for now. Thankfully we're using yaml pipelines and changing out pipeline/Dockerfile back and forth is hassle free, so we'll be chaning to focal until MS sort their certificate / image out and then we might switch back

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.