NuGet restore stopped working inside Docker Container

When I try to run dotnet restore as a RUN instruction of a Dockerfile while building it, I get the following errors:

/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3028: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/src/Anonymized.sln]
/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3037: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired. [/src/Anonymized.sln]

It happens for all of my NuGet packages.

If I run it outside the container, it works just fine.

I am using the image mcr.microsoft.com/dotnet/sdk:5.0. Could it be that the Docker image I am running it in has expired certificates somehow?

It worked until a couple of hours back.

Edit: Not sure if it's important information, but this is all running from GitHub Actions, in Linux.

Upvotes: 7

Views: 5578

Answers (2)

Jejuni

Reputation: 1104

Edit:

Solution 1:

As mentioned on GitHub, if your Dockerfile looks similar to this: FROM mcr.microsoft.com/dotnet/sdk:5.0, change it to

  • FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine, or
  • FROM mcr.microsoft.com/dotnet/sdk:5.0-focal

Solution 2:

Add this to your Dockerfile before running restore:

RUN curl -o /usr/local/share/ca-certificates/verisign.crt -SsL "https://crt.sh/?d=1039083" && update-ca-certificates

For security reasons you may want to download & verify the certificate and save it to your repo. This is the certificate necessary to validate the timestamp of the packages and it's included by default in alpine and focal, but is missing from debian.

Solution 3:

Wait for Microsoft to fix the problem. They're tracking it on GitHub and NuGet has set its status to degraded until the problem is solved: https://status.nuget.org/

Original answer:

From what I can tell Docker is right in this case. Download any NuGet package manually, i.e.: https://www.nuget.org/api/v2/package/System.ComponentModel.Annotations/5.0.0 Open the file and look for the .signature.p7s file and open it with the default program. It shows me that there is a certificate by Microsoft that expired literally today at 1 PM local time.

I have no idea why this isn't a problem for the tooling outside of docker. I know there's a way to completely disable NuGet's verification explained here along with some more information about the validity period: https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3028 https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3037

I don't really want to completely disable the checks though. Sadly I also don't know how to proceed in this case.

Upvotes: 5
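Solution 2 in the answer above suggests verifying the certificate and keeping it in the repository instead of downloading it on every build. The following is an added example of that approach, not part of the original answer: a shell helper that installs a vendored root only when the file matches a pinned SHA-256 digest. The function name `install_pinned_ca`, the file paths and the `<PINNED_SHA256>` placeholder are assumptions; the pin is the digest of the file bytes as committed, recorded after checking the certificate out of band.

```shell
#!/bin/sh
# Added example: install a vendored CA certificate only if it matches a pinned
# SHA-256 digest. Names, paths and the pin placeholder are assumptions.
#
# Possible Dockerfile use, before `dotnet restore` (hypothetical paths):
#   COPY certs/verisign.pem build/install_pinned_ca.sh /tmp/
#   RUN . /tmp/install_pinned_ca.sh \
#       && install_pinned_ca /tmp/verisign.pem "<PINNED_SHA256>" \
#       && update-ca-certificates

# Usage: install_pinned_ca <cert.pem> <expected-sha256-hex> [dest-dir]
# Returns 0 on install, 1 on digest mismatch, 2 if the file is missing,
# 3 if the file is not exactly one PEM certificate.
install_pinned_ca() {
    cert=$1
    expected=$2
    dest=${3:-/usr/local/share/ca-certificates}

    [ -f "$cert" ] || { echo "missing certificate file: $cert" >&2; return 2; }

    # Reject anything that is not a single PEM certificate, such as an HTML
    # error page saved by a failed download or a bundle carrying extra roots.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$count" -eq 1 ] || {
        echo "expected exactly one PEM certificate in $cert, found $count" >&2
        return 3
    }

    # Compare the digest of the file bytes with the pin (hex case ignored).
    actual=$(sha256sum "$cert" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $cert" >&2
        echo "  pinned: $expected" >&2
        echo "  actual: $actual" >&2
        return 1
    fi

    # update-ca-certificates only picks up files whose names end in .crt.
    name=$(basename "$cert")
    install -m 0644 "$cert" "$dest/${name%.*}.crt"
}
```

A mismatch stops the `RUN` step, so a changed or substituted file fails the build instead of silently becoming a trusted root.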

Martin Ullrich

Reputation: 100701

At the moment the issue appears to be related to the Debian image.

Switch to an Ubuntu based image instead:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal 

Follow https://github.com/NuGet/Home/issues/10491 for updates.

Upvotes: 2
