Reputation: 15896
When I try to run dotnet restore as a RUN instruction of a Dockerfile while building it, I get the following errors:
/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3028: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/src/Anonymized.sln]
/src/Anonymized.Tests/Anonymized.Tests.csproj : error NU3037: Package 'Microsoft.Win32.SystemEvents 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired. [/src/Anonymized.sln]
It happens for all of my NuGet packages.
If I run it outside the container, it works just fine.
I am using the image mcr.microsoft.com/dotnet/sdk:5.0. Could it be that the Docker image I am running it in has expired certificates somehow?
It worked until a couple of hours back.
Edit: Not sure if it's important information, but this is all running from GitHub Actions, in Linux.
Upvotes: 7
Views: 5578
Reputation: 1104
Edit:
Solution 1:
As mentioned on GitHub, if your Dockerfile looks similar to this:
FROM mcr.microsoft.com/dotnet/sdk:5.0
change it to
FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine
or
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal
Solution 2:
Add this to your Dockerfile before running restore:
RUN curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
For security reasons you may want to download & verify the certificate and save it to your repo. This is the certificate necessary to validate the timestamp of the packages and it's included by default in Alpine and Focal, but is missing from Debian.
Solution 3:
Wait for Microsoft to fix the problem. They're tracking it on GitHub and NuGet has set its status to degraded until the problem is solved: https://status.nuget.org/
Original answer:
From what I can tell Docker is right in this case. Download any NuGet package manually (i.e. https://www.nuget.org/api/v2/package/System.ComponentModel.Annotations/5.0.0). Open the file and look for the .signature.p7s file and open it with the default program. It shows me that there is a certificate by Microsoft that expired literally today at 1 PM local time.
I have no idea why this isn't a problem for the tooling outside of Docker. I know there's a way to completely disable NuGet's verification explained here along with some more information about the validity period: https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3028 https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3037
I don't really want to completely disable the checks though. Sadly I also don't know how to proceed in this case.
Upvotes: 5
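The "download & verify the certificate and save it to your repo" advice in Solution 2 above, sketched as an added example that is not part of the original answer: the certificate is committed to the repo and reaches the trust store only if it matches a pinned SHA-256 digest, instead of being fetched at build time. The function name install_pinned_ca, its arguments and the file names are hypothetical; the pinned digest is a value you compute yourself from a copy you have verified out of band.

```shell
#!/bin/sh
# Added example: install a repo-committed CA certificate only when it matches a
# pinned SHA-256 digest. install_pinned_ca and its arguments are hypothetical names.

# usage: install_pinned_ca <cert.pem> <expected_sha256_hex> <dest_dir>
# returns 0 installed, 1 digest mismatch, 2 file missing, 3 not exactly one certificate
install_pinned_ca() {
    cert=$1; expected=$2; dest=$3

    [ -f "$cert" ] || { echo "missing certificate file: $cert" >&2; return 2; }

    # Refuse bundles: exactly one certificate should be added to the trust store.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 certificate, found $count" >&2; return 3; }

    # Compare the file digest with the pinned value (hex compared case-insensitively).
    actual=$(sha256sum "$cert" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $cert: got $actual" >&2
        return 1
    fi

    # Only a verified file is copied; update-ca-certificates picks up *.crt files.
    mkdir -p "$dest" && cp "$cert" "$dest/$(basename "${cert%.*}").crt"
}

# In the image build: COPY the committed certificate and this script, call
# install_pinned_ca with /usr/local/share/ca-certificates as <dest_dir>, then run
# update-ca-certificates, in place of the curl download step.
```

A digest mismatch fails the build step before anything is written to the trust store, so a changed or substituted file cannot become a trusted root unnoticed.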
Reputation: 100701
At the moment the issue appears to be related to the Debian image.
Switch to an Ubuntu-based image instead:
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal
Follow https://github.com/NuGet/Home/issues/10491 for updates.
Upvotes: 2