Installing signed package in offline environment #7008
Comments
@pascalberger I'm not clear about the issue. Were you not able to install your signed package without access to nuget.org? Or is taking 4 mins to install this package the main issue? And also, tell us how much time |
@jainaashish The package actually installs successfully, but it takes 4 minutes without access to nuget.org. |
A
I canceled after 3h |
@jainaashish can we get confirmation that the installation of a signed nuget package, in an offline scenario, is something that is going to be supported long term? And also, confirmation that we agree that 4 minutes is far too long for this to take. At the moment, not that many packages are signed, but as this rolls out, and with the upcoming repository signing, more and more packages are going to be signed, and offline builds are going to become very slow. |
@jainaashish Additional questions from my side are:
|
@gep13 offline scenarios are definitely something we are planning to support and we are actively working on them as well. @pascalberger package signing is independent of the feed. Any feed can host author signed packages and also any feed can decide to implement the required features to support repository signing. We are currently working on adding support for repository signing on nuget.org, once that support is fully added, every package will be signed. As for your third point, verification for author signed packages is done independently of the source they are gotten from. The only network calls that are needed are to check for revocation, and these are made directly to revocation services. In the case where this information is unavailable it should show a warning (which I'm actually curious about why you didn't see it). Can you confirm you only see this delay when restoring offline? Also, does nuget verify also hang with other packages or just with that one? In case it is just that one, can you provide a copy of the package so I can try to repro the issue and find the reason? Thanks! |
@pascalberger I downloaded Cake v0.27.2 from nuget.org (https://www.nuget.org/packages/Cake/0.27.2) and tried to repro your scenario locally with no luck. I ran
I also ran
|
Did you clear your intermediates too? There could be AIA calls to intermediates that may be having issues. |
@PatoBeltran Which nuget.exe version did you try with? I used 4.6.2 |
While feeds can host signed packages, how is verification supposed to work there? Does every feed need to implement something so that its signed packages can be verified?
The warning should also be shown for
The package installs fine with the same NuGet version from another PC / network which has internet access.
Can you advise on other packages which are signed?
You can download from here |
@pascalberger I tried with
Feeds don't need to implement anything to have signed packages and for clients to verify those packages. If the feeds want to implement repository signing, then they have to implement the necessary features to let the clients know that the packages that come from that feed should have a specific signature. You can read more about package signing here
It should be shown on both.
Does it repro in this other machine when it is disconnected from the network? Are you running the same nuget version on both? Do both machines have similar environments? Are you running on mono or any platform different than Windows?
Try this one |
Hey @pascalberger, is this still an issue? Have you tried the suggestions I wrote in my previous comment? This issue has not been active for two weeks, if this is no longer an issue I will close it soon. |
@PatoBeltran Yes, sorry this is still an issue, but I hadn't found the time yet to analyze it further. For some of your questions:
I can reproduce in one of our networks where we have a bunch of blades running VMs from different hosts.
Yes, everything is on 4.6.2
Yes, same versions of tools. But one is the build environment the other a development environment (e.g. Visual Studio Build Tools vs full Visual Studio).
No, offline environment is Windows Server 2012 R2, the other where it works is Windows 10 |
Good, make sure everything is |
Unfortunately I cannot test with the |
Any Microsoft owned package should be signed. You can easily search in nuget.org for a package that follows any of your internal server requirements and to be sure it is signed just run |
@PatoBeltran I can reproduce it also with other signed packages:
|
Okay, so with it seems like the issue is not on your package. Since I still have not been able to reproduce it, I'm inclined to think it might be something specific about your environment that is making it slow. To understand what it is, could you try a couple of things?
|
I can reproduce this behavior on all machines in a certain (offline) network (or better said using different images on different VM hosts).
There's no CPU consumed from NuGet.exe while running I might find some time later to do some deeper analysis. |
I tried again the
|
This part is very concerning to me, and will no doubt cause lots of problems to people running in an isolated environment. |
@PatoBeltran Here's a mini dump file taken while it was "hanging" with the following output on the console:
|
I also tried with https://dist.nuget.org/win-x86-commandline/v4.8.0-preview3/nuget.exe, which has the same behavior as 4.6.2 which I'm currently using |
@pascalberger the log messages you saw when you run @gep13 the message |
Yes, I believe we are on the same page in terms of what the issue is, however, my question is the same... If I want to do a build on a machine that has no outside network connection, i.e. I have pulled all the nupkg's used as part of my build onto an internal ProGet/Artifactory/Nexus server, there is going to be no access to perform this validation check. I am assuming that there is a way to bypass this check when installing NuGet packages in an offline mode? Or have I got things completely wrong? |
/cc: @rido-min, @karann-msft |
Based on this, can we get some clarity on what is meant by this:
Is there an issue that we can track where this is being worked on? In my opinion, this is a major failing, and it will mean that systems like Artifactory, ProGet, Nexus, and likely many others will start failing, where they had worked perfectly before. How is this, dare I say it, breaking change, being communicated? |
We are looking to fix this soon - mostly 4.8.1 (as bits for 4.8.0 are almost locked). |
@anangaur Can you please wait with further rolling out repository signing (for old packages) on nuget.org until this fix has been released, to avoid fully breaking enterprise environments? |
@gep13 We are planning to provide a flag for offline-only revocation checks. @pascalberger, we are not signing the old packages yet. Only new packages are being repo-signed. We will start repo-signing old packages once we roll out the above mentioned option. |
@anangaur thank you very much for confirming. This will certainly help in a number of scenarios. |
We are looking forward to being able to disable the revocation checks on nuget restore. In the meantime our solution is to redirect the revocation-server calls to localhost. This way the revocation checks will fail much faster. You can catch the list of servers nuget verify tries to reach with Fiddler and make an entry in your hosts file for each of them (maybe you need to clear your local DNS cache: ipconfig /flushdns) Host file
NuGet also makes a call to ctldl.windowsupdate.com. But this one is hardcoded in Windows (%WINDIR%\system32\dnsapi.dll) and cannot be overwritten in the hosts file. |
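
The hosts-file workaround from the comment above, as an added example (not part of the thread and not NuGet code): it turns a list of captured revocation URLs into hosts entries and shows why a loopback redirect fails fast, since a refused connection returns at once while dropped packets run to the timeout. The `example-ca.test` URLs are constructed placeholders; the real list comes from your own capture.

```python
import socket
import time
from urllib.parse import urlsplit

# Constructed sample: revocation URLs as they might be copied from a proxy
# capture. The example-ca.test names are placeholders, not real endpoints.
CAPTURED_URLS = [
    "http://crl.example-ca.test/root.crl",
    "http://ocsp.example-ca.test/",
    "http://CRL.example-ca.test/intermediate.crl",
    "http://ctldl.windowsupdate.com/",
]

# Per the comment above, this name cannot be redirected via the hosts file.
NOT_REDIRECTABLE = {"ctldl.windowsupdate.com"}


def hosts_entries(urls, target="127.0.0.1"):
    """Return one hosts-file line per unique redirectable hostname."""
    seen, lines = set(), []
    for url in urls:
        host = urlsplit(url).hostname  # lower-cased by urlsplit
        if not host or host in NOT_REDIRECTABLE or host in seen:
            continue
        seen.add(host)
        lines.append(f"{target} {host}")
    return lines


def probe(host, port=80, timeout=5.0):
    """Try a TCP connect; return (outcome, seconds elapsed)."""
    start = time.monotonic()
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        outcome = "connected"
    except socket.timeout:
        outcome = "timeout"      # silently dropped packets: the slow case
    except ConnectionRefusedError:
        outcome = "refused"      # nothing listening: the fast failure
    except OSError:
        outcome = "error"        # e.g. name resolution or routing failure
    return outcome, time.monotonic() - start


if __name__ == "__main__":
    print("\n".join(hosts_entries(CAPTURED_URLS)))
    print(probe("127.0.0.1"))
```

Running `probe` against each redirected name after editing the hosts file confirms the redirect took effect; a `timeout` result means the name still resolves to something that drops packets.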
hey @pascalberger, @gep13, @adrian-moll I have a PR with a fix for this, would any of you have time today to help me test the private bits to make sure this approach correctly fixes the issues you are seeing? Let me know how I can send you a build of nuget.exe to test! Thanks! |
@PatoBeltran I can do some tests |
@pascalberger awesome! thanks so much. Here you will find a private build of nuget.exe with those changes, with this build you should be able to set
Please let me know if you have any questions and if this works for you! |
@PatoBeltran |
Awesome to hear that! Thanks for the confirmation, I will work to get these changes merged and published as soon as possible. |
Closing this since it was fixed by #7173, this code should ship in the next release. |
@adrian-moll wouldn't it be better to black-hole instead of causing (hopefully) failing traffic to loopback?
|
nuget.exe 4.8.1 has just shipped with the fix for this issue. You can download it at https://www.nuget.org/downloads |
@PatoBeltran can you point at where the documentation for enabling an offline build is? Thanks |
@PatoBeltran @gep13 I've also created another issue for this: #7262 |
@karann-msft it says NuGet 4.6.0+ in the article but didn't this fix ship with 4.8.1? So maybe make it more clear which version the env var works in? |
@devlead The issue itself may manifest from 4.6 (clients that support signing). The proposed solution - ‘offline revocation check’ exists in 4.8.1. Just submitted an edit to the docs to state this. Will be live soon. |
@anangaur excellent, that will save people time debugging, if they're trying with an older version 👍 |
VS 2017 15.8.4 has this fix as well -- available today. |
@rrelyea So, you ship a not recommended version (as per https://www.nuget.org/downloads) to thousands of customers? 😕 Wouldn't it be a wise idea to make it the recommended version first including proper documentation (as already asked here: #7262) and also note this change in Visual Studio release notes. |
I'm in an offline environment with an in-house package server (using ProGet). If I try to install a signed package it takes 4 minutes until installation succeeds.
How can I install signed packages in an offline environment without access to nuget.org?
Details about Problem
NuGet product used (NuGet.exe | VS UI | Package Manager Console | dotnet.exe): NuGet.exe
NuGet version (x.x.x.xxx): 4.6.2 (Latest recommended)
dotnet.exe --version (if appropriate): -
VS version (if appropriate): -
OS version (i.e. win10 v1607 (14393.321)):
Worked before? If so, with which NuGet version:
Detailed repro steps so we can see the same problem
Other suggested things
Verbose Logs