Packages in dotnet\sdk\NuGetFallbackFolder have invalid signature

[AArnott]

A relapse of #7414 has occurred:

Warning NU3005 Package 'System.Memory 4.5.1' from source 'C:\Program Files\dotnet\sdk\NuGetFallbackFolder': The package signature file entry is invalid. The central directory header field 'compression method' has an invalid value (8).

Repro steps:

git clone https://github.com/aarnott/nerdbank.streams.git
cd nerdbank.streams\src
nerdbank.streams.sln

Restore and build in VS.

VS version: 28916.44.d16.2

[rrelyea]

What NetCore SDKs do you have installed on that computer?

repro notes: was not able to repro on 16.2.0 P1 [28914.39.d16.2]

[AArnott]

Only a few 😛

dotnet --list-sdks
1.1.12 [C:\Program Files\dotnet\sdk]
1.1.13 [C:\Program Files\dotnet\sdk]
2.1.202 [C:\Program Files\dotnet\sdk]
2.1.300 [C:\Program Files\dotnet\sdk]
2.1.400-preview-009063 [C:\Program Files\dotnet\sdk]
2.1.400-preview-009088 [C:\Program Files\dotnet\sdk]
2.1.400-preview-009171 [C:\Program Files\dotnet\sdk]
2.1.400 [C:\Program Files\dotnet\sdk]
2.1.401 [C:\Program Files\dotnet\sdk]
2.1.402 [C:\Program Files\dotnet\sdk]
2.1.403 [C:\Program Files\dotnet\sdk]
2.1.500-preview-009266 [C:\Program Files\dotnet\sdk]
2.1.500-preview-009297 [C:\Program Files\dotnet\sdk]
2.1.500-preview-009324 [C:\Program Files\dotnet\sdk]
2.1.500-preview-009335 [C:\Program Files\dotnet\sdk]
2.1.500-preview-009398 [C:\Program Files\dotnet\sdk]
2.1.500-preview-009404 [C:\Program Files\dotnet\sdk]
2.1.500 [C:\Program Files\dotnet\sdk]
2.1.502 [C:\Program Files\dotnet\sdk]
2.1.503 [C:\Program Files\dotnet\sdk]
2.1.504 [C:\Program Files\dotnet\sdk]
2.1.505 [C:\Program Files\dotnet\sdk]
2.1.506 [C:\Program Files\dotnet\sdk]
2.1.507 [C:\Program Files\dotnet\sdk]
2.1.600-preview-009426 [C:\Program Files\dotnet\sdk]
2.1.600-preview-009472 [C:\Program Files\dotnet\sdk]
2.1.600-preview-009497 [C:\Program Files\dotnet\sdk]
2.1.600 [C:\Program Files\dotnet\sdk]
2.1.601 [C:\Program Files\dotnet\sdk]
2.1.602 [C:\Program Files\dotnet\sdk]
2.1.700-preview-009597 [C:\Program Files\dotnet\sdk]
2.1.700-preview-009601 [C:\Program Files\dotnet\sdk]
2.1.700-preview-009618 [C:\Program Files\dotnet\sdk]
2.1.800-preview-009677 [C:\Program Files\dotnet\sdk]
2.2.104 [C:\Program Files\dotnet\sdk]
2.2.105 [C:\Program Files\dotnet\sdk]
2.2.200-preview-009431 [C:\Program Files\dotnet\sdk]
2.2.200-preview-009648 [C:\Program Files\dotnet\sdk]
2.2.200-preview-009748 [C:\Program Files\dotnet\sdk]
2.2.200-preview-009804 [C:\Program Files\dotnet\sdk]
2.2.200 [C:\Program Files\dotnet\sdk]
2.2.201 [C:\Program Files\dotnet\sdk]
2.2.202 [C:\Program Files\dotnet\sdk]
2.2.203 [C:\Program Files\dotnet\sdk]
2.2.300-preview-010046 [C:\Program Files\dotnet\sdk]
2.2.300-preview-010050 [C:\Program Files\dotnet\sdk]
2.2.300-preview-010067 [C:\Program Files\dotnet\sdk]
2.2.400-preview-010195 [C:\Program Files\dotnet\sdk]
3.0.100-preview-009812 [C:\Program Files\dotnet\sdk]
3.0.100-preview-010219 [C:\Program Files\dotnet\sdk]

[nkolev92]

I wouldn't say it's a relapse, because that aspect of #7414 was never fixed.

The packages are still treated as tampered if you are using the falllback folder as a source in netcoreapp1.x targeting scenarios.

The one thing that's fixed in the latest builds is using the fallback folder as fallback only. (2.x and later targeting projects).

@rrelyea Am I interpreting the issue correctly?

[AArnott]

@nkolev92 I'm wondering what you're waiting on me for. You've tagged this as Closed (although it's not closed) and you've tagged as WaitingForCustomer (but I don't see any question you're waiting on me to answer).
I would very much like a resolution to this, or for it to be moved to the right repo if this is the wrong one.

[nkolev92]

Sorry about that, it's a loosely used label. It's so that we know that issues need to be actively tracked.

Are you targeting 1.x in the scenarios where this fails?

We can move this back to the SDK side, but I'm not sure if there are any plans for resolution on that end.
@livarcocc Thoughts?

[livarcocc]

It is not clear to me what would be doable by the SDK at this point. If there are ideas, we can listen and evaluate if they would meet a servicing bar for 2.1/2.2.

Otherwise, in 3.0, we are no longer using the fallback folder, so it is addressed there.

[nkolev92]

The only approach that fixes most scenarios is extremely costly and potentially error prone.

• Fix the bug that led to "tampered" packages in the first place. (no fallback folder in 3.0 means no bug like this).
• Newer versions of the SDK that use the fallback folder would do a replace on every package they carry.
• This still wouldn't address issues with packages that are not being carried by that specific version of the SDK anymore.

[nkolev92]

Closing this at this point as an SDK external, where there is not plan to fix it.

[AArnott]

Are you targeting 1.x in the scenarios where this fails?

Yes. I'm multitargeting and netstandard1.6 is one of the targets.

no fallback folder in 3.0 means no bug like this

Just so I'm clear on this: when I use the 3.0 SDK, I can (multi-)target netstandard1.6 and not get the error/warning?

[AArnott]

@nkolev92 Ping. Can you please answer my last question? Today I'm seeing over a dozen warnings in my nerdbank.streams repo's build because of this. It's very annoying and keeps me from noticing the real issues. Will this be fixed simply by a change to global.json to use the 3.0 SDK, even though I'm still targeting netstandard1.6?