Document new warning NU3042 (#3034)

docs/TOC.md

@@ -226,6 +226,7 @@
 ### [NU3037](reference/errors-and-warnings/NU3037.md)
 ### [NU3038](reference/errors-and-warnings/NU3038.md)
 ### [NU3040](reference/errors-and-warnings/NU3040.md)
+### [NU3042](reference/errors-and-warnings/NU3042.md)
 ### [NU5000](reference/errors-and-warnings/NU5000.md)
 ### [NU5001](reference/errors-and-warnings/NU5001.md)
 ### [NU5002](reference/errors-and-warnings/NU5002.md)

docs/reference/Errors-and-Warnings.md

@@ -47,7 +47,7 @@ NuGet supports the following configuration properties.
 | Package fallback warnings | [NU1701](./errors-and-warnings/NU1701.md) |
 | Feed warnings | [NU1801](./errors-and-warnings/NU1801.md), [NU1802](./errors-and-warnings/NU1802.md), [NU1803](./errors-and-warnings/NU1803.md) |
 | NuGet internal warnings | [NU1500](./errors-and-warnings/NU1500.md) |
-| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md) |
+| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md), [NU3042](./errors-and-warnings/NU3042.md) |
 | Pack Warnings | [NU5100](./errors-and-warnings/NU5100.md), [NU5101](./errors-and-warnings/NU5101.md), [NU5102](./errors-and-warnings/NU5102.md), [NU5103](./errors-and-warnings/NU5103.md), [NU5104](./errors-and-warnings/NU5104.md), [NU5105](./errors-and-warnings/NU5105.md), [NU5106](./errors-and-warnings/NU5106.md), [NU5107](./errors-and-warnings/NU5107.md), [NU5108](./errors-and-warnings/NU5108.md), [NU5109](./errors-and-warnings/NU5109.md), [NU5110](./errors-and-warnings/NU5110.md), [NU5111](./errors-and-warnings/NU5111.md), [NU5112](./errors-and-warnings/NU5112.md), [NU5114](./errors-and-warnings/NU5114.md), [NU5115](./errors-and-warnings/NU5115.md), [NU5116](./errors-and-warnings/NU5116.md), [NU5117](./errors-and-warnings/NU5117.md), [NU5118](./errors-and-warnings/NU5118.md), [NU5119](./errors-and-warnings/NU5119.md), [NU5120](./errors-and-warnings/NU5120.md), [NU5121](./errors-and-warnings/NU5121.md), [NU5122](./errors-and-warnings/NU5122.md), [NU5123](./errors-and-warnings/NU5123.md), [NU5127](./errors-and-warnings/NU5127.md), [NU5128](./errors-and-warnings/NU5128.md), [NU5129](./errors-and-warnings/NU5129.md), [NU5130](./errors-and-warnings/NU5130.md), [NU5131](./errors-and-warnings/NU5131.md), [NU5133](./errors-and-warnings/NU5133.md), [NU5500](./errors-and-warnings/NU5500.md), [NU5501](./errors-and-warnings/NU5501.md)
 | License specific Pack Warnings | [NU5124](./errors-and-warnings/NU5124.md), [NU5125](./errors-and-warnings/NU5125.md)
 | Icon specific Pack Warnings | [NU5046](./errors-and-warnings/NU5046.md), [NU5047](./errors-and-warnings/NU5047.md), [NU5048](./errors-and-warnings/NU5048.md) |

docs/reference/errors-and-warnings/NU3018.md

@@ -25,3 +25,5 @@ Please ensure that the package signature has a valid certificate chain. You can
 > [!Note]
 > When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3018 is raised as a warning.
 > When NuGet’s signature validation mode is set to require, or when running the `nuget verify -signatures` command, NU3018 is elevated from a warning to an error in most cases.
+
+For Linux and macOS, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification).  Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see [NU3042](NU3042.md).

docs/reference/errors-and-warnings/NU3028.md

@@ -24,6 +24,8 @@ On Windows only, this issue may occur the first time a root certificate is obser
 ### Solution
 Use a trusted and valid certificate. Check internet connectivity.
 
+For Linux and macOS, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification).  Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see [NU3042](NU3042.md).
+
 #### Revocation check mode
 > [!Note]
 > This option is available starting from NuGet 4.8.1.
@@ -52,4 +54,4 @@ For example, setting the environment variable to a value of `3,1000` like so:
 
 > [!Note]
 > NU3028 is raised as an error in most cases. 
-> When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3028 is raised as a warning in some cases.
+> When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3028 is raised as a warning in some cases.

docs/reference/errors-and-warnings/NU3042.md

@@ -0,0 +1,44 @@
+---
+title: NuGet Warning NU3042
+description: NU3042 warning code
+author: dtivel
+ms.author: dtivel
+ms.date: 03/22/2023
+ms.topic: reference
+ms.reviewer: 
+f1_keywords: 
+  - "NU3042"
+---
+
+# NuGet Warning NU3042
+
+*NuGet 6.6.0+ on Linux and macOS only*
+
+<pre>The following X.509 root certificate is untrusted because it is not present in the certificate bundle at &lt;file-path&gt;.  For more information, see documentation for NU3042.
+    Subject:  &lt;certificate subject&gt;
+    Fingerprint (SHA-256):  &lt;certificate fingerprint&gt;
+    Certificate (PEM):
+&lt;PEM-encoded certificate&gt;</pre>
+
+### Issue
+Warning NU3042 is raised when signed package verification failed because a root certificate was not found in the appropriate trusted root certificate bundle, either code signing or timestamping.  This warning will only be raised on Linux and macOS when signed package verification is enabled, never on Windows.  NU3042 should accompany an [NU3018](NU3018.md) or [NU3028](NU3028.md).
+
+Each .NET 7+ SDK release contains two root certificate bundles sourced from the [Microsoft Trusted Root Program](https://aka.ms/RootCert).  One certificate bundle contains all trusted roots valid for code signing, while the other contains all trusted roots valid for timestamping.  NuGet uses these certificate bundles on Linux and macOS when signed package verification is enabled.
+
+On Linux, NuGet will prefer a system-wide code signing certificate bundle over the .NET SDK's code signing certificate bundle.
+
+The root cause for NU3042 is likely one of the following:
+
+* (Linux only) The system-wide code signing certificate bundle does not contain the root certificate referenced in the warning.
+* The .NET SDK's certificate bundles are out of date.
+
+For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification).
+
+### Solution
+On Linux, if you trust the certificate and are using a system-wide code signing certificate bundle, consider adding the root certificate to the bundle.  This solution may not be suitable because it will grant system-wide trust.
+
+If the .NET SDK's certificate bundles are out-of-date, update to a more recent release of the .NET SDK.
+
+If all else fails, opt out of signed package verification by setting the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION` to `false` and [open an issue with the NuGet team](https://github.com/NuGet/Home/issues) to suggest how signed package verification can be improved on your platform.
+
+For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification).