From a63d8f7955207255b2543c7da70d9f100db37feb Mon Sep 17 00:00:00 2001 From: Damon Tivel Date: Wed, 22 Mar 2023 16:57:39 -0700 Subject: [PATCH 1/3] Add NU3042 --- docs/TOC.md | 1 + docs/reference/Errors-and-Warnings.md | 2 +- docs/reference/errors-and-warnings/NU3042.md | 37 ++++++++++++++++++++ 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 docs/reference/errors-and-warnings/NU3042.md diff --git a/docs/TOC.md b/docs/TOC.md index c748393be..27dcbf2d6 100644 --- a/docs/TOC.md +++ b/docs/TOC.md @@ -226,6 +226,7 @@ ### [NU3037](reference/errors-and-warnings/NU3037.md) ### [NU3038](reference/errors-and-warnings/NU3038.md) ### [NU3040](reference/errors-and-warnings/NU3040.md) +### [NU3042](reference/errors-and-warnings/NU3042.md) ### [NU5000](reference/errors-and-warnings/NU5000.md) ### [NU5001](reference/errors-and-warnings/NU5001.md) ### [NU5002](reference/errors-and-warnings/NU5002.md) diff --git a/docs/reference/Errors-and-Warnings.md b/docs/reference/Errors-and-Warnings.md index a537a9d7f..e06106f95 100644 --- a/docs/reference/Errors-and-Warnings.md +++ b/docs/reference/Errors-and-Warnings.md 
@@ -47,7 +47,7 @@ NuGet supports the following configuration properties. | Package fallback warnings | [NU1701](./errors-and-warnings/NU1701.md) | | Feed warnings | [NU1801](./errors-and-warnings/NU1801.md), [NU1802](./errors-and-warnings/NU1802.md), [NU1803](./errors-and-warnings/NU1803.md) | | NuGet internal warnings | [NU1500](./errors-and-warnings/NU1500.md) | -| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md) | +| Signed packages warnings (creation and verification) | 
[NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md), [NU3042](./errors-and-warnings/NU3042.md) | | Pack Warnings | [NU5100](./errors-and-warnings/NU5100.md), [NU5101](./errors-and-warnings/NU5101.md), [NU5102](./errors-and-warnings/NU5102.md), [NU5103](./errors-and-warnings/NU5103.md), [NU5104](./errors-and-warnings/NU5104.md), [NU5105](./errors-and-warnings/NU5105.md), [NU5106](./errors-and-warnings/NU5106.md), [NU5107](./errors-and-warnings/NU5107.md), [NU5108](./errors-and-warnings/NU5108.md), [NU5109](./errors-and-warnings/NU5109.md), 
[NU5110](./errors-and-warnings/NU5110.md), [NU5111](./errors-and-warnings/NU5111.md), [NU5112](./errors-and-warnings/NU5112.md), [NU5114](./errors-and-warnings/NU5114.md), [NU5115](./errors-and-warnings/NU5115.md), [NU5116](./errors-and-warnings/NU5116.md), [NU5117](./errors-and-warnings/NU5117.md), [NU5118](./errors-and-warnings/NU5118.md), [NU5119](./errors-and-warnings/NU5119.md), [NU5120](./errors-and-warnings/NU5120.md), [NU5121](./errors-and-warnings/NU5121.md), [NU5122](./errors-and-warnings/NU5122.md), [NU5123](./errors-and-warnings/NU5123.md), [NU5127](./errors-and-warnings/NU5127.md), [NU5128](./errors-and-warnings/NU5128.md), [NU5129](./errors-and-warnings/NU5129.md), [NU5130](./errors-and-warnings/NU5130.md), [NU5131](./errors-and-warnings/NU5131.md), [NU5133](./errors-and-warnings/NU5133.md), [NU5500](./errors-and-warnings/NU5500.md), [NU5501](./errors-and-warnings/NU5501.md) | License specific Pack Warnings | [NU5124](./errors-and-warnings/NU5124.md), [NU5125](./errors-and-warnings/NU5125.md) | Icon specific Pack Warnings | [NU5046](./errors-and-warnings/NU5046.md), [NU5047](./errors-and-warnings/NU5047.md), [NU5048](./errors-and-warnings/NU5048.md) | diff --git a/docs/reference/errors-and-warnings/NU3042.md b/docs/reference/errors-and-warnings/NU3042.md new file mode 100644 index 000000000..31275c67f --- /dev/null +++ b/docs/reference/errors-and-warnings/NU3042.md @@ -0,0 +1,37 @@ +--- +title: NuGet Warning NU3042 +description: NU3042 warning code +author: dtivel +ms.author: dtivel +ms.date: 03/22/2023 +ms.topic: reference +ms.reviewer: +f1_keywords: + - "NU3042" +--- + +# NuGet Warning NU3042 + +*NuGet 6.6.0+ on Linux and macOS only* + +
The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>.  For more information, visit https://aka.ms/nuget/NU3042.
+    Subject:  <certificate subject>
+    Fingerprint (SHA-256):  <certificate fingerprint>
+    Certificate (PEM):
+<PEM-encoded certificate>
+ +### Issue +Warning NU3042 is raised when signed package verification failed because a root certificate was not found in the appropriate trusted root certificate bundle, either code signing or timestamping. This warning will only be raised on Linux and macOS when signed package verification is enabled, never on Windows. NU3042 should accompany an [NU3018](NU3018.md) or [NU3028](NU3028.md). + +Each .NET 7+ SDK release contains two root certificate bundles sourced from the [Microsoft Trusted Root Program](https://aka.ms/RootCert). One certificate bundle contains all trusted roots valid for code signing, while the other contains all trusted roots valid for timestamping. NuGet uses these certificate bundles on Linux and macOS when signed package verification is enabled. + +On Linux, NuGet will prefer a system-provided code signing certificate bundle, if present, over the .NET SDK's code signing certificate bundle. For more information, see [NuGet signed-package verification](https://learn.microsoft.com/dotnet/core/tools/nuget-signed-package-verification#linux). + +You will see NU3042 if a certificate bundle does not contain the root certificate referenced in the warning. This is likely because the .NET SDK's certificate bundles are out of date or on Linux you have an existing system certificate bundle which does not contain the root certificate referenced in the warning. + +### Solution +On Linux, if you are using a system-provided code signing certificate bundle, consider adding the root certificate to the bundle. This solution may not be suitable because it confers system-wide trust. + +If the .NET SDK's certificate bundles are out-of-date, update to a more recent release of the .NET SDK. 
+ +If all else fails, opt out of signed package verification by setting the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION` to `false` and [open an issue with the NuGet team](https://github.com/NuGet/Home/issues) to suggest how signed package verification can be improved on your platform. \ No newline at end of file From baf4dcfb73400c40feda3caedeaebd1db68aa515 Mon Sep 17 00:00:00 2001 From: Damon Tivel Date: Wed, 22 Mar 2023 17:07:59 -0700 Subject: [PATCH 2/3] Apply suggestion --- docs/reference/errors-and-warnings/NU3042.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/errors-and-warnings/NU3042.md b/docs/reference/errors-and-warnings/NU3042.md index 31275c67f..e4eb8584b 100644 --- a/docs/reference/errors-and-warnings/NU3042.md +++ b/docs/reference/errors-and-warnings/NU3042.md 
@@ -25,7 +25,7 @@ Warning NU3042 is raised when signed package verification failed because a root Each .NET 7+ SDK release contains two root certificate bundles sourced from the [Microsoft Trusted Root Program](https://aka.ms/RootCert). One certificate bundle contains all trusted roots valid for code signing, while the other contains all trusted roots valid for timestamping. NuGet uses these certificate bundles on Linux and macOS when signed package verification is enabled. -On Linux, NuGet will prefer a system-provided code signing certificate bundle, if present, over the .NET SDK's code signing certificate bundle. For more information, see [NuGet signed-package verification](https://learn.microsoft.com/dotnet/core/tools/nuget-signed-package-verification#linux). +On Linux, NuGet will prefer a system-provided code signing certificate bundle, if present, over the .NET SDK's code signing certificate bundle. For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification#linux). You will see NU3042 if a certificate bundle does not contain the root certificate referenced in the warning. This is likely because the .NET SDK's certificate bundles are out of date or on Linux you have an existing system certificate bundle which does not contain the root certificate referenced in the warning. From a913ec8717c661a50bb5706abf8b8bb291267f68 Mon Sep 17 00:00:00 2001 From: Damon Tivel Date: Mon, 27 Mar 2023 10:11:54 -0700 Subject: [PATCH 3/3] Apply feedback --- docs/reference/errors-and-warnings/NU3018.md | 2 ++ docs/reference/errors-and-warnings/NU3028.md | 4 +++- docs/reference/errors-and-warnings/NU3042.md | 17 ++++++++++++----- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/docs/reference/errors-and-warnings/NU3018.md b/docs/reference/errors-and-warnings/NU3018.md index 90cda228c..62f58ee6b 100644 --- a/docs/reference/errors-and-warnings/NU3018.md +++ b/docs/reference/errors-and-warnings/NU3018.md 
@@ -25,3 +25,5 @@ Please ensure that the package signature has a valid certificate chain. You can > [!Note] > When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3018 is raised as a warning. > When NuGet’s signature validation mode is set to require, or when running the `nuget verify -signatures` command, NU3018 is elevated from a warning to an error in most cases. + +For Linux and macOS, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification). Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see [NU3042](NU3042.md). \ No newline at end of file diff --git a/docs/reference/errors-and-warnings/NU3028.md b/docs/reference/errors-and-warnings/NU3028.md index bbb2e1e8e..eaa14485e 100644 --- a/docs/reference/errors-and-warnings/NU3028.md +++ b/docs/reference/errors-and-warnings/NU3028.md @@ -24,6 +24,8 @@ On Windows only, this issue may occur the first time a root certificate is obser ### Solution Use a trusted and valid certificate. Check internet connectivity. +For Linux and macOS, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification). Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see [NU3042](NU3042.md). + #### Revocation check mode > [!Note] > This option is available starting from NuGet 4.8.1. 
@@ -52,4 +54,4 @@ For example, setting the environment variable to a value of `3,1000` like so: > [!Note] > NU3028 is raised as an error in most cases. -> When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3028 is raised as a warning in some cases. +> When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3028 is raised as a warning in some cases. \ No newline at end of file diff --git a/docs/reference/errors-and-warnings/NU3042.md b/docs/reference/errors-and-warnings/NU3042.md index e4eb8584b..57c74bd3a 100644 --- a/docs/reference/errors-and-warnings/NU3042.md +++ b/docs/reference/errors-and-warnings/NU3042.md @@ -14,7 +14,7 @@ f1_keywords: *NuGet 6.6.0+ on Linux and macOS only* -
The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>.  For more information, visit https://aka.ms/nuget/NU3042.
+
The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>.  For more information, see documentation for NU3042.
     Subject:  <certificate subject>
     Fingerprint (SHA-256):  <certificate fingerprint>
     Certificate (PEM):
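Review bot: The changed first line of the sample message replaces "visit https://aka.ms/nuget/NU3042" with "see documentation for NU3042", so the sample may no longer match the text the NuGet client prints. Readers find this page by pasting the message from their build output. Confirm the client's string changed in the same release, and if it still emits the aka.ms link, keep the URL here. If the wording differs between client versions, say which version prints which form next to the "NuGet 6.6.0+" line.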
@@ -25,13 +25,20 @@ Warning NU3042 is raised when signed package verification failed because a root
 
 Each .NET 7+ SDK release contains two root certificate bundles sourced from the [Microsoft Trusted Root Program](https://aka.ms/RootCert).  One certificate bundle contains all trusted roots valid for code signing, while the other contains all trusted roots valid for timestamping.  NuGet uses these certificate bundles on Linux and macOS when signed package verification is enabled.
 
-On Linux, NuGet will prefer a system-provided code signing certificate bundle, if present, over the .NET SDK's code signing certificate bundle.  For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification#linux).
+On Linux, NuGet will prefer a system-wide code signing certificate bundle over the .NET SDK's code signing certificate bundle.
 
-You will see NU3042 if a certificate bundle does not contain the root certificate referenced in the warning.  This is likely because the .NET SDK's certificate bundles are out of date or on Linux you have an existing system certificate bundle which does not contain the root certificate referenced in the warning.  
+The root cause for NU3042 is likely one of the following:
+
+* (Linux only) The system-wide code signing certificate bundle does not contain the root certificate referenced in the warning.
+* The .NET SDK's certificate bundles are out of date.
+
+For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification).
 
 ### Solution
-On Linux, if you are using a system-provided code signing certificate bundle, consider adding the root certificate to the bundle.  This solution may not be suitable because it confers system-wide trust.
+On Linux, if you trust the certificate and are using a system-wide code signing certificate bundle, consider adding the root certificate to the bundle.  This solution may not be suitable because it will grant system-wide trust.
 
 If the .NET SDK's certificate bundles are out-of-date, update to a more recent release of the .NET SDK.
 
-If all else fails, opt out of signed package verification by setting the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION` to `false` and [open an issue with the NuGet team](https://github.com/NuGet/Home/issues) to suggest how signed package verification can be improved on your platform.
\ No newline at end of file
+If all else fails, opt out of signed package verification by setting the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION` to `false` and [open an issue with the NuGet team](https://github.com/NuGet/Home/issues) to suggest how signed package verification can be improved on your platform.
+
+For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification).
\ No newline at end of file
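Review bot: The rewritten line "On Linux, NuGet will prefer a system-wide code signing certificate bundle over the .NET SDK's code signing certificate bundle." drops the "if present" qualifier of the sentence it replaces, so it now reads as if a system-wide bundle always exists on Linux. Restore the condition, because the "(Linux only)" root-cause bullet only applies when such a bundle is installed. The "For more information, see [NuGet signed-package verification]" paragraph is added twice, after the root-cause list and again at the end of Solution. Keep one, and consider keeping the `#linux` anchor the removed link had. The opt-out step sets `DOTNET_NUGET_SIGNATURE_VERIFICATION` to `false`, which turns off signed package verification as a whole rather than trusting the one missing root. The text should state that consequence and present the step as temporary. Minor: "out of date" and "out-of-date" are both used, and the file still ends without a newline.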
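Review bot: In docs/reference/errors-and-warnings/NU3028.md, the hunk at `@@ -52,4 +54,4 @@` only removes the file's final newline. Its `-` and `+` lines are otherwise identical, so this is unrelated whitespace churn. Revert it so the file's diff carries just the added cross-reference paragraph under Solution. The NU3018.md hunk has the same problem in the other direction: its new last paragraph is added with "\ No newline at end of file", so end that file with a newline as well.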