NuGet package restore broken on .NET 5+ with Removal of Trust of VeriSign CA #180

Open
richlander opened this issue Apr 5, 2021 · 0 comments

richlander (Member) commented Apr 5, 2021

NuGet package signing verification relies on the VeriSign Universal Root Certification Authority as part of establishing a chain-of-trust for NuGet packages. VeriSign Universal Root Certification Authority was recently removed from NSS and ca-certificates packages. This removal effectively breaks NuGet package signing verification, which has the result of breaking the ability to restore NuGet packages.

This break in behavior is only observed with .NET 5 and .NET 6, which have NuGet package verification enabled (and it cannot be disabled). .NET 5 NuGet Restore Failures on Linux distributions have been observed on some distros already, and we expect them to become pervasive quickly as more distros are updated to include more recent versions of NSS and ca-certificates (with the VeriSign CA removed). We are in the process of releasing updated builds of .NET 5 and .NET 6 that have NuGet package verification disabled on Linux and macOS.

We need developers, companies, and commercial providers to install (or otherwise use) updated builds of .NET 5 and .NET 6 if you rely on those .NET versions on Linux. If you adopt the updated .NET versions soon, you should not observe a break in functional behavior, and will be able to confidently update to newer versions of NSS and ca-certificates packages.

Updates:

Discussion

Please share your feedback on this topic and see what others are saying at:

NuGet/Home#10712

Updated .NET builds

New .NET builds will be provided with NuGet package verification disabled on Linux and macOS. The following are the expected release dates:

New container images will be published for Alpine, Debian, and Ubuntu on both of these dates, for the respective releases.

These builds include significant additional functionality beyond disabling NuGet package verification. We originally planned to release these builds as regular releases for all supported operating systems and architectures, targeting April 13th. We made two changes from our original release plan: earlier release dates, and including the change in NuGet functionality for Linux and macOS.

Who is affected

.NET 5+ users will be affected on any operating system that has removed the VeriSign Universal Root Certification Authority. We are maintaining a list of Linux distros that are known to be affected.

nuget.exe is sometimes used on Linux with Mono. This scenario is not affected.

There has been an industry-wide movement to distrust the VeriSign root CA, including companies like Apple, Google, Microsoft, and Mozilla. This may mean that at any time in the future, Apple and Microsoft can remove VeriSign Universal Root Certification Authority from their trusted root CA list.

Solution

The NuGet team has disabled the package verification feature for macOS and Linux. If needed, we will disable the feature for Windows at a later time. This change will be available in the updated .NET builds covered earlier.

We are also talking to some Linux distro package maintainers to ask them to delay the removal of the VeriSign Universal Root Certification Authority (for code signing only). Even a month of grace would help a lot, to enable .NET users on Linux to adopt the newer .NET 5 and .NET 6 builds.

To clarify, this change does not affect .NET Core 3.1 and earlier versions. It does not affect .NET Framework. It does not affect any .NET functionality on Windows, at least not at this time.

More Context

We observed NuGet Restore Issues on Debian Family Linux Distros in January 2021. This led us to discover that there has been an industry-wide movement to remove the VeriSign Universal Root Certification Authority.

NuGet has historically relied on two key certificates:

  • NuGet Microsoft Author Signing Certificate Update - Expired January 27th, 2021
  • NuGet.org Repository Signing Certificate Update - Expires April 14th, 2021

After those certificates expire, the NuGet client falls back to timestamp verification, which enables package verification to still function. The timestamp verification relies on VeriSign root certificate authority. The absence of this root certificate authority being available on a machine means that timestamp verification is no longer functional, which causes package signature verification to fail.

Security is very important to us. We are putting together a plan to use a new system that will allow us to re-enable package signing verification on all supported operating systems. We will have more to share on our future plans once we are sure that all systems are once again functional.

.NET 5 NuGet Restore Failures on Linux distributions provides more details on error messages, affected environments, and solutions.
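A defender-side pre-check for the failure mode described above: inspect the host's trust store (as OpenSSL loads it) for the VeriSign Universal Root Certification Authority that NuGet's timestamp verification chains to, so a CI image or build host can be flagged before restore breaks. This is an added example, not code from the issue or the NuGet project; the CA common name comes from the issue text, and the sample store entries are constructed.

```python
"""Check whether the host trust store still carries the VeriSign Universal Root
CA that the NuGet client's timestamp verification needs on .NET 5/6.
Standard library only; runs offline against a constructed sample too."""
import ssl
from typing import Optional

# Common name of the root named in the issue (the only field we key on).
EXPECTED_CN = "VeriSign Universal Root Certification Authority"

# Constructed sample in the shape SSLContext.get_ca_certs() returns
# (subject is a tuple of RDNs, each a tuple of (attribute, value) pairs).
SAMPLE_STORE = [
    {"subject": ((("commonName", "Example Root CA"),),),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},                  # constructed
    {"subject": ((("countryName", "US"),),
                 (("commonName", EXPECTED_CN),)),
     "notAfter": "Dec  1 23:59:59 2037 GMT"},                  # constructed
]


def subject_field(cert: dict, key: str) -> Optional[str]:
    """Pull one subject attribute (e.g. 'commonName') out of a cert dict."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def find_verisign_universal_root(certs: list) -> Optional[dict]:
    """Return the first entry whose CN is the VeriSign Universal Root, or None
    if the distro's ca-certificates/NSS update has already dropped it."""
    for cert in certs:
        if subject_field(cert, "commonName") == EXPECTED_CN:
            return cert
    return None


def nuget_timestamp_root_status(certs: list) -> str:
    """One-line verdict suitable for a build-host inventory or CI gate."""
    root = find_verisign_universal_root(certs)
    if root is None:
        return "MISSING: VeriSign Universal Root CA not trusted; NuGet restore on .NET 5/6 will fail"
    return f"PRESENT: VeriSign Universal Root CA trusted (notAfter={root.get('notAfter', 'unknown')})"


def load_system_ca_certs() -> list:
    """Load the CA certificates from OpenSSL's default trust locations."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    print("sample store:", nuget_timestamp_root_status(SAMPLE_STORE))
    print("system store:", nuget_timestamp_root_status(load_system_ca_certs()))
```

A MISSING result on a host means the updated .NET 5/6 builds described above are required there, independent of which NuGet feed is used.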

dotnet locked and limited conversation to collaborators Apr 5, 2021
richlander changed the title from "NuGet package restore broken on .NET 5+ with Removal of Trust of Verisign CA" to "NuGet package restore broken on .NET 5+ with Removal of Trust of VeriSign CA" Apr 6, 2021