Nuget errors when restoring dotnet app inside Docker

[kiddieverts]

Describe the Bug

When I create a new dotnet app using dotnet new console and then dockerize the app and try to build the docker file I get many errors about author's signatures.

(I get this error both in my CI pipeline and also running docker build . locally.)

Steps to Reproduce

Make sure you are on dotnet 5

dotnet --version

I am running on 5.0.101

Run mkdir dktest

Run cd dktest

Run dotnet new console

Edit dktest.csproj and add these lines inside the <Project> tag:

 <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.1" NoWarn="NU3028" />
  </ItemGroup>

create this Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /source

COPY *.csproj .
RUN dotnet restore

COPY . .
RUN dotnet publish -c release -o /app --no-restore

FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]

Run docker build .

Other Information

Here are the error message I get:

/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
  Failed to restore /source/dktest.csproj (in 4.09 sec).
The command '/bin/sh -c dotnet restore' returned a non-zero code: 1

Output of docker version

Client: Docker Engine - Community
Cloud integration: 1.0.7
Version: 20.10.2
API version: 1.41
Go version: go1.13.15
Git commit: 2291f61
Built: Mon Dec 28 16:12:42 2020
OS/Arch: darwin/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.2
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 8891c58
Built: Mon Dec 28 16:15:28 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Output of docker info

Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
scan: Docker Scan (Docker Inc., v0.5.0)

Server:
Containers: 19
Running: 2
Paused: 0
Stopped: 17
Images: 286
Server Version: 20.10.2
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.121-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 7.778GiB
Name: docker-desktop
ID: W7I4:I2W7:3YAY:OVGQ:S5Y4:FPXT:A2AS:WHZH:YEGU:363R:YGN2:7K2O
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 57
Goroutines: 58
System Time: 2021-01-27T13:58:45.5826594Z
EventsListeners: 3
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

[Gounlaf]

Related to NuGet/Home#10491

[ajuch]

having the same problem:

docker run -it --rm mcr.microsoft.com/dotnet/sdk:5.0-buster-slim
dotnet new console
dotnet add package Microsoft.Extensions.FileProviders.Physical --version 2.1.0```

looks like it's related to https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/

[kiddieverts]

Found a workaround after reading this article:

https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/#client-policy

Create a file called NuGet.Config in the project directory and add this text to it:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

  <config>
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>

</configuration>

Make sure there is a solution file so the Nuget.Config file will be in the correct scope.

Update the Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /app

COPY dktest.csproj .
# Make sure you copy the Nuget.Config file or else this will not work
COPY ./NuGet.Config .
# Make sure you copy the solution file or else this will not work
COPY ./dktest.sln . 

RUN dotnet restore

COPY . .

RUN dotnet publish -c release -o /app --no-restore

FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]

[withkittens]

The workaround doesn't work if a package is not updated to use new signing certificate. For example, Microsoft.CSharp/4.7.0.

[kapitanov]

It seems I've got a working fix!

Put the following into your 'nuget.config` (at solution file level):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>

  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>

</configuration>

Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?

[DCNick3]

Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?

It works, but not for all packages. For example, SQLitePCLRaw.lib.e_sqlite3 still fails with NU3034 & NU3028

[codelikemmk]

Same issue as #2548

[olekdes]

I faced the same issue. The reply #2548 (comment) helped me.
In my Dockerfile I replaced two base images

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS build

with these ones

FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build

and it solved my problem.

You can find lists of available images on these Microsoft dockerhub pages
https://hub.docker.com/_/microsoft-dotnet-aspnet
https://hub.docker.com/_/microsoft-dotnet-sdk

[ciacco85]

same issue here! @OleksiiDesiatnichenko suggestion solved the issue

[davidzwa]

@ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to -focal:

The problem lies in the SDK version, not the runtime:
Use mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim to get the patched version from 10 hours ago.

Sources of info:

NuGet/Announcements#49

https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/

https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md

[filariow]

Hi @davidzwa, is there a version of the buster (non slim) image with the ca patch?
We're relying on some functionalities, like inotify, that seems not to work in the -slim image.

[MichaelSimons]

@davidzwa, what image tag were you previously using? You should only need to use the ca-patch tags if you were previously using a 5.0 debian sdk image.

[davidzwa]

Ah my bad @MichaelSimons, I was using buster-slim to begin with.
The table in the link I sent NuGet/Announcements#49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk

@filariow please check that link to find the images available.

[r-cass]

By my side my solution got tons of package issued from multiple publishers.
I've managed to get it working by adding cert signature (SHA256) and package owners <owners> in NuGet.Config such as:

<trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <owners>microsoft;aspnet;nuget;domaindrivendev;dotnetframework</owners>
    </repository>
  </trustedSigners>

Certificate signatures and owners can be found in console output by changing verbosity level like this RUN dotnet restore "./project.csproj" -v d

[davidzwa]

@r-cass you're missing the fix by the docker image devs and solution I posted:

Ah my bad @MichaelSimons, I was using buster-slim to begin with.
The table in the link I sent NuGet/Announcements#49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk

@filariow please check that link to find the images available.

mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-* images have the patch.

[r-cass]

@davidzwa You're right, i didn't notice! I will try this one, thanks!

[lnaie]

@ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to -focal:

The problem lies in the SDK version, not the runtime:
Use mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim to get the patched version from 10 hours ago.

Sources of info:

NuGet/Announcements#49

https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/

https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md

That worked. Thanks!

[MichaelSimons]

Closing this as a duplicate of NuGet/Home#10491. Please follow the guidance at NuGet/Announcements#49, and specifically the workaround for users of the .NET Docker images at NuGet/Announcements#49 (comment).

[Subodh-frnd02]

Still having issues in dotnet restore
.056 /usr/share/dotnet/sdk/6.0.200/NuGet.targets(130,5): error : The SSL connection could not be established, see inner exception