-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DotNetCoreCLI restore - No credentials are available in the security package #10399
Comments
@alexmullans can you take a look at this |
I believe this is due to a known issue in dotnet 2.1.500 when the key starts with a number. Could you please try using a newer version of .NET Core (via https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/tool/dotnet-core-tool-installer?view=azure-devops) and see if that solves the issue? We added a workaround to prefix the generated feed names with "feed-", but it looks like that workaround didn't get into 2019 RTW. The suggested fix however is still to avoid .NET Core 2.1.500. |
@zarenner, thanks, but we are using dotnet\sdk\2.2.101 I was able to work around the problem by taking the generated NuGet.config and adjusting the feed name like you suggested. The only problem is now we need to hard code the NuGet.config. |
@kstabins I tried the following steps and ran my build multiple times. Occasionally it succeeds but mostly not, therefore I cannot state whether these steps have any impact.
I've no idea why it would be temperamental. But this is a big problem for us as it means packages are very difficult to upgrade. @zarenner Any idea when this will be in a patch release? |
@kstabins I believe 2.1.101 may also be affected. I know that 2.1.100 is affected. @nkolev92 may know. @NeoXtreem If you mean when the workaround we added made it into Azure DevOps Server (on-premises), I don't know off-hand. Links for reference: |
2.2.100 and 2.1.500 carry the same NuGet bits, so it is affected. More info in the release notes: https://docs.microsoft.com/en-us/nuget/release-notes/nuget-4.9-rtm#summary-whats-new-in-492 |
Thanks, that's a very useful page. According to that though, looks like 2.2.101 (which @kstabins said they're using) has nuget 4.9.2 though, which should have the fix? |
@zarenner, I don't think the commit you mentioned made it to Azure DevOps 2019 so it's not available on-prem yet. |
|
@zarenner Are you suggesting that if I upgrade .NET Core on the CI server to 2.2 (it's currently on 2.1), then this may solve the problem? |
Assuming that the encoding issue is the cause of your issue (there are other reasons why you might be getting "No credentials are available in the security package"), then yes, upgrading either to the latest 2.1 or 2.2 SDK should solve it. The specific SDK versions are problematic, not 2.1 vs 2.2 overall. Have you confirmed that you have the same issue as @kstabins? |
@zarenner Yes, I am getting that error and I have the encoding mismatch in the generate tempNuGet.config file (the GUID key is prefixed with "x0030" in |
Cool, then upgrading your .NET Core SDK should fix it. |
@zarenner Just to note, I did add a .NET Core SDK Installer step in my build pipeline specifying version 2.2.300 which is then used for the subsequent dotnet restore, but it still failed. Is that what you would expect, and that I should still upgrade the SDK on the server? And what's more interesting is that I tried @kstabin's workaround of including my own NuGet.config as a copy of the temporary one generated, and just changing the key in And an aside (not sure if relevant), if I try putting my own credentials in |
@zarenner We updated to .Net Core 2.2.300 and we still receive the same error. |
As @kstabins found also, it doesn't fix it. As a workaround, I've resorted to using NuGet restore instead with a preceding NuGet Tool Installer step specifying version 5.1.0. Poor show by the Azure Pipelines team on this really. |
Hi @NeoXtreem and @kstabins, Sorry for the delay. I'm glad you've found a workaround. I completely agree with you and apologize that we (as Azure Artifacts and the NuGet/dotnet team) have dropped the ball in many ways on making auth a good experience today. The truth is that throughout the history of the NuGet client, there have been a number of auth-related issues that have often required us to implement workarounds in the build tasks. That has sometimes led to further issues, or at least inconsistencies between tasks in how they do auth especially as new versions of nuget/dotnet come out. In this particular case, I believe what's happening is:
Moving forward, we're planning to introduce build tasks that set up the credential provider for you so you can then simply use dotnet or nuget on their own without needing the existing dotnet/NuGet build tasks at all. However, it will be still a while until these tasks make it into Azure DevOps Server. Adding @infin8x, @elbatk, @zjrunner, @rrelyea, and @nkolev92 to make them aware of these issues and hopefully increase our team's priority on making auth "just work" and adding appropriate documentation. Also adding @jmyersmsft since he has context on NuGet's NTLM issues in case I've misstated something. |
@zarenner, NuGet/Home#5286 was fixed in NuGet 5.0 which is released. Should the dotnet task (or .NET Core SDK?) be upgraded to use this version, to fix the issue properly? Also, your colleague Krishna Verma from Microsoft Support contacted me (I raised a support request via our MPN Partner support plan), and he suggested this solution which uses a Command Line task to call dotnet.exe directly. As with the poster of that solution, this works, and I guess it's because it also uses the credential provider mechanism, and is unaffected by the NTLM authentication issue. But I think my own workaround is better as it avoids command lines and absolute paths. Please let me know your thoughts on the above, and whether I should continue using my existing workaround until you introduce the new build task. |
@NeoXtreem my understanding of that 'fix' is that is it's simply the added support for ValidAuthenticationTypes (which still must be specified, so it's not an 'automatic' fix). @nkolev92 in case there are more changes than that. Therefore I'm not sure that upgrading the dotnet pipelines task to use a new SDK (which you can already do with a tool installer task) is worthwhile for this issue. Directly invoking 'dotnet' via a script/cmdline task will be be our strong recommendation going forward once the auth tasks are ready, so if a solution involving directly invoking 'dotnet' works for you today, I would recommend that. Specifying an absolute path shouldn't be necessary at least when using a Tool Installer task, which should be putting it on the path. |
The fix for 5286 on its own does indeed only add support for reading ValidAuthenticationTypes from the config. My guess is that the build agent is running as a Windows domain user which has access to the feed, and when running dotnet.exe directly, there's an environmental difference such that credentials from the config are (for whatever reason) not being picked up at all, so NuGet is actually authenticating as that Windows domain user over NTLM/Kerberos rather than authenticating as the build identity. |
Yeah that seems likely. As such, @NeoXtreem here's some options:
|
@zarenner I'm not running 'dotnet', as I mentioned earlier:
^This seems to be a fifth option to your list. Would you not agree? If so, then I would prefer to continue using this option (as it works) until your option 3 is possible. The other options seem overkill given the current workaround and upcoming solution (also mentioned by @elbatk in #10800). |
Sorry, I interpreted your message as that you had also tried directly invoking dotnet and it worked. Completely agree. If you only build on Windows, then using the NuGetCommand task is definitely also a valid workaround and probably easiest. If you're building across multiple platforms, the other workarounds may be easier today and may closer match our recommendations in the future. I've updated my previous comment, thanks. |
We face the same problem. Unbelievable! |
@phil-hodgson |
We have just update our Azure DevOps server yesterday and seem to have the some problem with one of our projects that have been updated from .Net Core 2.2 to .Net Core 3.1. (We had the same issue before upgrading the DevOps server but thought it might solve the problem since this thread is quite old now). Any news on a fix to this problem? I've been through the entire thread and tried all solutions mentioned here with no luck. I have not tried edit the NuGet.Config file with the solution from MarkKharitonovs reply as I cannot find the location of this file in my solution or in my build pipiline. |
I don't think a If I remember correctly, Visual Studio looks for any file called Here is an example of one of my
|
I am having Similar problems I don't understand what is going on the I am running azure devops 2019 onprem the VSTS Agent is running as [DOMAIN]\svc_azureDevops I have followed these steps and added this user as owner of the Azure Artifacts feed and i still get get the credential issue above. |
If you're still experiencing auth issues, please add NuGet Authenticate task in the beginning of the pipeline. You may want to create a separate script that runs the dotnet command that you need if the dotnet task still isn't working after you've added the NuGet Authenticate task. If you're using the latest version of the on premise Azure DevOps Server, you can use the script described here to add the auth tasks to your on prem instance. |
Thanks, I figured out I needed to restart the VSTS Service Agent and the permissions were applied |
Hi, I am stuck with this issue again. This is only happening because I set up a new agent on a new server (WIndows 2019) on my original server which is also hosting Azure devops I do not have this issue. |
A co-worker found a work around. We used --force command argument described here which solved the issue.https://stackoverflow.com/questions/53430896/nuget-restore-fails-on-azure-devops-with-message-unable-to-load-the-service-ind |
Indeed had the same error when using dotnet restore task in yaml in Azure DevOps 2019 server . Agent service is running under service account instead I've replaced the dotnet restore task with a powershell task that uses the following code :
Here we are using a Nuget.config to list the sources used (one Azure Artifact feed and one Nuget.org) hope this workaround helps others |
I am also having the originally described issue. For now, I am using the NuGet restore work-around. |
@ChristoWolf, NuGet Authenticate task can be used with dotnet as well. In your yaml you can do something similar to below.
|
@satbai: Thanks for the hint, I of course also wanted to try that before posting, but I do not have that task available. |
Hi, got redirected here from by Microsoft trough a thread I created in Microsoft Developer Community. |
I'm still having this issue with dotnet 3.1. Am I supposed to make some workaround to get this to work? This has been as issue since May last year. |
I am using the Microsoft Visual Studio Team Foundation Server Version 16.131.28507.4. The package (.net core 3.1)was builded and published to TFS feed. I can reference to the package locally without any problem. I got same error when I setup the build for my project, the restore task failed on TFS. |
Please fix this problem on Azure DevOps Server - it has been open for over a year now. (dotnet 3.1) |
Azure DevOps Server 2020 release comes with the NuGet Authenticate task and the RC1 is out. |
Since I encountered the issue during a customer engagement and waiting for Azure DevOps Server 2020 is no option in our case, here's a workaround that seems to work for all .NET Core versions: Prerequisites:
Build the latest version of the DotNetCoreCLIV2 task:
Publish the task to your Azure DevOps collections:
These steps update the dotnet task that comes with the Azure DevOps server installation to the latest version. Any future update overwrites the manually installed task so there's no risk of applying this workaround. |
@ReneSchumacher Did you receive a response from the product group regarding the overwrite during an update. |
@timmkrause Sorry for not updating my comment properly. The PG was unsure so I ran my own tests and can confirm that future updates are indeed applied. I'll also update my original comment so all information is in one place. |
@ReneSchumacher The code on It seems line 75 needs to be changed from
to
Works on my machine certified. Do you think it makes sense to edit your solution/comment? |
This issue has been resolved with Azure DevOps Server 2020 and the task now works as expected:
|
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days |
Question, Bug, or Feature?
Type: Bug
Enter Task Name: DotNetCoreCLI
Environment
Server - Azure Pipelines
Agent - Private:
Issue Description
donet restore actions fail when using Azure Artifacts.
The generated tempNuGet.config key does not match the xml element in the packageSourceCredentials.
Task logs
error : Unable to load the service index for source
error : No credentials are available in the security package
log.txt
The text was updated successfully, but these errors were encountered: