NuGet restore using locked-mode fails signing verification

Which version of Duende IdentityServer are you using? 7.0.6

Which version of .NET are you using? 8.0.303

Describe the bug We are building our application using Linux (docker).

After upgrading from 7.0.5 to 7.0.6 we have started receiving NU3042 errors when trying to restore the packages for the application using locked-mode.

We cannot replicate this behaviour on Windows.

To Reproduce

Upgrade an application using 7.0.5 of Duende IdentityServer to 7.0.6. Build the application in Linux (docker) and use the following command to restore the NuGet packages: dotnet restore --locked-mode

Expected behavior

No error when restoring the Duende.IdentityServer packages using locked-mode.

Log output/exception with stacktrace

error NU3042: Warning As Error: Package 'Duende.IdentityServer.EntityFramework 7.0.6' from source 'https://<nuget server>/nuget/v3/index.json': The following X.509 root certificate is untrusted because it is not present in the certificate bundle at /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem.  For more information, see documentation for NU3042.
error NU3042:     Subject:  CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
error NU3042:     Fingerprint (SHA-256):  7E76260AE69A55D3F060B0FD18B2A8C01443C87B60791030C9FA0B0585101A38
error NU3042:     Certificate (PEM):
error NU3042: -----BEGIN CERTIFICATE-----
error NU3042: MIIFeDCCA2CgAwIBAgIQSyw7AQGLrSq8jHtbPu2QVzANBgkqhkiG9w0BAQwFADBW
error NU3042: MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQD
error NU3042: EyRTZWN0aWdvIFB1YmxpYyBDb2RlIFNpZ25pbmcgUm9vdCBSNDYwHhcNMjEwMzIy
error NU3042: MDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBWMQswCQYDVQQGEwJHQjEYMBYGA1UEChMP
error NU3042: U2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQDEyRTZWN0aWdvIFB1YmxpYyBDb2RlIFNp
error NU3042: Z25pbmcgUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCN
error NU3042: 55QSIgQkdC7/FiMCkoq2rjaFrEfUI5ErPtx94jGgUW+shJHjUoq14pbe0IdjJImK
error NU3042: /+8Skzt9u7aKvb0Ffyeba2XTpQxpsbxJOZrxbW6q5KCDJ9qaDStQ6Utbs7hkNqR+
error NU3042: Sj2pcaths3OzPAsM79szV+W+NDfjlxtd/R8SPYIDdub7P2bSlDFp+m2zNKzBenjc
error NU3042: klDyZMeqLQSrw2rq4C+np9xu1+j/2iGrQL+57g2extmeme/G3h+pDHazJyCh1rr9
error NU3042: gOcB0u/rgimVcI3/uxXP/tEPNqIuTzKQdEZrRzUTdwUzT2MuuC3hv2WnBGsY2HH6
error NU3042: zAjybYmZELGt2z4s5KoYsMYHAXVn3m3pY2MeNn9pib6qRT5uWl+PoVvLnTCGMOgD
error NU3042: s0DGDQ84zWeoU4j6uDBl+m/H5x2xg3RpPqzEaDux5mczmrYI4IAFSEDu9oJkRqj1
error NU3042: c7AGlfJsZZ+/VVscnFcax3hGfHCqlBuCF6yH6bbJDoEcQNYWFyn8XJwYK+pF9e+9
error NU3042: 1WdPKF4F7pBMeufG9ND8+s0+MkYTIDaKBOq3qgdGnA2TOglmmVhcKaO5DKYwODzQ
error NU3042: RjY1fJy67sPV+Qp2+n4FG0DKkjXp1XrRtX8ArqmQqsV/AZwQsRb8zG4Y3G9i/qZQ
error NU3042: p7h7uJ0VP/4gDHXIIloTlRmQAOka1cKG8eOO7F/05QIDAQABo0IwQDAdBgNVHQ4E
error NU3042: FgQUMuuSmv81lkgvKEBCcCA2kVwXheYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB
error NU3042: /wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAHZlwuPXIkrXHYle/2lexhQCTXOm
error NU3042: zc0oyrA36r+nySGqql/av/aDbNCA0QpcAKTL88w5D55BcYjVPOiKe4wXI/fKNHSR
error NU3042: bAauUD8AWbImPDwXg1cDPi3RGj3UzwdUskMLUnKoiPXEF/Jv0Vil0WjkPZgIGO42
error NU3042: 9EhImvpUcPCI1HAWMEJJ0Nk/dUtFcdiuorthDoiFUFe5uhErNikfjyBynlyeidGC
error NU3042: 2kWNapnahHFrM6UQu3nwl/Z0gaA/V8eGjDCMDjiVrgHGHqvcqB9vL9f/dh6uF3Nt
error NU3042: 5bl1s2EGqJUzwk5vsjfylb6FVBK5yL1iQnb3Kvz1NzEDJlf+0ebb8BYCcoOMCLOE
error NU3042: rKnkB/ihiMQTWlBHVEKm7dBBNCyYsT6iNKEMXb2s9395p79tDFYyhRtLl7jhrOSk
error NU3042: PHHxo+FOY9b0Rrr1CwjhYzztolkvCtQsayOinqFN7tESzRgzUO1Bbst/PUFgC2ML
error NU3042: ePV170MVtzYLEK/cXBipmNk22R3YhLMGioLjexskp0LO7g8+VlwyfexL3lYrOzu6
error NU3042: +XpY0FG2bNb2WKJSJHpEhqEcYD9J0/z6+YQcBcI0v+Lm8RkqmS9WVzWctfUHw0Yv
error NU3042: 3jg9GQ37o/HfE57nqXJYMa+96trX1m13MzOO9Kz9wb9Jh9JwBWd0Bqb2eEAtFgSR
error NU3042: Dx/TFsS4ehcNJMmy
error NU3042: -----END CERTIFICATE-----

Additional context

We are using the standard dotnet 8.0-jammy sdk image as the base. All other packages used by the application are restoring successfully.

DuendeSoftware / Support

NuGet restore using locked-mode fails signing verification #1357