The following X.509 root certificate is untrusted because it is not present in the certificate bundle issue in build pipeline after upgrade to 7.0.6

[SeppPenner]

Which version of Duende IdentityServer are you using?

7.0.6

Which version of .NET are you using?

.Net SDK 8.0.303

Describe the bug

Running dotnet restore -r win-x64 /builds/MyProject.sln leads to the following error:

/builds/MyProject.csproj : error NU3042: Warning As Error: Package 'Duende.IdentityServer 7.0.6' from source 'https://api.nuget.org/v3/index.json': The following X.509 root certificate is untrusted because it is not present in the certificate bundle at /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem.  For more information, see documentation for NU3042. [/builds/MyProject.sln]

To Reproduce

Build a project with Net8 and <TreatWarningsAsErrors>true</TreatWarningsAsErrors> set in the project file and reference Duende.IdentityServer, Version 7.0.6.

Expected behavior

No issue with the X509 certificate is thrown.

Log output/exception with stacktrace

The paths in the log are shortened for brevity only.

/builds/MyProject.csproj : error NU3042: Warning As Error: Package 'Duende.IdentityServer 7.0.6' from source 'https://api.nuget.org/v3/index.json': The following X.509 root certificate is untrusted because it is not present in the certificate bundle at /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem.  For more information, see documentation for NU3042. [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042:     Subject:  CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042:     Fingerprint (SHA-256):  7E76260AE69A55D3F060B0FD18B2A8C01443C87B60791030C9FA0B0585101A38 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042:     Certificate (PEM): [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: -----BEGIN CERTIFICATE----- [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: MIIFeDCCA2CgAwIBAgIQSyw7AQGLrSq8jHtbPu2QVzANBgkqhkiG9w0BAQwFADBW [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQD [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: EyRTZWN0aWdvIFB1YmxpYyBDb2RlIFNpZ25pbmcgUm9vdCBSNDYwHhcNMjEwMzIy [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: MDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBWMQswCQYDVQQGEwJHQjEYMBYGA1UEChMP [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: U2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQDEyRTZWN0aWdvIFB1YmxpYyBDb2RlIFNp [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: Z25pbmcgUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCN [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: 55QSIgQkdC7/FiMCkoq2rjaFrEfUI5ErPtx94jGgUW+shJHjUoq14pbe0IdjJImK [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: /+8Skzt9u7aKvb0Ffyeba2XTpQxpsbxJOZrxbW6q5KCDJ9qaDStQ6Utbs7hkNqR+ [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: Sj2pcaths3OzPAsM79szV+W+NDfjlxtd/R8SPYIDdub7P2bSlDFp+m2zNKzBenjc [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: klDyZMeqLQSrw2rq4C+np9xu1+j/2iGrQL+57g2extmeme/G3h+pDHazJyCh1rr9 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: gOcB0u/rgimVcI3/uxXP/tEPNqIuTzKQdEZrRzUTdwUzT2MuuC3hv2WnBGsY2HH6 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: zAjybYmZELGt2z4s5KoYsMYHAXVn3m3pY2MeNn9pib6qRT5uWl+PoVvLnTCGMOgD [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: s0DGDQ84zWeoU4j6uDBl+m/H5x2xg3RpPqzEaDux5mczmrYI4IAFSEDu9oJkRqj1 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: c7AGlfJsZZ+/VVscnFcax3hGfHCqlBuCF6yH6bbJDoEcQNYWFyn8XJwYK+pF9e+9 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: 1WdPKF4F7pBMeufG9ND8+s0+MkYTIDaKBOq3qgdGnA2TOglmmVhcKaO5DKYwODzQ [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: RjY1fJy67sPV+Qp2+n4FG0DKkjXp1XrRtX8ArqmQqsV/AZwQsRb8zG4Y3G9i/qZQ [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: p7h7uJ0VP/4gDHXIIloTlRmQAOka1cKG8eOO7F/05QIDAQABo0IwQDAdBgNVHQ4E [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: FgQUMuuSmv81lkgvKEBCcCA2kVwXheYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: /wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAHZlwuPXIkrXHYle/2lexhQCTXOm [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: zc0oyrA36r+nySGqql/av/aDbNCA0QpcAKTL88w5D55BcYjVPOiKe4wXI/fKNHSR [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: bAauUD8AWbImPDwXg1cDPi3RGj3UzwdUskMLUnKoiPXEF/Jv0Vil0WjkPZgIGO42 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: 9EhImvpUcPCI1HAWMEJJ0Nk/dUtFcdiuorthDoiFUFe5uhErNikfjyBynlyeidGC [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: 2kWNapnahHFrM6UQu3nwl/Z0gaA/V8eGjDCMDjiVrgHGHqvcqB9vL9f/dh6uF3Nt [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: 5bl1s2EGqJUzwk5vsjfylb6FVBK5yL1iQnb3Kvz1NzEDJlf+0ebb8BYCcoOMCLOE [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: rKnkB/ihiMQTWlBHVEKm7dBBNCyYsT6iNKEMXb2s9395p79tDFYyhRtLl7jhrOSk [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: PHHxo+FOY9b0Rrr1CwjhYzztolkvCtQsayOinqFN7tESzRgzUO1Bbst/PUFgC2ML [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: ePV170MVtzYLEK/cXBipmNk22R3YhLMGioLjexskp0LO7g8+VlwyfexL3lYrOzu6 [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: +XpY0FG2bNb2WKJSJHpEhqEcYD9J0/z6+YQcBcI0v+Lm8RkqmS9WVzWctfUHw0Yv [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: 3jg9GQ37o/HfE57nqXJYMa+96trX1m13MzOO9Kz9wb9Jh9JwBWd0Bqb2eEAtFgSR [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: Dx/TFsS4ehcNJMmy [/builds/MyProject.sln]
/builds/MyProject.csproj : error NU3042: -----END CERTIFICATE----- [/builds/MyProject.sln]

Additional context

Gitlab CI / CD pipeline.

[RolandGuijt]

Our NuGet packages are signed with a Sectigo certificate. Most of the time this is implicitly trusted, but in your environment it probably has to be trusted explicitly. Please see this doc for more information.

[RolandGuijt]

@SeppPenner Did this solve the issue for you? If so I would like to close.

[SeppPenner]

It seems like updating the underlying dotnet resolved the issue without having the need to explicitely trust the certificate as described in the docs.

This is solved :)