Closed sabinaqurbanova closed 3 months ago
@erdembayar
@sabinaqurbanova Thank you for creating this issue.
dotnet --version
details and VS
version?nuget.config
file in it?
If yes then does it have trustedSigners
section in it?
Or check your detault one %AppData%\NuGet\NuGet.config
dotnet nuget verify system.security.accesscontrol.4.7.0.nupkg -v d
from C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\system.security.accesscontrol\4.7.0
and share with us?Alternatively you can create issue with https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio?view=vs-2022 where it picks up necessary ambient information during feedback creation.
1) "dotnet --version" result:
C:\Users\sabina>dotnet --version
8.0.101
My VS version: Visual Studio 2022 v17.8.5
2) content of "%AppData%\NuGet\NuGet.config" is:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
</configuration>
i ddnt understand what u mean with: "Could you please check code repository root has a nuget.config file in it?", what means "code repository root"?
3) result of "dotnet nuget verify":
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\system.security.accesscontrol\4.7.0\system.security.accesscontrol.4.7.0.nupkg
Signature Hash Algorithm: SHA256
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
SHA1 hash: F404000FB11E61F446529981C7059A76C061631E
SHA256 hash: 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE
Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid from: 26.02.2018 04:00:00 to 27.01.2021 16:00:00
trace: Subject Name: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
trace: SHA256 hash: 51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 22.10.2013 17:00:00 to 22.10.2028 16:00:00
trace: Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace: SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 10.11.2006 04:00:00 to 10.11.2031 04:00:00
Timestamp: 15.11.2019 13:52:52
Verifying author primary signature's timestamp with timestamping service certificate:
Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Valid from: 23.12.2017 04:00:00 to 23.03.2029 03:59:59
trace: Subject Name: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace: SHA1 hash: 6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4
trace: SHA256 hash: F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A
trace: Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace: Valid from: 12.01.2016 04:00:00 to 12.01.2031 03:59:59
trace: Subject Name: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace: SHA1 hash: 3679CA35668772304D30A5FB873B0FA77BB70D54
trace: SHA256 hash: 2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C
trace: Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace: Valid from: 02.04.2008 05:00:00 to 02.12.2037 03:59:59
debug: author primary signature's timestamp
Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: dotnetframework, Microsoft
Verifying the repository countersignature with certificate:
Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid from: 10.04.2018 04:00:00 to 14.04.2021 16:00:00
trace: Subject Name: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
trace: SHA256 hash: 51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 22.10.2013 17:00:00 to 22.10.2028 16:00:00
trace: Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace: SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 10.11.2006 04:00:00 to 10.11.2031 04:00:00
Timestamp: 03.12.2019 20:41:56
Verifying repository countersignature's timestamp with timestamping service certificate:
Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Valid from: 23.12.2017 04:00:00 to 23.03.2029 03:59:59
trace: Subject Name: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
trace: SHA1 hash: 6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4
trace: SHA256 hash: F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A
trace: Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace: Valid from: 12.01.2016 04:00:00 to 12.01.2031 03:59:59
trace: Subject Name: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace: SHA1 hash: 3679CA35668772304D30A5FB873B0FA77BB70D54
trace: SHA256 hash: 2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C
trace: Issued by: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
trace: Valid from: 02.04.2008 05:00:00 to 02.12.2037 03:59:59
debug: repository countersignature's timestamp
Finished with 4 errors and 4 warnings.
error: NU3037: The author primary signature validity period has expired.
error: NU3028: The author primary signature's timestamping certificate is not trusted by the trust provider.
warn : NU3028: The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode.
warn : NU3028: The author primary signature's timestamp found a chain building issue: RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
error: NU3037: The repository countersignature validity period has expired.
error: NU3028: The repository countersignature's timestamping certificate is not trusted by the trust provider.
warn : NU3028: The repository countersignature's timestamp found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode.
warn : NU3028: The repository countersignature's timestamp found a chain building issue: RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Package signature validation failed.
@sabinaqurbanova It looks like there is problem with Timestamp server certificate.
i ddnt understand what u mean with: "Could you please check code repository root has a nuget.config file in it?", what means "code repository root"?
The term "code repository root" refers to the top-level directory of a code repository where all the files and folders related to a project are stored. In version control systems like Git, the repository root is the starting point of your project's file structure and includes all the branches, tags, and commits that constitute the project's history.
Open Windows’ “manage computer certificates” app, and go to the certificates in the “trusted root certificate authorities” folder. There I can find that same “DigiCert Assured ID Root CA” and "VeriSign Universal Root Certification Authority" with same details as your log. When I open it and look at the details, I see the signature algorithm is SHA1 and the thumbprint matches the SHA1 hash that the dotnet nuget verify command above output.
You can use powershell script too, then thumbprints should match SHA1 from your log, see redmarked ones 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
, 3679CA35668772304D30A5FB873B0FA77BB70D54
, if you're missing them then you need to manually install them using pem/pfx file from respective root cert provider:
Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*DigiCert Assured ID Root CA*"} | Select-Object Thumbprint
Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*VeriSign Universal Root Certification Authority*"} | Select-Object Thumbprint
@sabinaqurbanova
It looks like there is problem with Timestamp server certificate.
i ddnt understand what u mean with: "Could you please check code repository root has a nuget.config file in it?", what means "code repository root"?
The term "code repository root" refers to the top-level directory of a code repository where all the files and folders related to a project are stored. In version control systems like Git, the repository root is the starting point of your project's file structure and includes all the branches, tags, and commits that constitute the project's history.
Open Windows’ “manage computer certificates” app, and go to the certificates in the “trusted root certificate authorities” folder. There I can find that same “DigiCert Assured ID Root CA” and "VeriSign Universal Root Certification Authority" with same details as your log. When I open it and look at the details, I see the signature algorithm is SHA1 and the thumbprint matches the SHA1 hash that the dotnet nuget verify command above output.
You can use powershell script too, then thumbprints should match SHA1 from your log, see redmarked ones
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
,3679CA35668772304D30A5FB873B0FA77BB70D54
, if you're missing them then you need to manually install them using pem/pfx file from respective root cert provider:Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*DigiCert Assured ID Root CA*"} | Select-Object Thumbprint Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*VeriSign Universal Root Certification Authority*"} | Select-Object Thumbprint
thanks, verisign cert which u mentioned has fixed my problem.
@sabinaqurbanova Thank you for letting us know, based on your feedback we're closing this issue.
Impact
I'm unable to use NuGet.org
Describe the bug
Hi. I cant download packages from NuGet, im getting an errors like below in screenshot:![1111111111](https://github.com/NuGet/NuGetGallery/assets/125729415/18fdef07-5758-454f-befe-1f6e485804f1)
This is result of "dotnet nuget verify" command:
Repro Steps
...
Expected Behavior
...
Screenshots
...
Additional Context and logs
...