Closed kiddieverts closed 3 years ago
Related to https://github.com/NuGet/Home/issues/10491
Having the same problem:
```
docker run -it --rm mcr.microsoft.com/dotnet/sdk:5.0-buster-slim
dotnet new console
dotnet add package Microsoft.Extensions.FileProviders.Physical --version 2.1.0
```
looks like it's related to https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/
Found a workaround after reading this article:
https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/#client-policy
Create a file called `NuGet.Config` in the project directory and add this text to it:
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```
Make sure there is a solution file so the `NuGet.Config` file will be in the correct scope.
Update the Dockerfile:
```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /app
COPY dktest.csproj .
# Make sure you copy the NuGet.Config file or else this will not work
COPY ./NuGet.Config .
# Make sure you copy the solution file or else this will not work
COPY ./dktest.sln .
RUN dotnet restore
COPY . .
RUN dotnet publish -c release -o /app --no-restore

FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]
```
The workaround doesn't work if a package is not updated to use the new signing certificate. For example, `Microsoft.CSharp/4.7.0`.
It seems I've got a working fix!
Put the following into your `nuget.config` (at solution file level):
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>
</configuration>
```
Looks like `allowUntrustedRoot="true"` does the trick. Probably it's not very secure but if you need it working right now - why not?
> Looks like `allowUntrustedRoot="true"` does the trick. Probably it's not very secure but if you need it working right now - why not?
It works, but not for all packages. For example, `SQLitePCLRaw.lib.e_sqlite3` still fails with NU3034 & NU3028.
Same issue as #2548
I faced the same issue. The reply https://github.com/dotnet/dotnet-docker/issues/2548#issuecomment-768455505 helped me. In my Dockerfile I replaced two base images
```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS build
```
with these ones
```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build
```
and it solved my problem.
You can find lists of available images on these Microsoft dockerhub pages https://hub.docker.com/_/microsoft-dotnet-aspnet https://hub.docker.com/_/microsoft-dotnet-sdk
Same issue here! @OleksiiDesiatnichenko's suggestion solved the issue.
@ciacco85 @OleksiiDesiatnichenko There's a better solution, you don't have to switch to `-focal`:
The problem lies in the SDK version, not the runtime:
Use `mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim` to get the patched version from 10 hours ago.
Sources of info:
https://github.com/NuGet/Announcements/issues/49
https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/
https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md
Hi @davidzwa, is there a version of the `buster` (non slim) image with the ca patch?
We're relying on some functionalities, like inotify, that seem not to work in the `-slim` image.
@davidzwa, what image tag were you previously using? You should only need to use the `ca-patch` tags if you were previously using a 5.0 debian sdk image.
Ah my bad @MichaelSimons, I was using `buster-slim` to begin with.
The table in the link I sent https://github.com/NuGet/Announcements/issues/49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk
@filariow please check that link to find the images available.
On my side, my solution has tons of packages issued by multiple publishers.
I've managed to get it working by adding the cert signatures (SHA256) and package owners (`<owners>`) in `NuGet.Config` such as:
```xml
<trustedSigners>
  <author name="Microsoft">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
  </author>
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <certificate fingerprint="CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <owners>microsoft;aspnet;nuget;domaindrivendev;dotnetframework</owners>
  </repository>
</trustedSigners>
```
Certificate signatures and owners can be found in console output by changing verbosity level like this: `RUN dotnet restore "./project.csproj" -v d`
@r-cass you're missing the fix by the docker image devs and solution I posted:
> Ah my bad @MichaelSimons, I was using `buster-slim` to begin with. The table in the link I sent NuGet/Announcements#49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing: https://hub.docker.com/_/microsoft-dotnet-sdk
> @filariow please check that link to find the images available.

`mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-*` images have the patch.
@davidzwa You're right, i didn't notice! I will try this one, thanks!
> @ciacco85 @OleksiiDesiatnichenko There's a better solution, you don't have to switch to `-focal`:
> The problem lies in the SDK version, not the runtime: Use `mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim` to get the patched version from 10 hours ago.
> Sources of info:
> https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/
> https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md
That worked. Thanks!
Closing this as a duplicate of NuGet/Home#10491. Please follow the guidance at NuGet/Announcements#49, and specifically the workaround for users of the .NET Docker images at NuGet/Announcements#49 (comment).
Still having issues in dotnet restore .056 /usr/share/dotnet/sdk/6.0.200/NuGet.targets(130,5): error : The SSL connection could not be established, see inner exception
Describe the Bug
When I create a new dotnet app using `dotnet new console` and then dockerize the app and try to build the docker file I get many errors about author's signatures. (I get this error both in my CI pipeline and also running `docker build .` locally.)
Steps to Reproduce
1. Make sure you are on dotnet 5: `dotnet --version`. I am running on `5.0.101`.
2. Run `mkdir dktest`
3. Run `cd dktest`
4. Run `dotnet new console`
5. Edit dktest.csproj and add these lines inside the `<Project>` tag:
6. Create this Dockerfile:
7. Run `docker build .`
Other Information
Here are the error messages I get:
Output of `docker version`:
```
Client: Docker Engine - Community
 Cloud integration: 1.0.7
 Version:           20.10.2
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        2291f61
 Built:             Mon Dec 28 16:12:42 2020
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.2
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8891c58
  Built:            Mon Dec 28 16:15:28 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
Output of `docker info`:
```
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.5.0)

Server:
 Containers: 19
  Running: 2
  Paused: 0
  Stopped: 17
 Images: 286
 Server Version: 20.10.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.121-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 7.778GiB
 Name: docker-desktop
 ID: W7I4:I2W7:3YAY:OVGQ:S5Y4:FPXT:A2AS:WHZH:YEGU:363R:YGN2:7K2O
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 57
  Goroutines: 58
  System Time: 2021-01-27T13:58:45.5826594Z
  EventsListeners: 3
 HTTP Proxy: gateway.docker.internal:3128
 HTTPS Proxy: gateway.docker.internal:3129
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```