Gounlaf
commented
3 years ago Related to https://github.com/NuGet/Home/issues/10491
Closed kiddieverts closed 3 years ago
Gounlaf
commented
3 years ago Related to https://github.com/NuGet/Home/issues/10491
ajuch
commented
3 years ago having the same problem:
docker run -it --rm mcr.microsoft.com/dotnet/sdk:5.0-buster-slim
dotnet new console
dotnet add package Microsoft.Extensions.FileProviders.Physical --version 2.1.0```
looks like it's related to https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/
kiddieverts
commented
3 years ago Found a workaround after reading this article:
https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/#client-policy
Create a file called NuGet.Config in the project directory and add this text to it:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
<config>
<add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
<author name="Microsoft">
<certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
<certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</author>
</trustedSigners>
</configuration>Make sure there is a solution file so the Nuget.Config file will be in the correct scope.
Update the Dockerfile:
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /app
COPY dktest.csproj .
# Make sure you copy the Nuget.Config file or else this will not work
COPY ./NuGet.Config .
# Make sure you copy the solution file or else this will not work
COPY ./dktest.sln .
RUN dotnet restore
COPY . .
RUN dotnet publish -c release -o /app --no-restore
FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]
withkittens
commented
3 years ago The workaround doesn't work if a package is not updated to use new signing certificate. For example, Microsoft.CSharp/4.7.0.
kapitanov
commented
3 years ago It seems I've got a working fix!
Put the following into your 'nuget.config` (at solution file level):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
<config>
<add key="signatureValidationMode" value="accept" />
</config>
<trustedSigners>
<author name="Microsoft">
<certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</author>
</trustedSigners>
</configuration>Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?
DCNick3
commented
3 years ago Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?
It works, but not for all packages. For example, SQLitePCLRaw.lib.e_sqlite3 still fails with NU3034 & NU3028
codelikemmk
commented
3 years ago Same issue as #2548
olekdes
commented
3 years ago I faced the same issue. The reply https://github.com/dotnet/dotnet-docker/issues/2548#issuecomment-768455505 helped me. In my Dockerfile I replaced two base images
FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS buildwith these ones
FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS buildand it solved my problem.
You can find lists of available images on these Microsoft dockerhub pages https://hub.docker.com/_/microsoft-dotnet-aspnet https://hub.docker.com/_/microsoft-dotnet-sdk
ciacco85
commented
3 years ago same issue here! @OleksiiDesiatnichenko suggestion solved the issue
davidzwa
commented
3 years ago @ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to -focal:
The problem lies in the SDK version, not the runtime:
Use mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim to get the patched version from 10 hours ago.
Sources of info:
https://github.com/NuGet/Announcements/issues/49
https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/
https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md
filariow
commented
3 years ago Hi @davidzwa, is there a version of the buster (non slim) image with the ca patch?
We're relying on some functionalities, like inotify, that seems not to work in the -slim image.
MichaelSimons
commented
3 years ago @davidzwa, what image tag were you previously using? You should only need to use the ca-patch tags if you were previously using a 5.0 debian sdk image.
davidzwa
commented
3 years ago Ah my bad @MichaelSimons, I was using buster-slim to begin with.
The table in the link I sent https://github.com/NuGet/Announcements/issues/49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk
@filariow please check that link to find the images available.
r-cass
commented
3 years ago By my side my solution got tons of package issued from multiple publishers.
I've managed to get it working by adding cert signature (SHA256) and package owners <owners> in NuGet.Config such as:
<trustedSigners>
<author name="Microsoft">
<certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</author>
<repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
<certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>microsoft;aspnet;nuget;domaindrivendev;dotnetframework</owners>
</repository>
</trustedSigners>Certificate signatures and owners can be found in console output by changing verbosity level like this RUN dotnet restore "./project.csproj" -v d
davidzwa
commented
3 years ago @r-cass you're missing the fix by the docker image devs and solution I posted:
Ah my bad @MichaelSimons, I was using
buster-slimto begin with. The table in the link I sent NuGet/Announcements#49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing: https://hub.docker.com/_/microsoft-dotnet-sdk@filariow please check that link to find the images available.
mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-* images have the patch.
r-cass
commented
3 years ago @davidzwa You're right, i didn't notice! I will try this one, thanks!
lnaie
commented
3 years ago @ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to
-focal:The problem lies in the SDK version, not the runtime: Use
mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slimto get the patched version from 10 hours ago.Sources of info:
https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/
https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md
That worked. Thanks!
MichaelSimons
commented
3 years ago Closing this as a duplicate of NuGet/Home#10491. Please follow the guidance at NuGet/Announcements#49, and specifically the workaround for users of the .NET Docker images at NuGet/Announcements#49 (comment).
Subodh-frnd02
commented
3 months ago Still having issues in dotnet restore .056 /usr/share/dotnet/sdk/6.0.200/NuGet.targets(130,5): error : The SSL connection could not be established, see inner exception
Describe the Bug
When I create a new dotnet app using
dotnet new consoleand then dockerize the app and try to build the docker file I get many errors about author's signatures.(I get this error both in my CI pipeline and also running
docker build .locally.)Steps to Reproduce
Make sure you are on dotnet 5
dotnet --versionI am running on
5.0.101Run
mkdir dktestRun
cd dktestRun
dotnet new consoleEdit dktest.csproj and add these lines inside the
<Project>tag:create this Dockerfile:
Run
docker build .Other Information
Here are the error message I get:
Output of
docker versionClient: Docker Engine - Community Cloud integration: 1.0.7 Version: 20.10.2 API version: 1.41 Go version: go1.13.15 Git commit: 2291f61 Built: Mon Dec 28 16:12:42 2020 OS/Arch: darwin/amd64 Context: default Experimental: true
Server: Docker Engine - Community Engine: Version: 20.10.2 API version: 1.41 (minimum version 1.12) Go version: go1.13.15 Git commit: 8891c58 Built: Mon Dec 28 16:15:28 2020 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.4.3 GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b runc: Version: 1.0.0-rc92 GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff docker-init: Version: 0.19.0 GitCommit: de40ad0
Output of
docker infoClient: Context: default Debug Mode: false Plugins: app: Docker App (Docker Inc., v0.9.1-beta3) buildx: Build with BuildKit (Docker Inc., v0.5.1-docker) scan: Docker Scan (Docker Inc., v0.5.0)
Server: Containers: 19 Running: 2 Paused: 0 Stopped: 17 Images: 286 Server Version: 20.10.2 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Cgroup Version: 1 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc Default Runtime: runc Init Binary: docker-init containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff init version: de40ad0 Security Options: seccomp Profile: default Kernel Version: 4.19.121-linuxkit Operating System: Docker Desktop OSType: linux Architecture: x86_64 CPUs: 6 Total Memory: 7.778GiB Name: docker-desktop ID: W7I4:I2W7:3YAY:OVGQ:S5Y4:FPXT:A2AS:WHZH:YEGU:363R:YGN2:7K2O Docker Root Dir: /var/lib/docker Debug Mode: true File Descriptors: 57 Goroutines: 58 System Time: 2021-01-27T13:58:45.5826594Z EventsListeners: 3 HTTP Proxy: gateway.docker.internal:3128 HTTPS Proxy: gateway.docker.internal:3129 Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false