NuGet repository signature certificate will expire on April 14th, 2021
JonDouglas opened this issue · 0 comments
Context
At 5:00 AM PST on April 14th, 2021, the NuGet repository signing certificate will expire. This certificate is used to verify the content integrity of a package and protect against content tampering. When the signing certificate expires, verification will fall back to the signature's timestamp.
For packages that have not been automatically re-signed by NuGet.org with an updated certificate, you may be affected by .NET 5 NuGet Restore Failures on Linux distributions using NSS or ca-certificates. Only a subset of NuGet.org packages have been re-signed with a new certificate since March 15th, 2021. Packages published to NuGet.org after March 15th, 2021 will include a new certificate and will not be affected.
Given that the NuGet Microsoft author signing certificate has already expired, you may have already run into this issue if you have a Microsoft author-signed package in your environment, and you may already be aware of this change in behavior and have resolved it.
For reference, the different types of NuGet signatures are:
- Author signature. An author signature guarantees that the package has not been modified since the author signed the package, no matter from which repository or what transport method the package is delivered. Additionally, author-signed packages provide an extra authentication mechanism to the nuget.org publishing pipeline because the signing certificate must be registered ahead of time.
- Repository signature. Repository signatures provide an integrity guarantee for all packages in a repository whether they are author signed or not, even if those packages are obtained from a different location than the original repository where they were signed.
What we expect
We expect that Linux environments that adopt the certificate changes in the nss & ca-certificates packages will see some interruption when this repository signing certificate expires. As certificate changes are brought into stable & preview Linux releases such as Ubuntu Hirsute Hippo (21.04), Arch Linux, and others, this issue may appear when not using .NET SDK 5.0.202+.
We do not expect any new breakage on 4/14 as a result.
Symptoms
Your Linux environment may give you error messages when running dotnet restore, such as:
error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error NU3037: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
This indicates that your environment is affected by an upstream change to the nss or ca-certificates packages, and you'll need to update your .NET SDK to resolve it.
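As an added example (not part of the original issue or any NuGet tooling), the following script triages captured dotnet restore output for the symptoms listed above and checks the SDK version against the 5.0.202 threshold mentioned earlier. The function names, the result keys, the sample log and the plain tuple comparison of version numbers are assumptions of this example.

```python
import re
from collections import Counter

# Constructed `dotnet restore` output; the three NU30xx lines mirror the page's symptoms.
SRC = "https://api.nuget.org/v3/index.json"
PKG = f"Package 'System.Memory 4.5.3' from source '{SRC}': "
ROOT = "timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain"
SAMPLE_LOG = "\n".join([
    "  Determining projects to restore...",
    "error NU3028: " + PKG + "The author primary signature's " + ROOT,
    "error NU3037: " + PKG + "The author primary signature validity period has expired.",
    "error NU3028: " + PKG + "The repository countersignature's " + ROOT,
    "error NU1101: Unable to find package Example.Missing.",  # unrelated, constructed
])

LINE = re.compile(r"error (?P<code>NU\d{4}): Package '(?P<pkg>[^']+)' from source '[^']+': (?P<msg>.*)")

# Only threshold the page gives: the issue "may appear when not using .NET SDK 5.0.202+".
# Comparing plain (major, minor, patch) tuples is a simplifying assumption of this example.
FIXED_SDK = (5, 0, 202)

def classify(line):
    """Return (package, signature, kind) for a line matching the page's symptoms, else None."""
    m = LINE.search(line)
    if not m:
        return None
    code, msg = m["code"], m["msg"]
    if code == "NU3028" and "timestamp" in msg and "UntrustedRoot" in msg:
        kind = "timestamp-untrusted-root"
    elif code == "NU3037":
        kind = "validity-expired"
    else:
        return None
    if "repository countersignature" in msg:
        sig = "repository"
    elif "author primary signature" in msg:
        sig = "author"
    else:
        sig = "unknown"
    return m["pkg"], sig, kind

def triage(log, sdk_version):
    """Summarise matching errors and whether the SDK is older than the threshold."""
    hits = [h for h in map(classify, log.splitlines()) if h]
    # Drop any pre-release suffix ("-preview.3") before comparing numeric parts.
    sdk = tuple(int(p) for p in sdk_version.split("-")[0].split(".")[:3])
    return {
        "matches_symptoms": bool(hits),
        "packages": sorted({pkg for pkg, _, _ in hits}),
        "by_kind": dict(Counter((sig, kind) for _, sig, kind in hits)),
        "sdk_needs_update": sdk < FIXED_SDK,
    }
```

Feed it the saved output of a failing restore together with the version string reported by dotnet --version; unrelated restore errors such as a missing package are ignored rather than counted.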
Solution
New .NET builds have been provided with NuGet package verification disabled on Linux and macOS.
It is recommended that you update to these builds as soon as you can to mitigate disruption on Linux environments.
Details
For more details on this incident, see the following resources:
- #56
- https://devblogs.microsoft.com/nuget/net-5-nuget-restore-failures-on-linux-distributions-using-nss-or-ca-certificates/
- dotnet/announcements#180
If you run into this issue after April 14th, 2021, please provide a comment on NuGet/Home#10712