Dotnet-docker: Nuget errors when restoring dotnet app inside Docker

Created on 27 Jan 2021  路  18Comments  路  Source: dotnet/dotnet-docker

Describe the Bug

When I create a new dotnet app using dotnet new console and then dockerize the app and try to build the docker file I get many errors about author's signatures.

(I get this error both in my CI pipeline and also running docker build . locally.)

Steps to Reproduce

Make sure you are on dotnet 5

dotnet --version

I am running on 5.0.101

Run mkdir dktest

Run cd dktest

Run dotnet new console

Edit dktest.csproj and add these lines inside the <Project> tag:

 <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.1" NoWarn="NU3028" />
  </ItemGroup>

create this Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /source

COPY *.csproj .
RUN dotnet restore

COPY . .
RUN dotnet publish -c release -o /app --no-restore

FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]

Run docker build .

Other Information

Here are the error message I get:

/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
  Failed to restore /source/dktest.csproj (in 4.09 sec).
The command '/bin/sh -c dotnet restore' returned a non-zero code: 1

Output of docker version

Client: Docker Engine - Community
Cloud integration: 1.0.7
Version: 20.10.2
API version: 1.41
Go version: go1.13.15
Git commit: 2291f61
Built: Mon Dec 28 16:12:42 2020
OS/Arch: darwin/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.2
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 8891c58
Built: Mon Dec 28 16:15:28 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Output of docker info

Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
scan: Docker Scan (Docker Inc., v0.5.0)

Server:
Containers: 19
Running: 2
Paused: 0
Stopped: 17
Images: 286
Server Version: 20.10.2
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.121-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 7.778GiB
Name: docker-desktop
ID: W7I4:I2W7:3YAY:OVGQ:S5Y4:FPXT:A2AS:WHZH:YEGU:363R:YGN2:7K2O
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 57
Goroutines: 58
System Time: 2021-01-27T13:58:45.5826594Z
EventsListeners: 3
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

area-samples bug untriaged

Most helpful comment

I faced the same issue. The reply https://github.com/dotnet/dotnet-docker/issues/2548#issuecomment-768455505 helped me.
In my Dockerfile I replaced two base images

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS build

with these ones

FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build

and it solved my problem.

You can find lists of available images on these Microsoft dockerhub pages
https://hub.docker.com/_/microsoft-dotnet-aspnet
https://hub.docker.com/_/microsoft-dotnet-sdk

All 18 comments

having the same problem:

docker run -it --rm mcr.microsoft.com/dotnet/sdk:5.0-buster-slim dotnet new console dotnet add package Microsoft.Extensions.FileProviders.Physical --version 2.1.0

looks like it's related to https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/

Found a workaround after reading this article:

https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/#client-policy

Create a file called NuGet.Config in the project directory and add this text to it:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

  <config>
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>

</configuration>

Make sure there is a solution file so the Nuget.Config file will be in the correct scope.

Update the Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /app

COPY dktest.csproj .
# Make sure you copy the Nuget.Config file or else this will not work
COPY ./NuGet.Config .
# Make sure you copy the solution file or else this will not work
COPY ./dktest.sln . 

RUN dotnet restore

COPY . .

RUN dotnet publish -c release -o /app --no-restore

FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]

The workaround doesn't work if a package is not updated to use new signing certificate. For example, Microsoft.CSharp/4.7.0.

It seems I've got a working fix!

Put the following into your 'nuget.config` (at solution file level):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>

  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>

</configuration>

Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?

Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?

It works, but not for all packages. For example, SQLitePCLRaw.lib.e_sqlite3 still fails with NU3034 & NU3028

Same issue as #2548

I faced the same issue. The reply https://github.com/dotnet/dotnet-docker/issues/2548#issuecomment-768455505 helped me.
In my Dockerfile I replaced two base images

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS build

with these ones

FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build

and it solved my problem.

You can find lists of available images on these Microsoft dockerhub pages
https://hub.docker.com/_/microsoft-dotnet-aspnet
https://hub.docker.com/_/microsoft-dotnet-sdk

same issue here! @OleksiiDesiatnichenko suggestion solved the issue

@ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to -focal:

The problem lies in the SDK version, not the runtime:
Use mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim to get the patched version from 10 hours ago.

Sources of info:

https://github.com/NuGet/Announcements/issues/49

https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/

https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md

Hi @davidzwa, is there a version of the buster (non slim) image with the ca patch?
We're relying on some functionalities, like inotify, that seems not to work in the -slim image.

@davidzwa, what image tag were you previously using? You should only need to use the ca-patch tags if you were previously using a 5.0 debian sdk image.

Ah my bad @MichaelSimons, I was using buster-slim to begin with.
The table in the link I sent https://github.com/NuGet/Announcements/issues/49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk

@filariow please check that link to find the images available.

By my side my solution got tons of package issued from multiple publishers.
I've managed to get it working by adding cert signature (SHA256) and package owners <owners> in NuGet.Config such as:

<trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <certificate fingerprint="CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <owners>microsoft;aspnet;nuget;domaindrivendev;dotnetframework</owners>
    </repository>
  </trustedSigners>

Certificate signatures and owners can be found in console output by changing verbosity level like this RUN dotnet restore "./project.csproj" -v d

@r-cass you're missing the fix by the docker image devs and solution I posted:

Ah my bad @MichaelSimons, I was using buster-slim to begin with.
The table in the link I sent NuGet/Announcements#49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk

@filariow please check that link to find the images available.

mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-* images have the patch.

@davidzwa You're right, i didn't notice! I will try this one, thanks!

@ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to -focal:

The problem lies in the SDK version, not the runtime:
Use mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim to get the patched version from 10 hours ago.

Sources of info:

NuGet/Announcements#49

https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/

https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md

That worked. Thanks!

Closing this as a duplicate of NuGet/Home#10491. Please follow the guidance at NuGet/Announcements#49, and specifically the workaround for users of the .NET Docker images at NuGet/Announcements#49 (comment).

Was this page helpful?
0 / 5 - 0 ratings