When I create a new dotnet app using dotnet new console and then dockerize the app and try to build the docker file I get many errors about author's signatures.
(I get this error both in my CI pipeline and also running docker build . locally.)
Make sure you are on dotnet 5
dotnet --version
I am running on 5.0.101
Run mkdir dktest
Run cd dktest
Run dotnet new console
Edit dktest.csproj and add these lines inside the <Project> tag:
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.1" NoWarn="NU3028" />
</ItemGroup>
create this Dockerfile:
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /source
COPY *.csproj .
RUN dotnet restore
COPY . .
RUN dotnet publish -c release -o /app --no-restore
FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]
Run docker build .
Here are the error message I get:
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Logging 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.CSharp 4.5.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Tokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'System.Security.Cryptography.Cng 4.5.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.JsonWebTokens 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'Microsoft.IdentityModel.Protocols.OpenIdConnect 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3028: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
/source/dktest.csproj : error NU3037: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
/source/dktest.csproj : error NU3028: Package 'System.IdentityModel.Tokens.Jwt 6.7.1' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
Failed to restore /source/dktest.csproj (in 4.09 sec).
The command '/bin/sh -c dotnet restore' returned a non-zero code: 1
docker versionClient: Docker Engine - Community
Cloud integration: 1.0.7
Version: 20.10.2
API version: 1.41
Go version: go1.13.15
Git commit: 2291f61
Built: Mon Dec 28 16:12:42 2020
OS/Arch: darwin/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.2
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 8891c58
Built: Mon Dec 28 16:15:28 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker infoClient:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
scan: Docker Scan (Docker Inc., v0.5.0)
Server:
Containers: 19
Running: 2
Paused: 0
Stopped: 17
Images: 286
Server Version: 20.10.2
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.121-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 7.778GiB
Name: docker-desktop
ID: W7I4:I2W7:3YAY:OVGQ:S5Y4:FPXT:A2AS:WHZH:YEGU:363R:YGN2:7K2O
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 57
Goroutines: 58
System Time: 2021-01-27T13:58:45.5826594Z
EventsListeners: 3
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Related to https://github.com/NuGet/Home/issues/10491
having the same problem:
docker run -it --rm mcr.microsoft.com/dotnet/sdk:5.0-buster-slim
dotnet new console
dotnet add package Microsoft.Extensions.FileProviders.Physical --version 2.1.0
looks like it's related to https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/
Found a workaround after reading this article:
https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/#client-policy
Create a file called NuGet.Config in the project directory and add this text to it:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
<config>
<add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
<author name="Microsoft">
<certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
<certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</author>
</trustedSigners>
</configuration>
Make sure there is a solution file so the Nuget.Config file will be in the correct scope.
Update the Dockerfile:
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /app
COPY dktest.csproj .
# Make sure you copy the Nuget.Config file or else this will not work
COPY ./NuGet.Config .
# Make sure you copy the solution file or else this will not work
COPY ./dktest.sln .
RUN dotnet restore
COPY . .
RUN dotnet publish -c release -o /app --no-restore
FROM mcr.microsoft.com/dotnet/runtime:5.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["./dotnetapp"]
The workaround doesn't work if a package is not updated to use new signing certificate. For example, Microsoft.CSharp/4.7.0.
It seems I've got a working fix!
Put the following into your 'nuget.config` (at solution file level):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
<config>
<add key="signatureValidationMode" value="accept" />
</config>
<trustedSigners>
<author name="Microsoft">
<certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</author>
</trustedSigners>
</configuration>
Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?
Looks like allowUntrustedRoot="true" does the trick. Probably it's not very secure but if you need it working right now - why not?
It works, but not for all packages. For example, SQLitePCLRaw.lib.e_sqlite3 still fails with NU3034 & NU3028
Same issue as #2548
I faced the same issue. The reply https://github.com/dotnet/dotnet-docker/issues/2548#issuecomment-768455505 helped me.
In my Dockerfile I replaced two base images
FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS build
with these ones
FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base
...
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build
and it solved my problem.
You can find lists of available images on these Microsoft dockerhub pages
https://hub.docker.com/_/microsoft-dotnet-aspnet
https://hub.docker.com/_/microsoft-dotnet-sdk
same issue here! @OleksiiDesiatnichenko suggestion solved the issue
@ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to -focal:
The problem lies in the SDK version, not the runtime:
Use mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim to get the patched version from 10 hours ago.
Sources of info:
https://github.com/NuGet/Announcements/issues/49
https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/
https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md
Hi @davidzwa, is there a version of the buster (non slim) image with the ca patch?
We're relying on some functionalities, like inotify, that seems not to work in the -slim image.
@davidzwa, what image tag were you previously using? You should only need to use the ca-patch tags if you were previously using a 5.0 debian sdk image.
Ah my bad @MichaelSimons, I was using buster-slim to begin with.
The table in the link I sent https://github.com/NuGet/Announcements/issues/49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk
@filariow please check that link to find the images available.
By my side my solution got tons of package issued from multiple publishers.
I've managed to get it working by adding cert signature (SHA256) and package owners <owners> in NuGet.Config such as:
<trustedSigners>
<author name="Microsoft">
<certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</author>
<repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
<certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="F3516DDCC8AFC808788BD8B0E840BDA2B5E23C6244252CA3000BB6C87170402A" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<certificate fingerprint="CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>microsoft;aspnet;nuget;domaindrivendev;dotnetframework</owners>
</repository>
</trustedSigners>
Certificate signatures and owners can be found in console output by changing verbosity level like this RUN dotnet restore "./project.csproj" -v d
@r-cass you're missing the fix by the docker image devs and solution I posted:
Ah my bad @MichaelSimons, I was using
buster-slimto begin with.
The table in the link I sent NuGet/Announcements#49 contains info about Debian based containers. Please try and find the answers there or the dockerhub listing:
https://hub.docker.com/_/microsoft-dotnet-sdk@filariow please check that link to find the images available.
mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-* images have the patch.
@davidzwa You're right, i didn't notice! I will try this one, thanks!
@ciacco85 @OleksiiDesiatnichenko There's a better solution, you dont have to switch to
-focal:The problem lies in the SDK version, not the runtime:
Usemcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slimto get the patched version from 10 hours ago.Sources of info:
https://www.reddit.com/r/dotnet/comments/l69swx/microsoft_nuget_packages_certificate_expiration/
https://github.com/dotnet/dotnet-docker/blob/master/README.sdk.md
That worked. Thanks!
Closing this as a duplicate of NuGet/Home#10491. Please follow the guidance at NuGet/Announcements#49, and specifically the workaround for users of the .NET Docker images at NuGet/Announcements#49 (comment).
Most helpful comment
I faced the same issue. The reply https://github.com/dotnet/dotnet-docker/issues/2548#issuecomment-768455505 helped me.
In my Dockerfile I replaced two base images
with these ones
and it solved my problem.
You can find lists of available images on these Microsoft dockerhub pages
https://hub.docker.com/_/microsoft-dotnet-aspnet
https://hub.docker.com/_/microsoft-dotnet-sdk