Home: Not able to push packages to DevOps artifacts using Dotnet Nuget Push

Relevant docs are here: https://docs.microsoft.com/en-us/azure/devops/artifacts/nuget/publish?view=azure-devops
Not sure if the new credential provider would also help: https://github.com/Microsoft/artifacts-credprovider

@alexmullans

@rrelyea I followed again (I did that before) the steps you mentioned and some extra work.

I leave the steps because it might be useful for someone else (This is for MAC and Azure DevOps):

1 - Follow steps in here:
https://docs.microsoft.com/en-us/azure/devops/artifacts/nuget/publish?view=azure-devops

2 - Install new credential provider:
https://github.com/Microsoft/artifacts-credprovider

3 - Generate PAT as in here:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops

4 - Add the following nuget.config value on same path where nuget.exe or script that using nuget.exe or dotnet nuget:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="MyFeed" value="https://pkgs.dev.azure.com/MyOrganization/_packaging/MyFeed/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <MyFeed>
      <add key="Username" value="UsernameInDevops - I think it is always an email address" />
      <add key="ClearTextPassword" value="PAT Obtained in Step 3" />
    </MyFeed>
  </packageSourceCredentials>
</configuration>

Use ClearTextPassword in Nuget.config instead of Password because encrypted password is not supported ...

5 - Finally run the command:

dotnet nuget push MyPackage.nupkg --source MyFeed --api-key key

Question that remains

Isn't there a way to not use Nuget.config and include everything in dotnet push, e.g.:

dotnet nuget push 
  MyPackage.nupkg 
  --source https://pkgs.dev.azure.com/MyOrganization/_packaging/MyFeed/nuget/v3/index.json 
  --api-key MyPat

When trying this I wasn't able to make it work as I stumbled in a problem:
https://github.com/NuGet/Home/issues/7519

But again I would not want to sign in manually ...

I suppose it would be necessary to pass Username and Password but I do not see those options in donet nuget push command ...

@alexmullans should be able to review and advise. you should not need clear text password, i believe.

@rrelyea that's right. With the right version of dotnet (2.1.400 or greater, though latest is always preferable), as long as you've installed the cred provider using the readme instructions, which it sounds like you have, push should show a device flow prompt in the logs when you run the dotnet nuget push command with only the --source and --api-key.

Any movement on this?

Indeed following the steps described by @rrelyea using the microsoft/dotnet:2.2-sdk docker image, I can confirm that we still get Response status code does not indicate success: 401 (Unauthorized).

I ran into an issue with dotnet nuget pushing to an Azure Artifacts feed in Azure Devops Server 2019 that turned out to be a bug in the 2.1 .NET Core CLI which has been fixed in 3.0 preview builds. I was able to resolve by splitting my Azure Pipeline into a Build Job which runs in the .NET Core 2.1 SDK container and a Push job which runs in the 3.0 SDK container. If it's of use to any of you, my (rather hefty) pipeline is shared below:

###########################################################
### Change these values when copying this pipeline      ###
### Pipeline additionally requires these variables-     ###
###   $(My.Endpoint)                                    ###
###   $(My.GuidEndpoint)                                ###
###   $(My.User)                                        ###
###   $(My.PAT)                                         ###
###########################################################
variables:
  BuildConfiguration: Release
  Project.File.Path: MyLibrary.csproj
  Project.Assembly.Name: MyLibrary
  Project.Version: '1.0.0'
###########################################################
name: $(Project.Version)-$(Date:yyyyMMdd)$(Rev:rr)
resources:
  containers:
  - container: NetCoreSDK21
    image: mcr.microsoft.com/dotnet/core/sdk:2.1
    # We must manually map the agent work folder until a resolution for this issue: https://github.com/microsoft/azure-pipelines-tasks/issues/11137 flows into Azure Devops Server
    options: -v /home/azpagent/agent/_work:/__w/
  - container: NetCoreSdk30
    image: mcr.microsoft.com/dotnet/core/sdk:3.0
trigger:
  batch: true
  branches:
    include:
    - develop
    - release/*
  paths:
    exclude:
    - ReadMe.md
jobs:
- job: Build
  container: NetCoreSDK21
  steps:
  - script: |
      echo "##vso[task.setvariable variable=NuGet.CredentialProvider.SessionTokenCache.Enabled]true"
      echo "##vso[task.setvariable variable=Dotnet.System.Net.Http.UseSocketsHttpHandler]0"
      echo "##vso[task.setvariable variable=NuGet.Authentication.Types]basic"
    displayName: Set container environment variables
  - script: |
      ENDPOINTSTRING="{\"endpointCredentials\": [{\"endpoint\":\"$(My.Endpoint))\", \"username\":\"$(My.User)\", \"password\":\"${MAPPED_SECRET}\"},{\"endpoint\":\"$(My.GuidEndpoint)\", \"username\":\"$(My.User)\", \"password\":\"${MAPPED_SECRET}\"}]}"
      echo "##vso[task.setvariable variable=Vss.NuGet.External.Feed.EndPoints]${ENDPOINTSTRING}"
    displayName: Set NuGet feed credentials
    env:
      MAPPED_SECRET: $(My.PAT)
  - script: wget -O - https://raw.githubusercontent.com/Microsoft/artifacts-credprovider/master/helpers/installcredprovider.sh  | bash
    displayName: 'Install artifacts credential provider'
  - script: dotnet restore $(Project.File.Path) -s "$(My.GuidEndpoint)" -s "https://api.nuget.org/v3/index.json"
    displayName: 'Dotnet restore'
  - task: DotNetCoreCLI@2
    displayName: 'Dotnet build'
    inputs:
      projects: '$(Project.File.Path)'
      arguments: '-c $(BuildConfiguration) --no-restore'
  - task: DotNetCoreCLI@2
    displayName: 'Dotnet pack'
    inputs:
      command: pack
      nobuild: true
      includesymbols: true
      versioningScheme: byEnvVar
      versionEnvVar: 'BUILD_BUILDNUMBER'
      verbosityPack: Normal
  - task: PublishBuildArtifacts@1
    displayName: 'Publish Artifact: NuGetPackage'
    inputs:
      ArtifactName: NuGetPackage
- job: Push
  dependsOn: Build
  container: NetCoreSdk30
  steps:
  - task: DownloadBuildArtifacts@0
    displayName: 'Download Build Artifacts'
    inputs:
      artifactName: NuGetPackage
  - script: |
      echo "##vso[task.setvariable variable=NuGet.CredentialProvider.SessionTokenCache.Enabled]true"
      echo "##vso[task.setvariable variable=Dotnet.System.Net.Http.UseSocketsHttpHandler]0"
      echo "##vso[task.setvariable variable=NuGet.Authentication.Types]basic"
    displayName: Set container environment variables
  - script: |
      ENDPOINTSTRING="{\"endpointCredentials\": [{\"endpoint\":\"$(My.Endpoint))\", \"username\":\"$(My.User)\", \"password\":\"${MAPPED_SECRET}\"},{\"endpoint\":\"$(My.GuidEndpoint)\", \"username\":\"$(My.User)\", \"password\":\"${MAPPED_SECRET}\"}]}"
      echo "##vso[task.setvariable variable=Vss.NuGet.External.Feed.EndPoints]${ENDPOINTSTRING}"
    displayName: Set NuGet feed credentials
    env:
      MAPPED_SECRET: $(My.PAT)
  - script: wget -O - https://raw.githubusercontent.com/Microsoft/artifacts-credprovider/master/helpers/installcredprovider.sh  | bash
    displayName: 'Install artifacts credential provider'
  - script: dotnet nuget push $(Build.ArtifactStagingDirectory)/NuGetPackage/$(Project.Assembly.Name).$(Build.BuildNumber).nupkg -s "$(My.GuidEndpoint)" --api-key "AzureDevopsServer"
    displayName: 'Dotnet NuGet Push to Azure Artifacts'

Ran into the same issue, ended up manually installing nuget. Hope this helps:

...
- pwsh: |
    # Manually install nuget
    Invoke-WebRequest "https://dist.nuget.org/win-x86-commandline/v4.7.1/nuget.exe" -outfile nuget.exe

    # Add source with password and username (updates nuget.config
    nuget.exe sources add -name <azure artifacts feed name> -source "https://pkgs.dev.azure.com/<organization>/<azure artifacts feed name>/_packaging/<azure artifacts feed name>/nuget/v3/index.json" -username whatever -password <your pat here>

    # Push
    nuget.exe push <package> -source <azure artifacts feed name> -apikey whatever
...

Why doesn't the following work?

dotnet nuget push 
   --source https://pkgs.dev.azure.com/MyOrganization/_packaging/MyFeed/nuget/v2
   --api-key MyPAT 
   MyPackage.nupkg

--api-key works for some feeds (e.g Nuget.org) but not for others (e.g Azure Artifacts feeds). For the latter kind of feed you need to specify password. Unfortunately password isn't accepted by the dotnet nuget or nuget CLIs so you have to set it in a nuget.config. Easiest way to update nuget.config is nuget sources add ....

@aortiz-msft note to sync with partners about this.

Here are the steps I have taken on a Linux distro, elementary OS 5.1.4 Hera, running .NET Core 3.1 in order to successfully push a NuGet package to a feed hosted by Azure Artifacts:

• Enable Azure Artifacts for my project hosted by Azure DevOps
• Create an Azure Artifacts feed named nuget-feed-v2
• Create a nuget.config file at the root of my solution folder containing 2 sources: one pointing to the Azure Artifacts feed and another pointing to the official NuGet feed, thus resulting a file like below:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <clear />
        <add key="nuget-feed-v2"
             value="https://pkgs.dev.azure.com/satrapu/aspnet-core-logging/_packaging/nuget-feed-v2/nuget/v3/index.json"
             protocolVersion="3" />
        <add key="nuget.org"
             value="https://api.nuget.org/v3/index.json"
             protocolVersion="3" />
    </packageSources>
</configuration>

• Install Azure Artifacts Credential Provider via the provided Linux script
• Restore packages using dotnet restore command
• Publish one of the downloaded NuGet packages (Core.Castle v4.4.0) via:

 dotnet nuget push /home/satrapu/.nuget/packages/castle.core/4.4.0/castle.core.4.4.0.nupkg \
    --source "nuget-feed-v2" \
    --skip-duplicate \
    --interactive \
    --api-key SomeRandomValueRequiredByTheTool

The --interactive argument is needed to guide in creating a token for authenticating against the feed; this token will be automatically uploaded under the appropriate Azure DevOps user account - in my case, the name of this personal access token is Azure DevOps Artifacts Credential Provider.

The --api-key SomeRandomValueRequiredByTheTool argument is mandatory, but its value, in my case SomeRandomValueRequiredByTheTool, can be some random string, it doesn't represent any real API key/token.

After the above command finishes successfully, I can see the Core.Castle 4.4.0 NuGet package in my feed.

After all local NuGet packages have been pushed, I can safely comment or remove the nuget.org source from my nuget.config file and use Azure Artifacts feed only.

Bumping on this one I just ran into it.
I was able to have it work using the nuget.exe bin which prompt me for authentication without failure.