问题
While doing a docker build on my .NET Core project, I got the following error on all my NuGets:
80.19 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3028: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/app/GradingTool.sln]
#12 80.20 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3037: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired. [/app/GradingTool.sln]
#12 80.20 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3028: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/app/GradingTool.sln]
I never had this error before, Can someone help me figure out what the problem is?
Dockerfile:
FROM mcr.microsoft.com/dotnet/sdk:latest AS build-env
WORKDIR /app
RUN apt-get update -yq \
&& apt-get install curl gnupg -yq \
&& curl -sL https://deb.nodesource.com/setup_10.x | bash \
&& apt-get install nodejs -yq
# Copy csproj and restore as distinct layers
COPY . ./
RUN dotnet restore
RUN dotnet publish -c Release -o out
# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:latest
RUN apt-get update \
&& apt-get install -y --no-install-recommends libgdiplus libc6-dev \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=build-env /app/out .
ENV ASPNETCORE_URLS="http://+:4200"
ENV ASPNETCORE_ENVIRONMENT="Production"
ENV GOOGLE_APPLICATION_CREDENTIALS="Credentials/SchoolTools-e9f260bdf56e.json"
ENV VIRTUAL_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_EMAIL="wilson.silva@edutec.lu"
EXPOSE 4200
ENTRYPOINT ["dotnet", "GradingTool.dll"]
回答1:
In the Dockerfile file, I changed from
FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim
to
FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine
This worked for me!
回答2:
Update: Check this announcement: https://github.com/NuGet/Announcements/issues/49
At the moment the issue appears to be related to the Debian image.
Switch to an Ubuntu or Alpine based image instead:
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build-env
Follow https://github.com/NuGet/Home/issues/10491 for updates.
回答3:
As already mentioned the current updates of issue could be followed here:
https://github.com/NuGet/Home/issues/10491
To shorten your journey
Known workarounds include:
- Downgrade to .NET Core 3.1
- If using docker, change your base image from "FROM mcr.microsoft.com/dotnet/sdk:5.0" to " FROM mcr.microsoft.com/dotnet/sdk:5.0-focal" or " FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine"
- Put this inside the tag in your nuget.config to disable validation altogether (works with dotnet restore) :
<config> <add key="signatureValidationMode" value="accept" />
You can also check the status here: https://status.nuget.org/
回答4:
I think nuget.org is having some issues with their certificate. I'm currently getting the following for all NuGet packages from nuget.org
error NU3037: Package 'Microsoft.NETCore.Platforms 3.1.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
error NU3028: Package 'Microsoft.AspNetCore.Metadata 3.1.2' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
回答5:
Short answer
Replace mcr.microsoft.com/dotnet/sdk:latest
With mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim-amd64
Once they officially patch the certificate issue, go back to :latest.
Long answer
This is because of an issue in the Debian docker image you are using:
mcr.microsoft.com/dotnet/sdk:latest
The :latest tag is using a Debian image (5.0.102-1-buster-slim-amd64) and Debian released a patch that generated certificate issues.
The NuGet team published new pre-release Debian images that mitigate the ca-certificate issue. See the open issue & image replacements workarounds here:
https://github.com/NuGet/Announcements/issues/49#issuecomment-768766265
Later on they'll publish the release version of SDK images (once the Debian ca-certificates package is released in Debian 10 Buster).
Using the :focal tag (Ubuntu) might solve the issue for your .NET app as well, although you must consider you are not using Debian anymore.
LATEST UPDATE: Microsoft published patched docker images using the conventional tags like sdk:5.0. It is safe to revert from :5.0.102-ca-patch-buster-slim-amd64 to :5.0
回答6:
This change also works:
FROM mcr.microsoft.com/dotnet/sdk:5.0-focal
回答7:
Better to go from Debian to Ubuntu and skip Alpine as .net Regions and Cultures are missing from Alpine! i.e sdk:5.0-focal is your best bet and does indeed fix this problem.
回答8:
In case you don't want to change your base image, another way to fix this is to install the ca-certificates package.
Add this to your Dockerfile:
RUN echo "deb http://deb.debian.org/debian bullseye main" >> /etc/apt/sources.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& sed -i '$ d' /etc/apt/sources.list
Of course, this can be removed again as soon as the underlying issue is fixed.
来源:https://stackoverflow.com/questions/65919460/the-author-primary-signatures-timestamp-found-a-chain-building-issue-untrusted