作者主签名的时间戳发现了一个链构建问题: 证书链中的 Untrust dRoot: self 签名证书

当我在做.NET Core 项目的 docker 构建时,我在所有 NuGets 上都得到了以下错误:

80.19/app/gradingTool.测试/分级工具。Csproj: error NU3028: Package‘ Microsoft。EntityFrameworkCore 5.0.0’from source“ https://api.nuget.org/v3/index.json”: 作者的主要签名的时间戳发现了一个链式构建问题: Untrust dRoot: 在证书链中的自签名证书[/app/gradingTool.sln ]

# 1280.20/app/gradingTool.测试/分级工具。Csproj: error NU3037: Package‘ Microsoft。EntityFrameworkCore 5.0.0’源代码“ https://api.nuget.org/v3/index.json”: 作者的主要签名有效期已过。[/app/gradingTool.sln ]

# 1280.20/app/gradingTool.测试/分级工具。Csproj: error NU3028: Package‘ Microsoft。源代码中的 EntityFrameworkCore 5.0.0’“ https://api.nuget.org/v3/index.json”: 存储库副签名的时间戳发现了一个链式构建问题: Untrust dRoot: 在证书链中的自签名证书[/app/gradingTool.sln ]

我以前从没犯过这样的错误, 有人能帮我找出问题所在吗?

文件:

FROM mcr.microsoft.com/dotnet/sdk:latest AS build-env
WORKDIR /app
RUN apt-get update -yq \
&& apt-get install curl gnupg -yq \
&& curl -sL https://deb.nodesource.com/setup_10.x | bash \
&& apt-get install nodejs -yq
# Copy csproj and restore as distinct layers
COPY . ./
RUN dotnet restore
RUN dotnet publish -c Release -o out


# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:latest
RUN apt-get update \
&& apt-get install -y --no-install-recommends libgdiplus libc6-dev \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=build-env /app/out .
ENV ASPNETCORE_URLS="http://+:4200"
ENV ASPNETCORE_ENVIRONMENT="Production"
ENV GOOGLE_APPLICATION_CREDENTIALS="Credentials/SchoolTools-e9f260bdf56e.json"
ENV VIRTUAL_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_EMAIL="wilson.silva@edutec.lu"
EXPOSE 4200
ENTRYPOINT ["dotnet", "GradingTool.dll"]
20298 次浏览
小开

I think nuget.org is having some issues with their certificate. I'm currently getting the following for all NuGet packages from nuget.org

error NU3037: Package 'Microsoft.NETCore.Platforms 3.1.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.

error NU3028: Package 'Microsoft.AspNetCore.Metadata 3.1.2' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

小开

Update: Check this announcement: https://github.com/NuGet/Announcements/issues/49

At the moment the issue appears to be related to the Debian image.

Switch to an Ubuntu or Alpine based image instead:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build-env

Follow https://github.com/NuGet/Home/issues/10491 for updates.

小开

As already mentioned the current updates of issue could be followed here:
https://github.com/NuGet/Home/issues/10491
To shorten your journey
Known workarounds include:

  • Downgrade to .NET Core 3.1
  • If using docker, change your base image from "FROM mcr.microsoft.com/dotnet/sdk:5.0" to " FROM mcr.microsoft.com/dotnet/sdk:5.0-focal" or " FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine"
  • Put this inside the tag in your nuget.config to disable validation altogether (works with dotnet restore) :

<config> <add key="signatureValidationMode" value="accept" />

You can also check the status here: https://status.nuget.org/

小开
最佳答案

In the Dockerfile file, I changed from

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim

to

FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine

This worked for me!

小开

Short answer

Replace mcr.microsoft.com/dotnet/sdk:latest

With mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim-amd64

Once they officially patch the certificate issue, go back to :latest.

Long answer

This is because of an issue in the Debian docker image you are using: mcr.microsoft.com/dotnet/sdk:latest

The :latest tag is using a Debian image (5.0.102-1-buster-slim-amd64) and Debian released a patch that generated certificate issues.

The NuGet team published new pre-release Debian images that mitigate the ca-certificate issue. See the open issue & image replacements workarounds here:

https://github.com/NuGet/Announcements/issues/49#issuecomment-768766265

Later on they'll publish the release version of SDK images (once the Debian ca-certificates package is released in Debian 10 Buster).

Using the :focal tag (Ubuntu) might solve the issue for your .NET app as well, although you must consider you are not using Debian anymore.

LATEST UPDATE: Microsoft published patched docker images using the conventional tags like sdk:5.0. It is safe to revert from :5.0.102-ca-patch-buster-slim-amd64 to :5.0

小开

This change also works:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal
小开

Better to go from Debian to Ubuntu and skip Alpine as .net Regions and Cultures are missing from Alpine! i.e sdk:5.0-focal is your best bet and does indeed fix this problem.

小开

In case you don't want to change your base image, another way to fix this is to install the ca-certificates package.

Add this to your Dockerfile:

RUN echo "deb http://deb.debian.org/debian bullseye main" >> /etc/apt/sources.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& sed -i '$ d' /etc/apt/sources.list

Of course, this can be removed again as soon as the underlying issue is fixed.

小开

I encountered below error in dotnet sdk 5.0.201.

error NU3037: Package 'Microsoft.EntityFrameworkCore.Sqlite 5.0.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature validity period has expired.

After I update the sdk to 5.0.401 and rebuild it then it is working fine.


提交答案