Context
Users of .NET 5.0+ will receive error messages when running dotnet restore on Linux distros that include nss or ca-certificates packages.
Example:
error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error NU3037: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
The root cause is that the certificate used for signed NuGet packages recently expired. As a result, package validation uses a timestamp provider chain whose root certificate has been removed by Network Security Services (NSS), which is a popular alternative to OpenSSL.
For more information, please read Distrust of Symantec TLS Certificates and Symantec Issues.
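A triage helper for the errors quoted above, added here as an example and not part of the original announcement or of NuGet itself: it groups signing errors from restore output by package and separates packages that show the untrusted timestamp root described above from packages whose signing errors have some other cause. The function names, the verdict labels and the 'Example.Lib' package are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three errors quoted above, plus one made-up package
# ('Example.Lib') that reports an expired signature with no timestamp problem.
SRC = "https://api.nuget.org/v3/index.json"
SAMPLE_LOG = f"""\
error NU3028: Package 'System.Memory 4.5.3' from source '{SRC}': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error NU3037: Package 'System.Memory 4.5.3' from source '{SRC}': The author primary signature validity period has expired.
error NU3028: Package 'System.Memory 4.5.3' from source '{SRC}': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error NU3037: Package 'Example.Lib 1.0.0' from source '{SRC}': The author primary signature validity period has expired.
"""

ERROR_RE = re.compile(
    r"error (?P<code>NU\d{4}): Package '(?P<pkg>[^']+)' "
    r"from source '(?P<source>[^']+)': (?P<msg>.*)")
SIGNATURE_RE = re.compile(r"(author primary signature|repository countersignature)")


def parse_restore_errors(log):
    """Group NuGet signing errors (the NU3xxx codes) by 'name version'."""
    by_pkg = defaultdict(list)
    for line in log.splitlines():
        m = ERROR_RE.search(line)  # search(): real output may prefix a project path
        if m and m["code"].startswith("NU3"):
            msg, sig = m["msg"], SIGNATURE_RE.search(m["msg"])
            bad_ts_root = (m["code"] == "NU3028" and "timestamp" in msg
                           and "UntrustedRoot" in msg)
            by_pkg[m["pkg"]].append({
                "code": m["code"],
                "signature": sig.group(1) if sig else None,
                "timestamp_untrusted_root": bad_ts_root,
            })
    return dict(by_pkg)


def triage(log):
    """'known-incident' if a package shows the untrusted timestamp root, else 'investigate'."""
    return {
        pkg: "known-incident" if any(e["timestamp_untrusted_root"] for e in errs)
        else "investigate"
        for pkg, errs in parse_restore_errors(log).items()
    }


if __name__ == "__main__":
    for pkg, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:15} {pkg}")
```

A package marked 'investigate' has a signing error that the timestamp root removal does not explain, so it should be checked on its own merits.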
Affected Environments
.NET 5.0+ SDK on Linux distros that use nss 3.63+.
At this time, we are not sure of every distro that may be affected. If you're aware of an affected distro, please let us know in a comment on NuGet/Home#10712.
Below is a table that includes .NET support for Linux distros:
Linux
Additionally, here is a table of other Linux variants that may be affected but are not officially supported by .NET.
Other Linux distros
- At the time of writing, we believe other distributions will not be affected until a distribution is updated to include nss 3.63+.
Solution
Due to existing known issues with the .NET 5 signing verification feature and fallback of timestamp verification, we have decided to revoke this feature for Unix-based systems within the .NET 5+ SDK. Therefore, your experience of using dotnet restore will remain largely the same as it was in .NET Core 3.1.
New .NET builds will be provided with NuGet package verification disabled on Linux and macOS. The following releases are ones you'll want to keep an eye on:
Please install these builds if you use .NET 5 or .NET 6 on Linux.
New container images will be published for Alpine, Debian, and Ubuntu on both of these dates for the respective releases.
Stay updated
We recently blogged about this incident on the NuGet blog.
- We are continuing to investigate this issue and will let you know more as we find out.
- We will also continue posting updates on NuGet Status and @NuGet on Twitter.