NuGet repository signature certificate will expire on April 14th, 2021 #58

JonDouglas opened this issue Apr 13, 2021 · 0 comments

JonDouglas commented Apr 13, 2021

Context

At 5:00AM PST on April 14th, 2021, the NuGet repository signing certificate will expire. This certificate is used to verify the content integrity of a package and protect against content tampering. When the signing certificate expires, it will fall back to a timestamp for verification.

For packages that have not been automatically re-signed by NuGet.org with an updated certificate, you may be affected by .NET 5 NuGet Restore Failures on Linux distributions using NSS or ca-certificates. Only a subset of NuGet.org packages have been re-signed with a new certificate since March 15th, 2021. Packages published to NuGet.org after March 15th, 2021 will include a new certificate and will not be affected.

Given that the NuGet Microsoft author signing certificate has already expired, you may have already run into this issue if you have a Microsoft author signed package in your environment and may already be aware of this change in behavior & resolved it.

For reference of the different types of NuGet signatures:

  • Author signature. An author signature guarantees that the package has not been modified since the author signed the package, no matter from which repository or what transport method the package is delivered. Additionally, author-signed packages provide an extra authentication mechanism to the nuget.org publishing pipeline because the signing certificate must be registered ahead of time.
  • Repository signature. Repository signatures provide an integrity guarantee for all packages in a repository whether they are author signed or not, even if those packages are obtained from a different location than the original repository where they were signed.

What we expect

We expect that Linux environments that adopt the certificate changes in nss & ca-certificates packages will cause some interruption when this repository signing certificate expires. As certificate changes are brought into stable & preview Linux releases such as Ubuntu Hirsute Hippo (21.04), Arch Linux, and others, this issue may appear when not using .NET SDK 5.0.202+.

We do not expect any new breakage on 4/14 as a result.

Symptoms

Your Linux environment may give you error messages when running dotnet restore such as:

error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

error NU3037: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.

error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

This indicates that your environment is affected by an upstream change to nss or ca-certificates packages and you'll need to update your .NET SDK to resolve it.

Solution

New .NET builds have been provided with NuGet package verification disabled on Linux and macOS.

It is recommended that you update to these builds as soon as you can to mitigate disruption on Linux environments.

Details

For more details on this incident, see the following resources:

If you run into this issue after April 14th, 2021, please provide a comment on NuGet/Home#10712
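As an added example (not part of the issue or of NuGet itself), the following script scans `dotnet restore` output for the NU3028/NU3037 lines quoted above and reports, per package, which signature failed (author primary vs. repository countersignature) and whether the cause was an untrusted root in the chain or an expired validity period. The sample log is constructed from the lines in this issue plus one unrelated error.

```python
import re

# Constructed sample restore output: the three lines quoted in the issue plus an
# unrelated NU1101 error so the filter has something to ignore.
SAMPLE_RESTORE_LOG = """
error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error NU3037: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.
error NU3028: Package 'System.Memory 4.5.3' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error NU1101: Unable to find package Does.Not.Exist. No packages exist with this id in source(s): nuget.org
"""

# Only the two signature-verification codes described in the issue.
SIGNATURE_ERROR = re.compile(
    r"error (?P<code>NU3028|NU3037): Package '(?P<id>\S+) (?P<version>\S+)' "
    r"from source '(?P<source>[^']+)': (?P<message>.+)$"
)


def parse_signature_errors(log_text):
    """Return one dict per NU3028/NU3037 line: which signature failed and why."""
    findings = []
    for line in log_text.splitlines():
        m = SIGNATURE_ERROR.search(line)
        if not m:
            continue
        msg = m.group("message")
        findings.append({
            "code": m.group("code"),
            "package": f"{m.group('id')} {m.group('version')}",
            "source": m.group("source"),
            # Which signature inside the package the failure refers to.
            "signature": "repository countersignature" if "countersignature" in msg
                         else "author primary signature",
            # UntrustedRoot points at the nss/ca-certificates trust-store change;
            # "expired" is the certificate validity period with no usable timestamp.
            "reason": "untrusted_root" if "UntrustedRoot" in msg
                      else ("expired" if "expired" in msg else "other"),
        })
    return findings


def summarize(findings):
    """Group findings by package so a CI job can list what needs an SDK update."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["package"], {"codes": set(), "reasons": set(), "signatures": set()})
        s["codes"].add(f["code"])
        s["reasons"].add(f["reason"])
        s["signatures"].add(f["signature"])
    return summary


if __name__ == "__main__":
    for pkg, s in summarize(parse_signature_errors(SAMPLE_RESTORE_LOG)).items():
        print(pkg, sorted(s["codes"]), sorted(s["reasons"]), sorted(s["signatures"]))
```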

@NuGet NuGet locked and limited conversation to collaborators Apr 13, 2021