SDK regression in 3.0.101 and 3.1.100 for ASP.NET Core workloads

[jkotalik]

SDK regression in 3.0.101 and 3.1.100 for ASP.NET Core workloads

The 3.0.101 and 3.1.100 versions of the .NET Core SDK have a regression which potentially causes 2.2 and 3.0/3.1 dependencies to mismatch, causing applications to fail to start when running with IIS InProcess.

For discussion see dotnet/aspnetcore#17973.

Version introduced

.NET Core SDK 3.0.101

.NET Core SDK 3.1.100

Regression details

In 3.0, we introduced the concept of a FrameworkReference for ASP.NET Core. The FrameworkReference includes all the libraries that make up ASP.NET Core. See #325 for the motivation and reason behind this change. For all libraries that are referenced in the Microsoft.AspNetCore.App framework, we ignore references in your project of a lower version. For example, if a 2.2 version of Microsoft.AspNetCore.Server.Kestrel (one of the libraries in the framework) is also separately referenced by the application, we ignore the 2.2 version when building. These update rules are defined by the PlatformManifest.txt file is part of the SDK. Any library in that list has this behavior, earlier references to those libraries are ignored.

However, in 3.0.1 and 3.1.0, we introduced a regression which removed a few select references from the PlatformManifest.txt file by mistake.

Libraries that were removed from the PlatformManifest.txt between 3.0.0 and 3.0.1:

• aspnetcorev2_inprocess.dll (previously part of the Microsoft.AspNetCore.Server.IIS package)
• System.Drawing.Common.dll
• Microsoft.Win32.SystemEvents.dll
• System.Security.Cryptography.Pkcs.dll

Libraries that were added to the PlatformManifest.txt between 3.0.0 and 3.0.1:

• Microsoft.Win32.Registry.dll
• System.Security.AccessControl.dll
• System.Security.Cryptography.Cng.dll
• System.Security.Principal.Windows.dll

The libraries that were added to the PlatformManifest.txt shouldn't adversely affect applications. However, the dependencies removed do affect applications. In particular, the aspnetcorev2_inprocess.dll native library is critical to IIS in-process hosting. Issues with this have been reported in a few places (for example dotnet/aspnetcore#17662). We've now identified this is a broader regression.

If an application references (directly or transitively) a previous version of the Microsoft.AspNetCore.Server.IIS, System.Drawing.Common, Microsoft.Win32.SystemEvents, or System.Security.Cryptography.Pkcs package, it might deploy the older dependency rather than the 3.0/3.1 dependency. This can cause assembly load failures.

Workarounds

Users may work around this issue by doing one of the following:

Remove all direct and indirect references to the affected packages.

The following packages include the aspnetcorev2_inprocess.dll native library:

• Microsoft.AspNetCore
• Microsoft.AspNetCore.Server.IIS

Other affected libraries are contained in packages with the same name. See the above lists.

The resolution is to remove these package references from your application. Be aware that they may be transitive dependencies (dependencies of other packages you depend upon).

Avoid publishing incorrect package content

If you cannot remove earlier versions of the pacakges, you can explicitly suppress those packages from publishing using ExcludeAssets:

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Server.IIS" Version="2.2.6" ExcludeAssets="All" /> 
  </ItemGroup>

</Project>

We recommend clearing out bin/obj folders before building with the above fix.