dotnet tool restore started failing on macOS with NU3037 and NU3028 errors after 11th February #46857
Comments
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don't forget to check out NuGet's contributing guide before submitting an issue! If you believe this issue was closed out of error, please comment to let us know. Happy Coding!
Tool restore isn't owned by NuGet so I've reopened this and tagged it correctly.
The 'verify signing' error message is coming from the SDK directly:
Based on the repository we downloaded the package from, we try to validate the package signature, but I'm wondering if a) we're doing this correctly and b) if we're adhering to the cc @nkolev92 for feedback on the signature validation process, and I guess @marcpopMSFT for thoughts on who we should get to dig into this more on our end?
A few other notes:
Also pinging @dtivel who was dealing with signature checks for NuGet packages previously.
Repository thumbprints are periodically updated. The package in question is from 2021, so you may need to include updated thumbprints in your nuget.config. I might be totally wrong here, but take a look at this post: https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-april-8th-2024/
I could try that out, but why would it only affect macOS?
I think @dtivel might be more helpful here.
FWIW, this is breaking macOS CI across most of my .NET projects because I rely on
https://github.com/dotnet/sdk/blob/main/src/Layout/redist/trustedroots/codesignctl.pem @dtivel It looks like this needs to be updated since it hasn't been since June. I thought this was supposed to happen automagically?
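What "include updated thumbprints in your nuget.config" looks like in practice, as an added illustration that is not from the thread or the SDK repository: a trustedSigners block that pins the nuget.org repository signing certificate by SHA-256 fingerprint. The fingerprint and owner values are placeholders to be replaced with the values NuGet publishes; listing both the outgoing and the incoming certificate is what keeps restores working across a rotation.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <trustedSigners>
    <!-- Repository signature policy: a package from this source must carry a
         nuget.org repository countersignature from one of the listed certificates.
         Keep the old and the new certificate side by side while a rotation is in
         progress, then drop the old one once it is no longer used. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <!-- PLACEHOLDER fingerprints: replace with the SHA-256 values NuGet publishes -->
      <certificate fingerprint="PLACEHOLDER_CURRENT_CERT_SHA256" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="PLACEHOLDER_NEW_CERT_SHA256" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <!-- Optional: additionally require that the package owners include these nuget.org accounts -->
      <owners>PLACEHOLDER_OWNER</owners>
    </repository>
  </trustedSigners>
</configuration>
```

Trusted-signer policy only has an effect where signature verification actually runs, which the thread goes on to establish is not the default on macOS.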
For servicing 9.0.200: sdk/src/Cli/dotnet/NugetPackageDownloader/NuGetPackageDownloader.cs Lines 142 to 154 in fcba596
NuGet package signing verification is disabled on macOS by default, and it will remain that way for the foreseeable future. If you choose to enable it anyway, YMMV. It is not a supported scenario. See https://learn.microsoft.com/en-us/dotnet/core/tools/nuget-signed-package-verification#macos for details. Verification is disabled on macOS for two key reasons:
I keep them up to date manually. When the Trusted Root Program team has updates relevant for code signing, I update them here. There haven't been updates to code signing roots relevant to our scenarios since June.
@joeloff, @nagilson, @marcpopMSFT, was signature verification enabled by default on macOS during
For context, this wasn't explicitly enabled. It just stopped working around the date described above without anything being changed in my code. Forcing it off with the env var doesn't fix it either. It's just flat out broken now for some reason.
Got it, @martincostello. Thank you for confirming. It sounds like there was a change that enabled it by default on macOS.
Yes, I believe that was the case.
If that's the case, the confusing part for me is why did it fail days after I merged the 9.0.200 SDK update? I'd have thought we'd have caught the problem through it failing CI in the PR (or in main immediately after merging if there was an inconsistency).
Yeah, that's been the part that's been puzzling me too, @martincostello.
But was this intentional or a regression? If it's still true that signature verification doesn't work reliably on macOS, it sounds like a regression.
I'm having the same issue when building my app on the runner image macos-14 via Azure Pipelines since yesterday. Looks like DOTNET_NUGET_SIGNATURE_VERIFICATION is enabled in its new version. Will your fix be installed on it, or do I have to make modifications to avoid this problem?
@BouleDeGommme we'll need to make a fix and release a new version, and then the Azure Pipelines images will need to install that version. No timelines as of yet but we have devs working on it now.
It sounds like macOS signature verification has never worked consistently. I wouldn't be surprised if we happened to enable it at a time when it was a bit more permissive, and Apple made a change to make it more secure, breaking this scenario. I think we should restrict signature verification to Windows and Linux by default. That'll be a small PR, so I'll go ahead and make it; then we can decide if we want it.
@edvilme is working on a PR; discussed offline.
I'm having the same issue when running
Apologies if I missed it in the thread above, but is there a workaround for now?
@mattspeterson For my pipeline using the macos-14 image, I added a task installing .NET 7 -> It fixed my problem for now.
This should be fixed by #47321 whenever that ships
What was the missing piece of the puzzle on why this took a few days to kick in after I updated to the 9.0.200 SDK, rather than immediately?
Is there an ETA for a release which includes #47321?
After reading about it for a bit, I floated that Apple may have changed how they verified signatures, as apparently they've done that in the past. I think @joeloff mentioned having found something clearer? More generally, it sounds like it's a bad idea to be trying to verify signatures on mac.
This is a perfectly valid question that I don't have a great answer to. I think I heard that it missed the upcoming release by a hair, so maybe in a month? I'm not really sure.
Describe the bug
Since February 13th (👻), the CI in Polly when running on macOS has stopped working with the error shown below.
The strange thing is this doesn't seem to correlate with any specific code change to Polly itself. We had a successful build on February 11th after updating to the .NET 9.0.200 SDK here, so it doesn't seem to correlate nicely with a change in SDK behaviour.
The runner version doesn't appear to differ either, so that would presumably rule out a change in GitHub Actions:
I don't have access to a physical MacBook but two colleagues can replicate the failure on their machines by cloning the repo and running dotnet tool restore.
The things I don't really understand are:
I've experimented with a few things in this PR to try and get more information, but with no success: App-vNext/Polly#2496. Check out the commit history and workflow run logs for more detail. For example, setting DOTNET_NUGET_SIGNATURE_VERIFICATION=false hasn't helped.
Seems like either it's failing on macOS when it shouldn't or it should be consistently failing on macOS, Linux and Windows if there is a genuine certificate trust issue.
I've also reported this here against the tool itself in case they've genuinely revoked a certificate or something, but again if that's the case I'd expect it to fail on all OSs: NuGetPackageExplorer/NuGetPackageExplorer#1698
To Reproduce
Clone App-vNext/Polly on a MacBook and run dotnet tool restore from the root of the repository.
Exceptions (if any)
Further technical details