{"id":1970,"date":"2021-04-06T09:03:22","date_gmt":"2021-04-06T16:03:22","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=1970"},"modified":"2021-04-06T09:03:22","modified_gmt":"2021-04-06T16:03:22","slug":"net-5-nuget-restore-failures-on-linux-distributions-using-nss-or-ca-certificates","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/net-5-nuget-restore-failures-on-linux-distributions-using-nss-or-ca-certificates\/","title":{"rendered":".NET 5 NuGet Restore Failures on Linux distributions using NSS or ca-certificates"},"content":{"rendered":"<p>We will be releasing updated builds of NuGet this week to accommodate <a href=\"https:\/\/github.com\/NuGet\/Announcements\/issues\/56\">NuGet restore failures on Linux distributions<\/a>. The failures are observed when updated versions of the <code>NSS<\/code> or <code>ca-certificates<\/code> packages are installed. Users of .NET 5 and .NET 6 must upgrade to the latest .NET SDK builds in order to ensure continued functional use of the .NET SDK on Linux.<\/p>\n<p>We observed a first round of <a href=\"https:\/\/github.com\/NuGet\/Announcements\/issues\/49\">NuGet failures on Debian distributions<\/a> in January, 2021. This was due to an unfortunate confluence of events: the addition of package signature verification in .NET 5, the <a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/microsoft-author-signing-certificate-update\/\">Microsoft Author Signing Certificate expiring<\/a>, and the removal of trust of the <code>VeriSign Universal Root Certificate Authority<\/code>.<\/p>\n<p>NuGet uses trusted timestamps to ensure long-term validity of signatures after the signing certificate expires. There has been an <a href=\"https:\/\/wiki.mozilla.org\/CA:Symantec_Issues\">industry-wide movement to distrust the <code>VeriSign Universal Root Certificate Authority<\/code><\/a>, which affects the Symantec Time Stamping service, a popular issuer of trusted timestamps. 
If VeriSign is distrusted, NuGet will reject timestamps issued by Symantec, causing package signature verification to fail during your NuGet restore.<\/p>\n<p>NuGet has historically relied on two key certificates:<\/p>\n<ul>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/microsoft-author-signing-certificate-update\/\">NuGet Microsoft Author Signing Certificate Update<\/a> &#8211; Expired January 27th, 2021<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-march-15th-2021\/\">NuGet.org Repository Signing Certificate Update<\/a> &#8211; Expires April 14th, 2021<\/li>\n<\/ul>\n<p>The <code>VeriSign Universal Root Certificate Authority<\/code> has recently been removed from the <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1686854\">NSS<\/a> and <code>ca-certificates<\/code> packages on various Linux distributions. To avoid a repeat of the January situation, we are taking steps to prevent restore failures.<\/p>\n<h2>Updated .NET builds<\/h2>\n<p>New .NET builds will be provided with NuGet package verification disabled on Linux and macOS. The following releases are ones you&#8217;ll want to keep an eye on:<\/p>\n<ul>\n<li><a href=\"https:\/\/dotnet.microsoft.com\/download\/dotnet\/5.0\">.NET SDK 5.0.202<\/a> &#8212; April 6, 2021.<\/li>\n<li><a href=\"https:\/\/dotnet.microsoft.com\/download\/dotnet\/6.0\">.NET 6 Preview 3<\/a> &#8212; April 8, 2021.<\/li>\n<\/ul>\n<p>Please install these builds if you use .NET 5 or .NET 6 on Linux.<\/p>\n<p>New <a href=\"https:\/\/hub.docker.com\/_\/microsoft-dotnet\">container images<\/a> will be published for Alpine, Debian, and Ubuntu on both of these dates for the respective releases.<\/p>\n<h2>Who is affected<\/h2>\n<p>.NET 5+ users using <code>dotnet restore<\/code> will be affected on any operating system that has removed the <code>VeriSign Universal Root Certification Authority<\/code>. 
We are maintaining a list of <a href=\"https:\/\/github.com\/NuGet\/Announcements\/issues\/56\">Linux distros that are known to be affected<\/a>.<\/p>\n<h2>Who is not affected<\/h2>\n<p>The following scenarios are known to not be affected:<\/p>\n<ul>\n<li><code>nuget CLI<\/code><\/li>\n<li><code>dotnet CLI<\/code> &#8211; .NET Core 3.1 and earlier<\/li>\n<li>Visual Studio &#8211; .NET Core or .NET Framework<\/li>\n<li>Mono<\/li>\n<\/ul>\n<h2>Closing<\/h2>\n<p>Security is very important to us. We are putting together a plan to use a new system that will allow us to re-enable package signing verification on all supported operating systems. We will have more to share on our future plans once we are sure that all systems are once again functional.<\/p>\n<p>In the meantime, please see the following announcements to get the latest details:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/dotnet\/announcements\/issues\/180\">https:\/\/github.com\/dotnet\/announcements\/issues\/180<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/NuGet\/Announcements\/issues\/56\">https:\/\/github.com\/NuGet\/Announcements\/issues\/56<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We will be releasing updated builds of NuGet this week to accommodate NuGet restore failures on Linux distributions. The failures are observed when updated versions of the NSS or ca-certificates packages are installed. 
<\/p>\n","protected":false},"author":551,"featured_media":56238,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7929,7874,7928,326],"tags":[7617,7959,7886,92,104,7960],"class_list":["post-1970","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-incident","category-nuget","category-other-announcements","category-security","tag-dotnet-5","tag-net-5","tag-dotnet-restore","tag-linux","tag-nuget","tag-nuget-restore"],"acf":[],"blog_post_summary":"<p>We will be releasing updated builds of NuGet this week to accommodate NuGet restore failures on Linux distributions. The failures are observed when updated versions of the NSS or ca-certificates packages are installed. <\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/1970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/551"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=1970"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/1970\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/56238"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=1970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=1970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=1970"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}