April 6th, 2021

.NET 5 NuGet Restore Failures on Linux distributions using NSS or ca-certificates

Jon Douglas
Principal Program Manager

We will be releasing updated builds of NuGet this week to accommodate NuGet restore failures on Linux distributions. The failures are observed when updated versions of the NSS or ca-certificates packages are installed. Users of .NET 5 and .NET 6 must upgrade to the latest .NET SDK builds in order to ensure continued functional use of the .NET SDK on Linux.

We observed a first round of NuGet failures on Debian distributions in January, 2021. This was due to an unfortunate confluence of events: the addition of package signature verification in .NET 5, the Microsoft Author Signing Certificate expiring, and the removal of trust of the VeriSign Universal Root Certificate Authority.

NuGet uses trusted timestamps to ensure long-term validity of signatures after the signing certificate expires. There has been an industry-wide movement to distrust the VeriSign Universal Root Certificate Authority, which affects the Symantec Time Stamping service, a popular issuer of trusted timestamps. If VeriSign is distrusted, NuGet will reject timestamps issued by Symantec, resulting in package signature verification to fail during your NuGet restore.

NuGet has historically relied on two key certificates:

The VeriSign Universal Root Certificate Authority has recently been removed from NSS and ca-certificates packages on various Linux distributions. To prevent a similar situation as in January, we are taking steps to prevent restore failures.

Updated .NET builds

New .NET builds will be provided with NuGet package verification disabled on Linux and macOS. The following releases are ones you’ll want to keep an eye on:

Please install these builds if you use .NET 5 or .NET 6 on Linux.

New container images will be published for Alpine, Debian, and Ubuntu on both of these dates for the respective releases.

Who is affected

.NET 5+ users using dotnet restore will be affected on any operating system that has removed the VeriSign Universal Root Certification Authority. We are maintaining a list of Linux distros that are known to be affected.

Who is not affected

The following scenarios are known to not be affected:

  • nuget CLI
  • dotnet CLI – .NET Core 3.1 and earlier
  • Visual Studio – .NET Core or .NET Framework
  • Mono

Closing

Security is very important to us. We are putting together a plan to use a new system that will allow us to re-enable package signing verification on all supported operating systems. We will have more to share on our future plans once we are sure that all systems are once again functional.

In the meantime, please see the following announcements to get the latest details:

Author

Jon Douglas
Principal Program Manager

Jon Douglas is a Principal Program Manager for NuGet at Microsoft. In his spare time he is most likely spending time with his family, performing comedy improv, or playing video games.

0 comments

Discussion are closed.