We will be releasing updated builds of NuGet this week to accommodate NuGet restore failures on Linux distributions. The failures are observed when updated versions of the NSS or ca-certificates packages are installed. Users of .NET 5 and .NET 6 must upgrade to the latest .NET SDK builds in order to ensure continued functional use of the .NET SDK on Linux.
We observed a first round of NuGet failures on Debian distributions in January 2021. This was due to an unfortunate confluence of events: the addition of package signature verification in .NET 5, the Microsoft Author Signing Certificate expiring, and the removal of trust of the VeriSign Universal Root Certificate Authority.
NuGet uses trusted timestamps to ensure long-term validity of signatures after the signing certificate expires. There has been an industry-wide movement to distrust the VeriSign Universal Root Certificate Authority, which affects the Symantec Time Stamping service, a popular issuer of trusted timestamps. If VeriSign is distrusted, NuGet will reject timestamps issued by Symantec, causing package signature verification to fail during your NuGet restore.
NuGet has historically relied on two key certificates:
- NuGet Microsoft Author Signing Certificate Update – Expired January 27th, 2021
- NuGet.org Repository Signing Certificate Update – Expires April 14th, 2021
The VeriSign Universal Root Certificate Authority has recently been removed from the NSS and ca-certificates packages on various Linux distributions. To avoid a repeat of the January situation, we are taking steps to prevent restore failures.
Updated .NET builds
New .NET builds will be provided with NuGet package verification disabled on Linux and macOS. The following releases are ones you’ll want to keep an eye on:
- .NET SDK 5.0.202 — April 6, 2021.
- .NET 6 Preview 3 — April 8, 2021.
Please install these builds if you use .NET 5 or .NET 6 on Linux.
New container images will be published for Alpine, Debian, and Ubuntu on both of these dates for the respective releases.
Who is affected
.NET 5+ users using dotnet restore will be affected on any operating system that has removed the VeriSign Universal Root Certification Authority. We are maintaining a list of Linux distros that are known to be affected.
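To see whether a given host or container image falls into the affected group, you can check whether its CA bundle still carries the root named above. The following is an added example, not code from NuGet or the .NET team; the bundle paths are assumed common locations and the helper names are hypothetical.

```python
import os
import ssl

# Root named in the post (spelling as in "Who is affected").
ROOT_CN = "VeriSign Universal Root Certification Authority"

# Assumption: common bundle locations; adjust for your distribution.
BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu, Alpine
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora, RHEL, CentOS
)


def common_names(ca_certs):
    """Yield subject commonName values from ssl get_ca_certs()-style dicts."""
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    yield value


def bundle_trusts_root(ca_certs, root_cn=ROOT_CN):
    """True if any loaded CA certificate carries the given subject CN."""
    wanted = root_cn.casefold()
    return any(cn.casefold() == wanted for cn in common_names(ca_certs))


def load_ca_certs(bundle_path):
    """Parse a PEM bundle with OpenSSL and return its CA certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx.get_ca_certs()


def check_host(bundles=BUNDLES):
    """Map each bundle found to True (present), False (removed) or None."""
    results = {}
    for path in bundles:
        if os.path.isfile(path):
            try:
                results[path] = bundle_trusts_root(load_ca_certs(path))
            except ssl.SSLError:
                results[path] = None  # file exists but is not a PEM bundle
    return results


if __name__ == "__main__":
    labels = {True: "present", False: "REMOVED", None: "unreadable"}
    for path, present in check_host().items():
        print(f"{path}: {ROOT_CN} is {labels[present]}")
```

A bundle reported as REMOVED, combined with a .NET 5+ SDK older than the builds listed above, is the configuration in which dotnet restore is expected to fail.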
Who is not affected
The following scenarios are known to not be affected:
- nuget CLI
- dotnet CLI – .NET Core 3.1 and earlier
- Visual Studio – .NET Core or .NET Framework
- Mono
Closing
Security is very important to us. We are putting together a plan to use a new system that will allow us to re-enable package signing verification on all supported operating systems. We will have more to share on our future plans once we are sure that all systems are once again functional.
In the meantime, please see the following announcements to get the latest details: