The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

While doing a docker build on my .NET Core project, I got the following error on all my NuGets:

> 80.19 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3028: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json';: The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/app/GradingTool.sln] > > #12 80.20 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3037: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json';: The author primary signature validity period has expired. [/app/GradingTool.sln] > > #12 80.20 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3028: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json';: The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/app/GradingTool.sln]

I never had this error before, Can someone help me figure out what the problem is?

Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:latest AS build-env
WORKDIR /app
RUN apt-get update -yq \
    && apt-get install curl gnupg -yq \
    && curl -sL https://deb.nodesource.com/setup_10.x | bash \
    && apt-get install nodejs -yq
# Copy csproj and restore as distinct layers
COPY . ./
RUN dotnet restore
RUN dotnet publish -c Release -o out

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:latest
RUN apt-get update \
    && apt-get install -y --no-install-recommends libgdiplus libc6-dev \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=build-env /app/out .
ENV ASPNETCORE_URLS="http://+:4200"
ENV ASPNETCORE_ENVIRONMENT="Production"
ENV GOOGLE_APPLICATION_CREDENTIALS="Credentials/SchoolTools-e9f260bdf56e.json"
ENV VIRTUAL_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_EMAIL="[email protected]"
EXPOSE 4200
ENTRYPOINT ["dotnet", "GradingTool.dll"]

Update: Check this announcement: https://github.com/NuGet/Announcements/issues/49

At the moment the issue appears to be related to the Debian image.

Switch to an Ubuntu or Alpine based image instead:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build-env

Follow https://github.com/NuGet/Home/issues/10491 for updates.

In the Dockerfile file, I changed from

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim

to

FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine

This worked for me!

Short answer

Replace mcr.microsoft.com/dotnet/sdk:latest

With mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim-amd64

Once they officially patch the certificate issue, go back to :latest.

Long answer

This is because of an issue in the Debian docker image you are using: mcr.microsoft.com/dotnet/sdk:latest

The :latest tag is using a Debian image (5.0.102-1-buster-slim-amd64) and Debian released a patch that generated certificate issues.

The NuGet team published new pre-release Debian images that mitigate the ca-certificate issue. See the open issue & image replacements workarounds here:

https://github.com/NuGet/Announcements/issues/49#issuecomment-768766265

Later on they'll publish the release version of SDK images (once the Debian ca-certificates package is released in Debian 10 Buster).

Using the :focal tag (Ubuntu) might solve the issue for your .NET app as well, although you must consider you are not using Debian anymore.

LATEST UPDATE: Microsoft published patched docker images using the conventional tags like sdk:5.0. It is safe to revert from :5.0.102-ca-patch-buster-slim-amd64 to :5.0

I think nuget.org is having some issues with their certificate. I'm currently getting the following for all NuGet packages from nuget.org

> error NU3037: Package 'Microsoft.NETCore.Platforms 3.1.0' from source 'https://api.nuget.org/v3/index.json';: The author primary signature validity period has expired. > > error NU3028: Package 'Microsoft.AspNetCore.Metadata 3.1.2' from source 'https://api.nuget.org/v3/index.json';: The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

As already mentioned the current updates of issue could be followed here:
https://github.com/NuGet/Home/issues/10491
To shorten your journey
Known workarounds include:

• Downgrade to .NET Core 3.1
• If using docker, change your base image from "FROM mcr.microsoft.com/dotnet/sdk:5.0" to " FROM mcr.microsoft.com/dotnet/sdk:5.0-focal" or " FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine"
• Put this inside the tag in your nuget.config to disable validation altogether (works with dotnet restore) :

> <config> <add key="signatureValidationMode" value="accept" />

You can also check the status here: https://status.nuget.org/

This change also works:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal

Better to go from Debian to Ubuntu and skip Alpine as .net Regions and Cultures are missing from Alpine! i.e sdk:5.0-focal is your best bet and does indeed fix this problem.

In case you don't want to change your base image, another way to fix this is to install the ca-certificates package.

Add this to your Dockerfile:

RUN echo "deb http://deb.debian.org/debian bullseye main" >> /etc/apt/sources.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
     ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& sed -i '$ d' /etc/apt/sources.list

Of course, this can be removed again as soon as the underlying issue is fixed.

I encountered below error in dotnet sdk 5.0.201.

> error NU3037: Package 'Microsoft.EntityFrameworkCore.Sqlite 5.0.0' from source 'https://api.nuget.org/v3/index.json';: The repository countersignature validity period has expired.

After I update the sdk to 5.0.401 and rebuild it then it is working fine.