-
Notifications
You must be signed in to change notification settings - Fork 252
Signing certificate is not trusted by the trust provider
NuGet supports signed packages, allowing restore to detect packages that were tampered with since signing. NuGet's signing is based on X.509 Public Key Infrastructure, just as encrypted HTTPS (TLS) is, which involves certificate chains and trusted Certificate Authorities. If your machine does not have the expected trusted certificate authority certificates available, then restore or installing packages may fail with errors similar to:
The author primary signature’s signing certificate is not trusted by the trust provider.
The repository countersignature’s signing certificate is not trusted by the trust provider.
First, you will need a copy of the package file (.nupkg
).
If the package you are unable to restore/install comes from nuget.org, you can go to https://www.nuget.org, find the package, and then click the "download package" link.
If you have trouble finding a way to download the package file, you can use dotnet nuget locals http-cache --list
to output the path of the HTTP cache directory, and then you can try to find the package within one of the subdirectories.
When you have a copy of the package, on a command line, you can run dotnet nuget verify [path\to\package.nupkg] --verbosity detailed
.
Example `dotnet nuget verify` output (without verification failure)
> dotnet nuget verify microsoft.maui.controls.xaml.8.0.40.nupkg --verbosity detailed
X.509 certificate chain validation will use the default trust store selected by .NET for code signing.
X.509 certificate chain validation will use the default trust store selected by .NET for timestamping.
Verifying Microsoft.Maui.Controls.Xaml.8.0.40
C:\Users\zivkan\Downloads\microsoft.maui.controls.xaml.8.0.40.nupkg
Signature Hash Algorithm: SHA256
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
SHA1 hash: F25C45D17C53D4E0D1DC9FB9DFD0731FCF904B77
SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353
Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Valid from: 2023-07-27 9:30:00 AM to 2026-10-18 10:29:59 AM
trace: Subject Name: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
trace: SHA1 hash: 7B0F360B775F76C94A12CA48445AA2D2A875701C
trace: SHA256 hash: 46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2021-04-29 9:30:00 AM to 2036-04-29 9:29:59 AM
trace: Subject Name: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
trace: SHA256 hash: 552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2013-08-01 9:30:00 PM to 2038-01-15 10:30:00 PM
Timestamp: 2024-05-14 4:03:10 AM
Verifying author primary signature's timestamp with timestamping service certificate:
Subject Name: CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US
SHA1 hash: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
SHA256 hash: D2F6E46DED7422CCD1D440576841366F828ADA559AAE3316AF4D1A9AD40C7828
Issued by: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
Valid from: 2023-07-14 9:30:00 AM to 2034-10-14 10:29:59 AM
trace: Subject Name: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
trace: SHA1 hash: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
trace: SHA256 hash: 281734D4592D1291D27190709CB510B07E22C405D5E0D6119B70E73589F98ACF
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2022-03-23 10:30:00 AM to 2037-03-23 10:29:59 AM
trace: Subject Name: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
trace: SHA256 hash: 33846B545A49C9BE4903C60E01713C1BD4E4EF31EA65CD95D69E62794F30B941
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2022-08-01 9:30:00 AM to 2031-11-10 10:29:59 AM
trace: Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace: SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2006-11-10 10:30:00 AM to 2031-11-10 10:30:00 AM
Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: Microsoft, Xamarin
Verifying the repository countersignature with certificate:
Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
SHA1 hash: C72FE7739A9EECB8EC1E4F596DB3BB74039B1DE2
SHA256 hash: 1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D
Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Valid from: 2024-02-23 10:30:00 AM to 2027-05-19 9:29:59 AM
trace: Subject Name: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
trace: SHA1 hash: 7B0F360B775F76C94A12CA48445AA2D2A875701C
trace: SHA256 hash: 46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2021-04-29 9:30:00 AM to 2036-04-29 9:29:59 AM
trace: Subject Name: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
trace: SHA256 hash: 552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2013-08-01 9:30:00 PM to 2038-01-15 10:30:00 PM
Timestamp: 2024-05-15 5:24:09 AM
Verifying repository countersignature's timestamp with timestamping service certificate:
Subject Name: CN=DigiCert Timestamp 2023, O="DigiCert, Inc.", C=US
SHA1 hash: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
SHA256 hash: D2F6E46DED7422CCD1D440576841366F828ADA559AAE3316AF4D1A9AD40C7828
Issued by: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
Valid from: 2023-07-14 9:30:00 AM to 2034-10-14 10:29:59 AM
trace: Subject Name: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
trace: SHA1 hash: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
trace: SHA256 hash: 281734D4592D1291D27190709CB510B07E22C405D5E0D6119B70E73589F98ACF
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2022-03-23 10:30:00 AM to 2037-03-23 10:29:59 AM
trace: Subject Name: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
trace: SHA256 hash: 33846B545A49C9BE4903C60E01713C1BD4E4EF31EA65CD95D69E62794F30B941
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2022-08-01 9:30:00 AM to 2031-11-10 10:29:59 AM
trace: Subject Name: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
trace: SHA256 hash: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
trace: Issued by: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2006-11-10 10:30:00 AM to 2031-11-10 10:30:00 AM
Successfully verified package 'Microsoft.Maui.Controls.Xaml.8.0.40'.
Packages may have up to two signatures, an author signature and/or repository countersignature. Each of these signatures will typically also have a timestamping service certificate. If the signature does not have a timestamp with a timestamping service certificate, then the package may become untrusted after the signing certificate's validity period ends.
Due to how X.509 PKI works, the root certificate (the last one in the certificate chain, which verify
will output as the most deeply nested certificate at detailed verbosity) needs to be trusted.
Using the example above, the repository countersignature's root certificate are these lines in the output:
trace: Subject Name: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: SHA1 hash: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
trace: SHA256 hash: 552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
trace: Valid from: 2013-08-01 9:30:00 PM to 2038-01-15 10:30:00 PM
On Windows, you can search for "manage computer certificates" (as trusted root certificates are machine configuration, not user configuration), and then open the "Trusted Root Certificate Authorities" folder.
Using PowerShell on Windows (either PowerShell Core, or Windows PowerShell), you can use Get-ChildItem Cert:\LocalMachine\Root\*
to list all of the installed trusted root certificate authority certificates.
PowerShell also makes certificates available via their SHA1 hash, so using the example above, you can also use Get-Item Cert:\LocalMachine\Root\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
to check the specific certificate is installed.
A timestamp provides public verification that the certificate used to sign the package was signed during the signing certificate's validity period. Therefore, any package without a timestamp and timestamp service certificate cannot be verified after the signing certificate expires. This is considered a package signing error, and whoever signed the package without a timestamp certificate (whether it's the author or repository) will need to sign the package again, preferably with a timestamp service so that the problem doesn't reoccur. Note that many package feeds, such as nuget.org, does not allow packages to be modified after the first upload, so if the package author did not sign the package with a timestamp service, they will need to increment the package version.
Starting from the .NET 6 SDK 6.0.400, the .NET SDK now ships Microsoft's Certificate Trust List (CTL) with the .NET SDK, which NuGet uses for signed package verification. However, as the trusted certificate list can change over time, you may need to update to a newer version of the .NET SDK to get an updated CTL.
The .NET SDK can build projects which target frameworks that are equal to, or lower than, tha major version of the .NET SDK.
For example, the .NET 8 SDK can build target frameworks net8.0
, net7.0
, net6.0
, and so on, in addition to netstandard
and .NET Framework target frameworks.
While supported versions of the .NET SDK will get updated CTLs, if you are still targeting an unsupported target framework, for example net5.0
, you will need to use a newer version of a supported .NET SDK to get the latest CTLs.
If you are running Windows 10, check these docs to see if you are affected by this known issue.
Regardless of which version of Windows you're using, Windows Update provides Windows with the Certificate Trust List (CTL), and then Windows will download root certificates on first use. Therefore, if there are failures in establishing package trust, it may be that the Windows CTL is out of date, or a root certificate has not yet been downloaded and there are problems with downloading the certificate.
Ultimately this is a Windows administration issue, so may be happening for any number of reasons outside of the control on NuGet. Some examples are, but are not limited to:
- The machine is not connected to the internet (offline machine, or offline/disconnected network)
- The machine is connected to an Active Directory or Entra ID domain, and the domain administrators are using Group Policies that affect certificate trust
- Firewall rules, either on the machine or on the network, are blocking requests to Windows Update
- Required Windows Services have been disabled or stopped
Check out the proposals in the accepted
& proposed
folders on the repository, and active PRs for proposals being discussed today.