FS#70095 - [ca-certificates-mozilla] Certificate poblem makes it impossible to restore packages from MS

Attached to Project: Arch Linux
Opened by Sergio Tridente (TioDuke) - Saturday, 20 March 2021, 18:25 GMT
Last edited by Toolybird (Toolybird) - Tuesday, 29 November 2022, 07:32 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 13
Private No

Details

Description:
It is impossible to do a dotnet restore due to a known problem with Microsoft certificates not being trusted. The explanation for this problem can be found in the following link : https://github.com/NuGet/Announcements/issues/49 . Debian and Ubuntu have already issued a fix.

Additional info:
* package version(s) 3.63
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce: do a dotnet restore
This task depends upon

Closed by  Toolybird (Toolybird)
Tuesday, 29 November 2022, 07:32 GMT
Reason for closing:  Fixed
Additional comments about closing:  dotnet-core 5.0.5.sdk202-1
Comment by loqs (loqs) - Saturday, 20 March 2021, 18:28 GMT
Mozilla have not reverted [1] that removes the root certificates involved. Has NuGet contacted them?
Edit:
If you follow [2] and [3] does that resolve the issue?

[1] https://github.com/nss-dev/nss/commit/955c8b357c25b39be233d93efdacc99f6b5796e1
[2] https://devblogs.microsoft.com/nuget/microsoft-author-signing-certificate-update/
[3] https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-march-15th-2021/
Comment by Sergio Tridente (TioDuke) - Saturday, 20 March 2021, 21:15 GMT
Unfortunately, [2] and [3] do not solve the issue for me as it did not for many people.
Comment by loqs (loqs) - Saturday, 20 March 2021, 21:44 GMT
If you downgrade ca-certificates-mozilla to 3.62-1 can you then execute dotnet restore?
You could also try locally installing the "VeriSign Universal Root Certification Authority" certificate.
Comment by Sergio Tridente (TioDuke) - Saturday, 20 March 2021, 22:38 GMT
Yes downgrading to 3.62 allows to execute dotnet restore without problems.

Can you point me to any ressource that explains how to locally install a certificate, please?
Comment by loqs (loqs) - Saturday, 20 March 2021, 23:00 GMT
With ca-certificates-mozilla 3.62-1 installed you should have /etc/ssl/certs/VeriSign_Universal_Root_Certification_Authority.pem
Copy that into the /etc/ca-certificates/trust-source/anchors/ directory then update to ca-certificates-mozilla 3.63-1 which will run update-ca-trust extract.

For more details see https://man.archlinux.org/man/update-ca-trust.8
Comment by Sergio Tridente (TioDuke) - Saturday, 20 March 2021, 23:01 GMT
Thank you
Comment by Luca Weiss (z3ntu) - Saturday, 03 April 2021, 12:31 GMT
Linking an "announcement" from NuGet: https://github.com/NuGet/Announcements/issues/56
Comment by loqs (loqs) - Monday, 05 April 2021, 19:17 GMT
https://github.com/NuGet/NuGet.Client/pull/3979 does apply to dotnet-core 5.0.4.sdk104 but it needs to be built with ca-certificates-mozilla 3.62-1.
Could you test that? I can supply built packages if it helps.
   PKGBUILD.diff (1.4 KiB)
Comment by loqs (loqs) - Thursday, 15 April 2021, 14:18 GMT
Please try dotnet-sdk 5.0.5.sdk202-1 and ca-certificates-mozilla 3.63-1 without the additional "VeriSign Universal Root Certification Authority" certificate.
I assume the nuget package is also affected?
Comment by Gabriel Cainã (bieel1503) - Thursday, 15 April 2021, 18:52 GMT
The issue is fixed for me using the latest release '5.0.5.sdk202-1'. Thank you very much.

Loading...