Edit

NuGet Warning NU3028

  • Article
  • 2 minutes to read

NuGet 4.6.0+

The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode

Issue

Certificate chain building failed for the timestamp signature. The timestamp signing certificate is untrusted, revoked, or revocation information for the certificate is unavailable.

On Windows only, this issue may occur the first time a root certificate is observed. During certificate chain building, Windows fetches relevant 3rd party root certificates on first use and adds them as locally trusted root certificates. Internally, Windows initiates this network fetch with an RPC call, and if the system is sufficiently busy, this RPC call may fail. This failure results in the root certificate not being locally trusted. For NuGet users, the resulting error is "A certification chain processed correctly but terminated in a root certificate that is not trusted by the trust provider."

Solution

Use a trusted and valid certificate. Check internet connectivity.

Revocation check mode

Note

This option is available starting from NuGet 4.8.1.

If the machine has restricted internet access (such as a build machine in a CI/CD scenario), installing/restoring a signed nuget package will result in this warning since the revocation servers are not reachable. This is expected. However, in some cases, this may have unintended concequences such as the package install/restore taking longer than usual. If that happens, you can work around it by setting the NUGET_CERT_REVOCATION_MODE environment variable to offline. This will force NuGet to check the revocation status of the certificate only against the cached certificate revocation list, and NuGet will not attempt to reach revocation servers.

Warning

It is not recommended to switch the revocation check mode to offline under normal circumstances. Doing so will cause NuGet to skip an online revocation check and perform only an offline revocation check against the cached certificate revocation list which may be out of date. This means packages where the signing certificate may have been revoked, will continue to be installed/restored, which otherwise would have failed revocation check and would not have been installed.

When the revocation check mode is set to offline, the warning will be downgraded to an informational level.

The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the certificate is not available in the cached certificate revocation list and NUGET_CERT_REVOCATION_MODE environment variable has been set to offline. For more information, visit https://aka.ms/certificateRevocationMode.

Retry untrusted root failures

Note

This option is available starting from NuGet 6.0.0 Preview 5 and only applies to the Windows-specific failure described in the Issue section.

Retrying will typically succeed. You can opt-in to an experimental, automatic retry for untrusted root failures on Windows by setting an environment variable named NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY with a value consisting of 2 comma-delimited positive integers representing retry count and sleep interval in milliseconds, respectively. There are no default values; you need to pick retry values that are sensible for you.

For example, setting the environment variable to a value of 3,1000 like so:

set NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY=3,1000

...would try up to 4 times (initial try plus 3 retries) with 1 second (1,000 ms) between each try.

Note

NU3028 is raised as an error in most cases. When NuGet’s signature validation mode is set to accept (default), NU3028 is raised as a warning in some cases.