NuGet Warning NU3037
Issue
A NuGet package signature has expired. A package signature shares the same validity period as the certificate used to generate the signature. A package signature is invalid outside of that validity period. To ensure long-term validity --- even beyond the signing certificate’s validity period --- a package signature should be timestamped with a trusted timestamp. Trusted timestamps must be added while a package signature is still valid and not expired.
On Windows only, NU3037 may occur the first time a root certificate is observed and with the message "The repository primary signature validity period has expired." If the issue is resolved with retries, there is an option which may help.
Solution
- Resign the package with a non-expired certificate. Optionally, add a trusted timestamp at the time of signing to ensure long-term validity of the signature.
- For accept mode only, ignore the warning.
Note
When NuGet’s signature validation mode is set to accept (default), a package with an expired package signature is treated as an unsigned package and installed anyway. NU3037 is raised as a warning.
When NuGet’s signature validation mode is set to require, or when running the nuget verify -signatures command, NU3037 is elevated from a warning to an error.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for