NuGet signed-package verification options
Retry untrusted root failures
Note
This issue only applies to Windows for root certificates in the Microsoft Trusted Root Program.
During certificate chain building, Windows fetches relevant 3rd party root certificates on first use and adds them as locally trusted root certificates. Internally, Windows initiates this network fetch with an RPC call, and if the system is sufficiently busy, this RPC call may fail. This failure results in the root certificate not being locally trusted. This issue may occur the first time a root certificate is observed, but once the root certificate has been locally trusted, the issue will not recur for that certificate. Typically, chain building will succeed with retries.
For NuGet users, symptoms of this issue are that the NuGet operation will typically succeed on retry and either of the following:
- NU3028 with a message like "A certification chain processed correctly but terminated in a root certificate that is not trusted by the trust provider."
- NU3037 with a message like "The repository primary signature validity period has expired."
Note
This option is available starting from NuGet 6.0.0 and only applies to the Windows-specific failure described above. The option does not apply to any other scenario and has no effect on Linux or macOS.
Before NuGet 6.8.0 and .NET 8 SDK, this option is disabled by default.
Starting with NuGet 6.8.0 and .NET 8 SDK, this option is enabled by default on Windows. The environment variable does not need to be set explicitly unless you want to override the default value of 3,1000 or to opt out. To opt out, set the environment variable with a value of 0.
You can enable an experimental, automatic retry for untrusted root failures on Windows by setting an environment variable named NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY with a value consisting of 2 comma-delimited positive integers representing retry count and sleep interval in milliseconds, respectively. You should pick values that are sensible for you.
For example, setting the environment variable to a value of 3,1000 like so:
set NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY=3,1000
...would try up to 4 times (initial try plus 3 retries) with 1 second (1,000 ms) between each try.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for