NuGet Warning NU3028
NuGet 4.6.0+
The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode
Issue
Certificate chain building failed for the timestamp signature. The timestamp signing certificate is untrusted, revoked, or revocation information for the certificate is unavailable.
On Windows only, NU3028 may occur the first time a root certificate is observed and with the message "A certification chain processed correctly but terminated in a root certificate that is not trusted by the trust provider." If the issue is resolved with retries, there is an option which may help.
Solution
Use a trusted and valid certificate. Check internet connectivity.
For Linux and macOS, see NuGet signed-package verification. Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see NU3042.
Revocation check mode
Note
This option is available starting from NuGet 4.8.1.
If the machine has restricted internet access (such as a build machine in a CI/CD scenario), installing/restoring a signed nuget package will result in this warning since the revocation servers are not reachable. This is expected.
However, in some cases, this may have unintended concequences such as the package install/restore taking longer than usual. If that happens, you can work around it by setting the NUGET_CERT_REVOCATION_MODE
environment variable to offline
. This will force NuGet to check the revocation status of the certificate only against the cached certificate revocation list, and NuGet will not attempt to reach revocation servers.
Warning
It is not recommended to switch the revocation check mode to offline under normal circumstances. Doing so will cause NuGet to skip an online revocation check and perform only an offline revocation check against the cached certificate revocation list which may be out of date. This means packages where the signing certificate may have been revoked, will continue to be installed/restored, which otherwise would have failed revocation check and would not have been installed.
When the revocation check mode is set to offline
, the warning will be downgraded to an informational level.
The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the certificate is not available in the cached certificate revocation list and NUGET_CERT_REVOCATION_MODE environment variable has been set to offline. For more information, visit https://aka.ms/certificateRevocationMode.
Note
NU3028 is raised as an error in most cases. When NuGet’s signature validation mode is set to accept (default), NU3028 is raised as a warning in some cases.