Breyta

Deila með


NuGet Warning NU3042

NuGet 6.6.0+ on Linux and macOS only

The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>. For more information, see documentation for NU3042.
    Subject: <certificate subject>
    Fingerprint (SHA-256): <certificate fingerprint>
    Certificate (PEM):
<PEM-encoded certificate>

Issue

Warning NU3042 is raised when signed package verification failed because a root certificate was not found in the appropriate trusted root certificate bundle, either code signing or timestamping. This warning will only be raised on Linux and macOS when signed package verification is enabled, never on Windows. NU3042 should accompany an NU3018 or NU3028.

Each .NET 7+ SDK release contains two root certificate bundles sourced from the Microsoft Trusted Root Program. One certificate bundle contains all trusted roots valid for code signing, while the other contains all trusted roots valid for timestamping. NuGet uses these certificate bundles on Linux and macOS when signed package verification is enabled.

On Linux, NuGet will prefer a system-wide code signing certificate bundle over the .NET SDK's code signing certificate bundle.

The root cause for NU3042 is likely one of the following:

  • (Linux only) The system-wide code signing certificate bundle does not contain the root certificate referenced in the warning.
  • The .NET SDK's certificate bundles are out of date.

For more information, see NuGet signed-package verification.

Solution

On Linux, if you trust the certificate and are using a system-wide code signing certificate bundle, consider adding the root certificate to the bundle. This solution may not be suitable because it will grant system-wide trust.

If the .NET SDK's certificate bundles are out-of-date, update to a more recent release of the .NET SDK.

If all else fails, opt out of signed package verification by setting the environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION to false and open an issue with the NuGet team to suggest how signed package verification can be improved on your platform.

For more information, see NuGet signed-package verification.