build.cmd nuget error - This package is signed but not by a trusted signer #10827

Open
kk-siemens opened this issue May 5, 2025 · 6 comments

@kk-siemens

Hello,
I have problems building the repository with build.cmd.
I have many nuget related errors ("This package is signed but not by a trusted signer") like:

D:\Code\DotNet\wpf\wpf\src\Microsoft.DotNet.Wpf\tests\UnitTests\System.Xaml.Tests\System.Xaml.Tests.csproj : error NU3034: Package 'coverlet.collector 6.0.0' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': This package is signed but not by a trusted signer. [D:\Code\DotNet\wpf\wpf\Microsoft.Dotnet.Wpf.sln]
D:\Code\DotNet\wpf\wpf\src\Microsoft.DotNet.Wpf\src\System.Xaml\System.Xaml.csproj : error NU3034: Package 'Microsoft.CodeAnalysis.NetAnalyzers 8.0.0' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': This package is signed but not by a trusted signer. [D:\Code\DotNet\wpf\wpf\Microsoft.Dotnet.Wpf.sln]

How can I make the URL 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json' a trusted NuGet source?
I have tried many ways to allow untrusted sources or add the url to trusted source but nothing worked.

Thank you,
Karel

@himgoyalmicro
Contributor

@kk-siemens does the above solution provided by @lindexi resolve your query?

@himgoyalmicro himgoyalmicro added the 📭 waiting-author-feedback To request more information from author. label May 7, 2025
@kk-siemens
Author

I don't know what to add as a parameter in
nuget trusted-signers sync -Name

BTW: I tried build.cmd on a different computer and it worked well there.

Executing command "dotnet nuget trust list" (or "nuget trusted-signers list") to get trusted signers:

On the computer where it doesn't work:
Registered trusted signers:

  1. xUnit.net (.NET Foundation) [author]
    Certificate fingerprint(s):
    [U] SHA256 - 0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161

On the computer where it works:
There are no trusted signers.

@dotnet-policy-service dotnet-policy-service bot removed the 📭 waiting-author-feedback To request more information from author. label May 7, 2025
@lindexi
Member

lindexi commented May 7, 2025

@kk-siemens Can I find your %appdata%\NuGet\NuGet.Config and %ProgramFiles(x86)%\NuGet\Config\NuGet.Config files? Is there some info recorded in the two NuGet.Config files?

@kk-siemens
Author

"%ProgramFiles(x86)%\NuGet\Config\NuGet.Config" doesn't exist

"%appdata%\NuGet\NuGet.Config":

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <activePackageSource>
    <add key="nuget.org" value="https://www.nuget.org/api/v2/" />
  </activePackageSource>
  <trustedSigners>
    <author name="xUnit.net (.NET Foundation)">
      <certificate fingerprint="0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>

@lindexi
Member

lindexi commented May 7, 2025

@kk-siemens Thank you. Emmm, how about replacing the content of "%appdata%\NuGet\NuGet.Config" with

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageRestore>
    <add key="enabled" value="True" />
    <add key="automatic" value="True" />
  </packageRestore>
  <bindingRedirects>
    <add key="skip" value="False" />
  </bindingRedirects>
  <packageManagement>
    <add key="format" value="1" />
    <add key="disabled" value="False" />
  </packageManagement>
  <packageSources>
    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
    <add key="Microsoft Visual Studio Offline Packages" value="C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\" />
  </packageSources>
</configuration>

And you can back up the original "%appdata%\NuGet\NuGet.Config" before you replace the content.

If you cannot fix this issue by replacing the content, then I guess the environment variables may hold the wrong value. See https://learn.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds
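
An added example, not code from the thread's participants or from the WPF or NuGet projects: a small Python audit of the signature-trust settings in a NuGet.Config, run over trimmed copies of the two configs posted above. It assumes, consistent with the two machines compared in the thread, that a non-empty trustedSigners list causes signed packages from any other signer to be rejected (NU3034); the function name and finding labels are invented for this sketch.

```python
import xml.etree.ElementTree as ET

# Trimmed copies of the two user-level NuGet.Config variants from the thread.
FAILING = """<configuration>
  <trustedSigners>
    <author name="xUnit.net (.NET Foundation)">
      <certificate fingerprint="0D7662406AABB78B853A1901343BF9F7757492B785402172C5962D8204408161" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
  </trustedSigners>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
</configuration>"""

PROPOSED = """<configuration>
  <packageSources>
    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""

def audit(config_text):
    """Summarise the signature-trust settings of one NuGet.Config document."""
    root = ET.fromstring(config_text.encode("utf-8"))
    mode = "accept"  # NuGet's default when the key is absent
    for add in root.findall("./config/add"):
        if add.get("key") == "signatureValidationMode":
            mode = add.get("value", "accept").lower()
    signers = []
    for signer in root.findall("./trustedSigners/*"):
        if signer.tag not in ("author", "repository"):
            continue
        for cert in signer.findall("certificate"):
            signers.append({
                "kind": signer.tag, "name": signer.get("name"),
                "fingerprint": cert.get("fingerprint"),
                "allowUntrustedRoot":
                    cert.get("allowUntrustedRoot", "false").lower() == "true"})
    findings = []
    if signers:
        # Assumption (matches the thread's two machines): any entry here acts
        # as an allowlist, so signed packages from other signers are rejected.
        findings.append("allowlist-active")
    if any(s["allowUntrustedRoot"] for s in signers):
        findings.append("untrusted-root-allowed")  # chain need not reach a trusted root
    if not signers and mode != "require":
        findings.append("no-signer-pinning")  # signed packages are not pinned to any signer
    return {"mode": mode, "signers": signers, "findings": findings}
```

Running `audit` on the failing machine's config reports the lone xUnit.net entry as an active allowlist, while the proposed replacement reports no signer pinning at all, which is worth knowing before deleting the `trustedSigners` section on a machine where that pin was set deliberately.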
