Build issue on Gentoo

[kant2002]

Description

I'm on Gentoo with app-misc/ca-certificates-20210119.3.64 which appears include fix for certificates. Still I receive

...
/home/user/.nuget/packages/microsoft.dotnet.arcade.sdk/6.0.0-beta.21175.1/tools/Tools.proj : error NU3037: Package 'MicroBuild.Core 0.2.0' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': The repository primary signature validity period has expired.
/home/user/.nuget/packages/microsoft.dotnet.arcade.sdk/6.0.0-beta.21175.1/tools/Tools.proj : error NU3037: Package 'Microsoft.Build.Tasks.Git 1.1.0-beta-20206-02' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': The author primary signature validity period has expired.
/home/user/.nuget/packages/microsoft.dotnet.arcade.sdk/6.0.0-beta.21175.1/tools/Tools.proj : error NU3037: Package 'Microsoft.SourceLink.AzureRepos.Git 1.1.0-beta-20206-02' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': The author primary signature validity period has expired.
...

Error appears when I run ./build.sh.

When I build other projects, for example https://github.com/KirillOsenkov/MSBuildStructuredLog project builds ok.
So that gives impression that my local machine is ok, and issue probable related to AzureDevOps repository.

Configuration

$ dotnet --info

Host (useful for support):
  Version: 5.0.5
  Commit:  2f740adc14

.NET SDKs installed:
  5.0.202 [/opt/dotnet_core/sdk]

[dotnet-issue-labeler]

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[ghost]

Tagging subscribers to this area: @dotnet/runtime-infrastructure
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

I'm on Gentoo with app-misc/ca-certificates-20210119.3.64 which appears include fix for certificates. Still I receive

...
/home/user/.nuget/packages/microsoft.dotnet.arcade.sdk/6.0.0-beta.21175.1/tools/Tools.proj : error NU3037: Package 'MicroBuild.Core 0.2.0' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': The repository primary signature validity period has expired.
/home/user/.nuget/packages/microsoft.dotnet.arcade.sdk/6.0.0-beta.21175.1/tools/Tools.proj : error NU3037: Package 'Microsoft.Build.Tasks.Git 1.1.0-beta-20206-02' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': The author primary signature validity period has expired.
/home/user/.nuget/packages/microsoft.dotnet.arcade.sdk/6.0.0-beta.21175.1/tools/Tools.proj : error NU3037: Package 'Microsoft.SourceLink.AzureRepos.Git 1.1.0-beta-20206-02' from source 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json': The author primary signature validity period has expired.
...

Error appears when I run ./build.sh.

When I build other projects, for example https://github.com/KirillOsenkov/MSBuildStructuredLog project builds ok.
So that gives impression that my local machine is ok, and issue probable related to AzureDevOps repository.

Configuration

$ dotnet --info

Host (useful for support):
  Version: 5.0.5
  Commit:  2f740adc14

.NET SDKs installed:
  5.0.202 [/opt/dotnet_core/sdk]

Author:	kant2002
Assignees:	-
Labels:	area-Infrastructure, untriaged
Milestone:	-

[ericstj]

Might not be a coincidence that the cert to sign that package expired about a week ago:

@mmitche @markwilkie @tmat Should Arcade update the version referenced by default?
https://github.com/dotnet/arcade/blob/e7ede87875f41a9b3df898ae08da5ebc96e24f56/src/Microsoft.DotNet.Arcade.Sdk/tools/DefaultVersions.props#L84

[markwilkie]

Yea, somehow I thought we were floating the microbuild version. Adding FR @dotnet/dnceng

[MattGal]

Yea, somehow I thought we were floating the microbuild version. Adding FR @dotnet/dnceng

Don't we? I don't see a specific version here: https://github.com/dotnet/arcade/blob/e7ede87875f41a9b3df898ae08da5ebc96e24f56/eng/common/templates/job/job.yml#L104-L115

[ericstj]

@mmitche read above for the packages that are failing restore and where their version is specified.

It's not clear to me why more people wouldn't be seeing this, is it just that their machines previously downloaded these packages before they expired? Is there something different about NuGet validation policy? Also, isn't it a problem that NuGet didn't put a timestamp (presumably) when signing those packages? Signatures aren't expected to expire when the cert expires, that should only happen if the signature was missing a timestamp to prove that it was signed before expiration. @nkolev92 @anangaur

[ericstj]

Interesting, if manually verify with the latest nuget.exe on Windows it does verify:

C:\tools>nuget verify -All C:\Users\erics\Downloads\microbuild.core.0.2.0.nupkg

Verifying MicroBuild.Core.0.2.0
C:\Users\erics\Downloads\microbuild.core.0.2.0.nupkg

Signature Hash Algorithm: SHA256
Timestamp: 10/15/2018 11:14:49 AM

Verifying repository primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
  SHA256 hash: C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 12/22/2017 4:00:00 PM to 3/22/2029 4:59:59 PM

Signature type: Repository
nuget-v3-service-index-url: https://api.nuget.org/v3/index.json
nuget-package-owners: jkeech
Verifying the repository primary signature with certificate:
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
  SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
  Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Valid from: 4/9/2018 5:00:00 PM to 4/14/2021 5:00:00 AM


Successfully verified package 'MicroBuild.Core.0.2.0'.

Note Timestamp: 10/15/2018 11:14:49 AM

Perhaps something about NuGet on Gentoo isn't seeing that timestamp?

[dagood]

Isn't this NuGet/Announcements#56 ? dotnet/runtime's global.json requires 6.0-preview2 right now, but preview3 fixes the issue.

runtime/global.json

Line 8 in 1132baa

"dotnet": "6.0.100-preview.2.21155.3"

.NET SDKs installed:
5.0.202 [/opt/dotnet_core/sdk]

If only 5.0.202 is installed, IIRC ./build.sh downloads 6.0-preview2 for you seamlessly.

https://github.com/KirillOsenkov/MSBuildStructuredLog doesn't have a global.json requiring a specific SDK version, so it wouldn't hit this because it can use the existing 5.0.202 install, which does have the fix per the announcement.

(Nerd-sniped by the double-dnceng ping....)

[safern]

@ViktorHofer it seems like we might want to bump the required SDK to 6.0-preview3 for the next infra batch?

[mmitche]

That change just went in to arcade.

[ericstj]

Thanks @dagood, sorry to nerd-snipe, I didn't connect that but you nailed it.

@kant2002 you can try updating global.json to workaround this. Set both SDK version and dotnet to 6.0.100-preview.3.21202.5 and see if that unblocks.

[kant2002]

Such a lively discussion. Thanks for prompt replies. Changes in global.json unblocks me.

[ViktorHofer]

Unblocked by the SDK upgrade. We believe this is already or will be serviced for 5.0 and 3.x as well. Closing as not actionable by us.