Closed
Description
NuGet Product Used
dotnet.exe
Product Version
sdk:6.0.400
Worked before?
No response
Impact
It's more difficult to complete my work
Repro Steps & Context
Dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0.400
ADD package.nupkg .
# the line below fixes the issue
# RUN curl https://www.thawte.com/roots/thawte_Primary_Root_CA.pem >> /usr/share/dotnet/sdk/6.0.400/trustedroots/codesignctl.pem
RUN dotnet nuget verify --all -v d package.nupkg
docker build .
Log:
#6 [3/3] RUN dotnet nuget verify --all -v d package.nupkg
#6 sha256:6a29851b2c18885d4e3ae65a1695c2e38aa9d82b5df9acdd8c61b2d8717e5908
#6 0.642 X.509 certificate chain validation will use the fallback certificate bundle at '/usr/share/dotnet/sdk/6.0.400/trustedroots/codesignctl.pem'.
#6 1.766
#6 1.766 Verifying DevExtreme.AspNet.Core.22.1.4
#6 1.766 /package.nupkg
#6 1.766 Signature Hash Algorithm: SHA256
#6 1.766
#6 1.766 Signature type: Author
#6 1.766 Verifying the author primary signature with certificate:
#6 1.766 Subject Name: CN=Developer Express Incorporated, O=Developer Express Incorporated, L=Glendale, S=California, C=US
#6 1.766 SHA1 hash: A7710850362BC7974A5A0C534649AC574EB878C3
#6 1.766 SHA256 hash: 36BB68F3A2B0E22002107027E70D20BFA2C390EC009D38CE3610B3CC0144A9AF
#6 1.766 Issued by: CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
#6 1.766 Valid from: 01/15/2020 00:00:00 to 01/20/2023 23:59:59
#6 1.766 trace: Subject Name: CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
#6 1.766 trace: SHA1 hash: D00CFDBF46C98A838BC10DC4E097AE0152C461BC
#6 1.766 trace: SHA256 hash: C4D18E0A58E4EFFD17ED77C840B613EF15F551076EA92C2B77F6609A6C2557C7
#6 1.766 trace: Issued by: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
#6 1.766 trace: Valid from: 12/10/2013 00:00:00 to 12/09/2023 23:59:59
#6 1.766 trace: Subject Name: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
#6 1.766 trace: SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81
#6 1.766 trace: SHA256 hash: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F
#6 1.766 trace: Issued by: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
#6 1.766 trace: Valid from: 11/17/2006 00:00:00 to 07/16/2036 23:59:59
#6 1.766 debug: The author primary signature's certificate chain validation failed with error(s): UntrustedRoot
#6 1.766 Timestamp: 07/22/2022 09:39:53
#6 1.766 Verifying author primary signature's timestamp with timestamping service certificate:
#6 1.766 Subject Name: CN=DigiCert Timestamp 2022 - 2, O="DigiCert, Inc.", C=US
#6 1.766 SHA1 hash: 8508F386515CB3D3077DB6B4B7C07F1B4A5E41DE
#6 1.766 SHA256 hash: 9DA69015C349C6C1897845BA3582AD70C88FA4293BDB6ABE9C2BD2539279E63B
#6 1.766 Issued by: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
#6 1.766 Valid from: 03/29/2022 00:00:00 to 03/14/2033 23:59:59
#6 1.766 trace: Subject Name: CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
#6 1.766 trace: SHA1 hash: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
#6 1.766 trace: SHA256 hash: 281734D4592D1291D27190709CB510B07E22C405D5E0D6119B70E73589F98ACF
#6 1.766 trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
#6 1.766 trace: Valid from: 03/23/2022 00:00:00 to 03/22/2037 23:59:59
#6 1.766 trace: Subject Name: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
#6 1.766 trace: SHA1 hash: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
#6 1.766 trace: SHA256 hash: 552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
#6 1.766 trace: Issued by: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
#6 1.766 trace: Valid from: 08/01/2013 12:00:00 to 01/15/2038 12:00:00
#6 1.767
#6 1.767 Finished with 1 errors and 0 warnings.
#6 1.767 error: NU3018: The author primary signature's signing certificate is not trusted by the trust provider.
#6 1.767
#6 1.767 Package signature validation failed.
I found that codesignctl.pem contains 2 thawte certs:
- CN=thawte Primary Root CA - G2, OU=(c) 2007 thawte, Inc. - For authorized use only
- CN=thawte Primary Root CA - G3, OU=(c) 2008 thawte, Inc. - For authorized use only
However, the particular package requires a different root to validate successfully:
- CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized use only
Verbose Logs
No response
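The commented-out workaround in the Dockerfile appends whatever the URL returns to the fallback trust bundle. Because the verify log prints the SHA-256 hash of the root the chain needs, the append can be gated on that hash. This is an added example, not part of the original issue or of NuGet's code; `add_pinned_root`, `make_pem` and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# SHA-256 of "thawte Primary Root CA" exactly as printed in the verify log above.
THAWTE_ROOT_SHA256 = "8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F"

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 (upper-case hex) over the DER bytes of each certificate in a PEM bundle."""
    ders = (base64.b64decode("".join(b.split()), validate=True)
            for b in PEM_CERT.findall(pem_text))
    return [hashlib.sha256(d).hexdigest().upper() for d in ders]

def add_pinned_root(bundle_pem, candidate_pem, pinned_sha256):
    """Return (bundle, status); append the candidate only when it matches the pin."""
    pin = pinned_sha256.replace(":", "").upper()
    found = fingerprints(candidate_pem)
    if len(found) != 1:
        raise ValueError(f"expected exactly one certificate, got {len(found)}")
    if found[0] != pin:
        raise ValueError(f"fingerprint mismatch: got {found[0]}, pinned {pin}")
    if pin in fingerprints(bundle_pem):
        return bundle_pem, "already-trusted"
    return bundle_pem.rstrip("\n") + "\n" + candidate_pem.strip() + "\n", "added"

def make_pem(der):
    """Wrap raw bytes in PEM armor (used for the constructed samples only)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Constructed stand-ins, not real certificates: only the bytes matter for hashing.
    bundle = make_pem(b"constructed root G2") + make_pem(b"constructed root G3")
    download = make_pem(b"constructed 2006 root")
    pin = hashlib.sha256(b"constructed 2006 root").hexdigest()
    bundle, status = add_pinned_root(bundle, download, pin)
    print(status, len(fingerprints(bundle)))
    try:
        # A swapped download does not match the pin taken from the log.
        add_pinned_root(bundle, make_pem(b"tampered"), THAWTE_ROOT_SHA256)
    except ValueError as err:
        print("rejected:", err)
```

The hash in the log is computed from the chain embedded in the package, so confirm the pin against the CA's published fingerprint before relying on it.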