Trusting Microsoft and .NET MAUI Toolkit NuGet Packages

While trying to restore the recent release of .NET MAUI Community Toolkit v6.0.0 and Markup Toolkit v3.3.0, I faced this issue: "This package is signed but not by a trusted signer."

A similar signing issue came up while installing the .NET MAUI workload on .NET 8 RC1. However, a workaround was provided to overcome it: bypassing the sign check and trusting NuGet as the package source.

dotnet workload install maui --skip-sign-check --source https://api.nuget.org/v3/index.json

A week later, another SDK version was released to address this issue.

As per this blog post, the current Microsoft signing certificate will expire on Thu, Oct 5, 2023, and a fresh certificate will be used to sign the packages henceforth.

Since there’s no option to skip the signing check while restoring the packages, it becomes necessary to trust those certificates or to allow untrusted sources for the NuGet packages to be restored successfully without any errors.

Package signing relies on asymmetric cryptography (mostly RSA): the package is signed with the owner's private key, and the signature can be verified with the corresponding public key, which is openly available. The thumbprint is the hash of the signing certificate; it is the value needed to identify which certificate to trust, so that a package can be validated as genuine or not.

I have provided the commands for trusting the Microsoft packages and the .NET MAUI Community Toolkit packages below.

The command format is as follows:

dotnet nuget trust certificate <name> <thumbprint> --algorithm <SHA256|SHA384|SHA512>

The name can be any user-defined value; it is only used to manage the entry. The algorithm defaults to SHA256.

For Microsoft Packages:

dotnet nuget trust certificate Microsoft2023 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353

For .NET MAUI Community Toolkit Packages:

dotnet nuget trust certificate MauiToolkit 8F8AB9AF321DCB50834BE043DD58978421DE9E40EDE67B33363BBE8653E74431

Then verify with the below command:

dotnet nuget trust list

After this, package restore will proceed smoothly without any errors.

Update: Many NuGet packages (from open-source/community contributors) rely only on NuGet's repository signing certificate and are not signed by their authors. To trust the packages from nuget.org as a whole, follow the process below.

First, download any of the NuGet packages that rely on the repository certificate. For this, go to nuget.org, browse any package (VijayAnand.MauiToolkit, for example), and click on the Download package link on the right side. Refer to the screenshot. This is necessary to extract the Thumbprint. Then run the below command.

dotnet nuget trust repository NuGet <path_to_downloaded_nuget_pkg>

Here, the path to the NuGet package can be absolute or relative to the current context.

Note the difference between the earlier command and this one: instead of trusting the signing certificate, we are now trusting the repository itself.

dotnet nuget trust repository NuGet VijayAnand.MauiToolkit.3.0.0-rc.1.nupkg

The output of the dotnet nuget trust list command differentiates between author and repository entries.

An alternate approach, without downloading the package, is the command that adds NuGet's repository service index as a trusted source (it pulls the thumbprint automatically).

dotnet nuget trust source NuGet --source-url https://api.nuget.org/v3/index.json
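The trust commands above record their entries in the trustedSigners section of nuget.config. As an added example (not code from the original post or from NuGet), the Python script below audits that section against thumbprints you have confirmed yourself. The sample config is constructed, the repository fingerprint is a placeholder, allowUntrustedRoot="true" is set only to exercise the check, and the names audit_trusted_signers and VERIFIED are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Fingerprint length in hex digits for each algorithm the trust command accepts.
HEX_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}

# Constructed sample config; the repository fingerprint is a placeholder.
SAMPLE_CONFIG = """<configuration>
  <trustedSigners>
    <author name="Microsoft2023">
      <certificate fingerprint="566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
    <author name="MauiToolkit">
      <certificate fingerprint="8F8AB9AF321DCB50834BE043DD58978421DE9E40EDE67B33363BBE8653E74431" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
    <repository name="NuGet" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000000" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>"""

# Fingerprints confirmed out of band (here: the two thumbprints from the post).
VERIFIED = {
    "Microsoft2023": {"566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353"},
    "MauiToolkit": {"8F8AB9AF321DCB50834BE043DD58978421DE9E40EDE67B33363BBE8653E74431"},
}

def audit_trusted_signers(config_xml, verified):
    """Return (signer name, issue) pairs for risky trustedSigners entries."""
    findings = []
    signers = ET.fromstring(config_xml).find("trustedSigners")
    for signer in (signers if signers is not None else []):
        name = signer.get("name", "")
        for cert in signer.findall("certificate"):
            fp = cert.get("fingerprint", "").upper()
            algo = cert.get("hashAlgorithm", "SHA256").upper()
            if not re.fullmatch(r"[0-9A-F]{%d}" % HEX_LEN.get(algo, 0), fp):
                findings.append((name, "malformed fingerprint for " + algo))
            elif fp not in verified.get(name, set()):
                findings.append((name, "fingerprint not in verified list"))
            if cert.get("allowUntrustedRoot", "false").lower() == "true":
                findings.append((name, "allowUntrustedRoot is enabled"))
        # Without an <owners> list, every package the repository signs is trusted.
        if signer.tag == "repository" and signer.find("owners") is None:
            findings.append((name, "repository trusted for all owners"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_trusted_signers(SAMPLE_CONFIG, VERIFIED):
        print(f"{name}: {issue}")
```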

Happy coding. Stay connected as we continue to learn and share the experiences from this exciting journey of being a .NET developer.

By Vijay Anand E G

A software professional with over a decade long industry experience in developing products that spans across desktop, mobile, and web.
