NU3018 While signing on Github Actions Ubuntu

[amusleh-spotware-com]

Hi,

I tried to use Github Actions for publishing my package but the signing is not working, the action runs on Ubuntu.

Here is action YAML:

name: Publish Nuget Package When Pre-Released

on:
  release:
    types: [prereleased]

jobs:
  build:
    runs-on: ubuntu-latest

    env:
      BUILD_CONFIG: 'Release'
      PROJECT: 'src/OpenAPI.Net/OpenAPI.Net.csproj'

    steps:
    - uses: actions/checkout@v2

    - name: Setup NuGet
      uses: NuGet/[email protected]
      with:
        nuget-api-key: ${{secrets.NUGET_API_KEY}}
        nuget-version: 'latest'

    - name: Restore dependencies
      run: nuget restore $PROJECT

    - name: Setup .NET
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: '6.0.x'

    - name: Build
      run: dotnet build $PROJECT --configuration $BUILD_CONFIG --no-restore
    
    - name: Set Execution Permission For decrypt_certificate.sh
      run: chmod +x ./decrypt_certificate.sh

    - name: Decrypt Certificate
      run: ./decrypt_certificate.sh
      env:
          CERTIFICATE_GPG_PASSPHRASE: ${{secrets.CERTIFICATE_GPG_PASSPHRASE}}

    - name: Importing Certificate
      run: sudo cp $HOME/secrets/certificate.pfx /usr/share/ca-certificates/certificate.pfx ; sudo dpkg-reconfigure ca-certificates ; sudo update-ca-certificates ; git config --global http.sslCAInfo /usr/share/ca-certificates/certificate.pfx

    - name: Sign Package
      run: nuget sign **\*.nupkg -CertificatePath $HOME/secrets/certificate.pfx -Timestamper http://timestamp.digicert.com/ -CertificatePassword ${{secrets.CERTIFICATE_PASSWORD}} -NonInteractive

    - name: Publish Package
      run: nuget push **\*.nupkg -Source 'https://api.nuget.org/v3/index.json'

    - name: Publish Symbols
      run: nuget push **\*.snupkg -Source 'https://api.nuget.org/v3/index.json'

And the error while it's running the Sign Package step:

NU3018: PartialChain: PartialChain

WARNING: NU3018: RevocationStatusUnknown: RevocationStatusUnknown

WARNING: NU3018: OfflineRevocation: OfflineRevocation

NU3018: Certificate chain validation failed.

Error: Process completed with exit code 1.

I used the same certificate file on my local Windows system and it works fine without any issue.

The certificate is not a self issued certificate.

[zivkan]

Have you tried in a Linux VM, where you can run commands interactively, and do some debugging/investigating?

I don't think that update-ca-certificates support pfx certs, and that you'll need to convert them to pem format using openssl. But I'm not 100% sure. So, my best guess is that your "Importing Certificate" step isn't working as you expect.

[amusleh-spotware-com]

Have you tried in a Linux VM, where you can run commands interactively, and do some debugging/investigating?

I don't think that update-ca-certificates support pfx certs, and that you'll need to convert them to pem format using openssl. But I'm not 100% sure. So, my best guess is that your "Importing Certificate" step isn't working as you expect.

I tired but somehow Nuget was not installing properly on my Ubuntu, I will try again and update you.

The thing is there is no resources for Nuget signing on Linux, I searched a lot and asked on stackoverflow, nobody was able to help.

And I figured how to put the certificate on a Github Action after lots of failed attempts.

If I use Windows to run the Action then there is no GPG built-in tool to decrypt the certificate file.

[zivkan]

The thing is there is no resources for Nuget signing on Linux, I searched a lot and asked on stackoverflow, nobody was able to help.

I understand it's frustrating, and I wish I could help more, but nobody in the team uses Linux day-to-day. If the certificate used to code sign was purchased from one of the big certificate authorities, where most Linux distros already trust the root certificate in the certificate chain, there should be no problems. NuGet uses standard .NET APIs, and all the low level expertise is in the .NET runtime/libraries team, but my understanding is that on Linux .NET uses libopenssl. Trying to use certificates that are not pre-trusted by the Linux distro then becomes a system administration task, not an application-specific issue. I don't know if different distros do certs differently or if they all use update-ca-certificates. Therefore, you might have more luck trying to search for generic Linux or ubuntu certificate and openssl answers, rather than NuGet specifically.

If I use Windows to run the Action then there is no GPG built-in tool to decrypt the certificate file.

Can you transform the certificate one-time into a format that Windows does support, save that in the pipeline's secret store, and then you don't need GPG tools on every build? You'll only need it once when certificates rotate.

[amusleh-spotware-com]

Anyone who is reading this in future, please check here.

And thanks zivkan for replying back!