NU3018
dotnet
install_error
ai_generated
true
error NU3018: Package 'PackageName 1.0.0' from source 'nuget.org' is not signed by a trusted signer.
ID: dotnet/nuget-package-signature-verification
Fix Rate: 85%
Confidence: 83%
Evidence: 1
First Seen: 2023-09-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| NuGet 5.11.x | active | — | — | — |
| NuGet 6.0.x | active | — | — | — |
| NuGet 6.3.x | active | — | — | — |
| NuGet 6.4.x | active | — | — | — |
Root Cause
NuGet package signature verification fails because the package is signed with an untrusted certificate or the trusted signers list is misconfigured in nuget.config.
Official Documentation
https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3018
Workarounds
- 85% success: Add the package's signing certificate to trusted signers with proper certificate fingerprint verification.
- 75% success: Disable signature validation for specific package sources in nuget.config by setting signatureValidationMode to 'accept' only for that source.
- 80% success: Use NuGet's repository signature verification by adding the repository's service index as a trusted signer.
Dead Ends
Common approaches that don't work:
- 95% fail: Setting signatureValidationMode to 'accept' globally reduces security and may violate organizational policy.
- 90% fail: Removing all trusted signers from nuget.config still requires the package to be signed by a trusted root.
- 80% fail: Adding the package author's certificate as a trusted signer without verifying the chain can still fail if the certificate is revoked.
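The workarounds and dead ends above all come down to a few settings in nuget.config. The following is an added example, not part of the original entry or of NuGet's tooling: a small Python audit that reads the `signatureValidationMode` key and the `trustedSigners` section and reports weak or malformed entries. The function name, finding codes, signer names, URL and fingerprints are constructed for illustration.

```python
import string
import xml.etree.ElementTree as ET

# Constructed sample nuget.config: signer names, URL and fingerprints are placeholders.
SAMPLE_CONFIG = f"""<configuration>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
  <trustedSigners>
    <author name="ExampleAuthor">
      <certificate fingerprint="{'0' * 64}" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </author>
    <repository name="ExampleFeed" serviceIndex="https://feed.example.test/v3/index.json">
      <certificate fingerprint="1234ABCD" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>"""

# Hex digits expected in a fingerprint for each hashAlgorithm NuGet accepts.
FINGERPRINT_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}

def audit_nuget_config(xml_text):
    """Return (code, detail) findings for signature-trust settings in a nuget.config."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = "accept"  # NuGet's default when the key is absent
    for add in root.findall("./config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            mode = add.get("value", "").lower()
    if mode != "require":
        findings.append(("mode-not-require", mode))  # signer list is not enforced
    signers = [s for tag in ("author", "repository")
               for s in root.findall(f"./trustedSigners/{tag}")]
    if mode == "require" and not signers:
        findings.append(("require-without-signers", ""))  # no package can pass
    for signer in signers:
        name = signer.get("name", "?")
        for cert in signer.findall("certificate"):
            algo = cert.get("hashAlgorithm", "SHA256").upper()
            fp = cert.get("fingerprint", "")
            if len(fp) != FINGERPRINT_LEN.get(algo) or set(fp) - set(string.hexdigits):
                findings.append(("bad-fingerprint", name))  # truncated or mistyped hash
            if cert.get("allowUntrustedRoot", "false").lower() == "true":
                findings.append(("allows-untrusted-root", name))  # chain not anchored
    return findings

if __name__ == "__main__":
    for code, detail in audit_nuget_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

An empty result means the file requires signatures, lists at least one signer, and every listed certificate has a well-formed fingerprint that must chain to a trusted root; it does not check revocation or that the fingerprint belongs to the intended publisher.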