NU3018
dotnet
install_error
ai_generated
true
错误 NU3018: 来自源 'nuget.org' 的包 'PackageName 1.0.0' 未由受信任的签名者签名。
error NU3018: Package 'PackageName 1.0.0' from source 'nuget.org' is not signed by a trusted signer.
ID: dotnet/nuget-package-signature-verification
85%修复率
83%置信度
1证据数
2023-09-12首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| NuGet 5.11.x | active | — | — | — |
| NuGet 6.0.x | active | — | — | — |
| NuGet 6.3.x | active | — | — | — |
| NuGet 6.4.x | active | — | — | — |
根因分析
NuGet 包签名验证失败,因为包使用不受信任的证书签名,或 nuget.config 中的受信任签名者列表配置错误。
English
NuGet package signature verification fails because the package is signed with an untrusted certificate or the trusted signers list is misconfigured in nuget.config.
官方文档
https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3018解决方案
-
Add the package's signing certificate to trusted signers with proper certificate fingerprint verification.
-
Disable signature validation for specific package sources in nuget.config by setting signatureValidationMode to 'accept' only for that source.
-
Use NuGet's repository signature verification by adding the repository's service index as trusted signer.
无效尝试
常见但无效的做法:
-
95% 失败
Setting signatureValidationMode to 'accept' globally reduces security and may violate organizational policy.
-
90% 失败
Removing all trusted signers from nuget.config still requires package to be signed by a trusted root.
-
80% 失败
Adding the package author's certificate as trusted signer without verifying chain can still fail if certificate is revoked.