The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

Update: Check this announcement: https://github.com/NuGet/Announcements/issues/49

At the moment the issue appears to be related to the Debian image.

Switch to an Ubuntu or Alpine based image instead:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build-env

Follow https://github.com/NuGet/Home/issues/10491 for updates.


In the Dockerfile file, I changed from

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim

to

FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine

This worked for me!


Short answer

Replace mcr.microsoft.com/dotnet/sdk:latest

With mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim-amd64

Once they officially patch the certificate issue, go back to :latest.

Long answer

This is because of an issue in the Debian docker image you are using: mcr.microsoft.com/dotnet/sdk:latest

The :latest tag is using a Debian image (5.0.102-1-buster-slim-amd64) and Debian released a patch that generated certificate issues.

The NuGet team published new pre-release Debian images that mitigate the ca-certificate issue. See the open issue & image replacements workarounds here:

https://github.com/NuGet/Announcements/issues/49#issuecomment-768766265

Later on they'll publish the release version of SDK images (once the Debian ca-certificates package is released in Debian 10 Buster).

Using the :focal tag (Ubuntu) might solve the issue for your .NET app as well, although you must consider you are not using Debian anymore.

LATEST UPDATE: Microsoft published patched docker images using the conventional tags like sdk:5.0. It is safe to revert from :5.0.102-ca-patch-buster-slim-amd64 to :5.0