Open
Description
According to dotnet docs, verification is enabled by default from dotnet 8 onwards. However, we are seeing warnings on CI indicating that this is simply not the case.
Below is the command in one of the Debian dotnet Dockerfiles and the related warning in the CI.
dotnet workload install android wasm-tools wasm-tools-net6 wasm-tools-net7
#15 10.52 Skipping NuGet package signature verification.
#15 10.52 Skipping NuGet package signature verification.
#15 10.52 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 11.73 Installing workload manifest microsoft.net.sdk.android version 35.0.61...
#15 12.08 Installing workload manifest microsoft.net.sdk.ios version 18.4.9288...
#15 12.34 Installing workload manifest microsoft.net.sdk.maccatalyst version 18.4.9288...
#15 12.56 Installing workload manifest microsoft.net.sdk.macos version 15.4.9288...
#15 12.79 Installing workload manifest microsoft.net.sdk.maui version 9.0.14...
#15 13.01 Installing workload manifest microsoft.net.sdk.tvos version 18.4.9288...
#15 13.49 Installing pack Microsoft.NET.Runtime.WebAssembly.Sdk version 9.0.4...
We may have to set the environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION=true to resolve the warning, although this might lead to SBOM generation failures for users.
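A CI guard for the warning reported above, as an added example that is not part of the original issue or of the dotnet project: it scans a saved build log for the skip message and fails the job when it appears, so a silently unverified install cannot pass unnoticed. The function names are hypothetical, the log is assumed to be plain-progress BuildKit output saved to a file, and the sample lines are constructed from the excerpt quoted in the issue.

```shell
#!/bin/sh
# Added example: fail a CI job when the build log shows that NuGet
# package signature verification was skipped. Function names are
# hypothetical; the message text is the one quoted in the issue.

SKIP_MSG='Skipping NuGet package signature verification.'

# Constructed sample log, excerpted from the lines quoted in the issue.
sample_log() {
    cat <<'EOF'
#15 10.52 Skipping NuGet package signature verification.
#15 10.52 Skipping NuGet package signature verification.
#15 10.53 Skipping NuGet package signature verification.
#15 11.73 Installing workload manifest microsoft.net.sdk.android version 35.0.61...
EOF
}

# Total number of log lines carrying the skip message (prints 0 if none).
count_skipped() {
    grep -cF -- "$SKIP_MSG" "$1" || true
}

# Print "<step> <count>" per BuildKit step (the "#15" prefix), so the
# report points at the Dockerfile instruction that skipped verification.
skipped_by_step() {
    awk -v msg="$SKIP_MSG" '
        index($0, msg) {
            step = ($1 ~ /^#[0-9]+$/) ? $1 : "(no-step)"
            n[step]++
        }
        END { for (s in n) print s, n[s] }
    ' "$1" | sort
}

# Return 1 (and report on stderr) if any skip message is present.
check_build_log() {
    total=$(count_skipped "$1")
    if [ "$total" -gt 0 ]; then
        echo "NuGet signature verification skipped $total time(s):" >&2
        skipped_by_step "$1" >&2
        return 1
    fi
    return 0
}
```

Call `check_build_log build.log` as the last step of the image build job; a non-zero status marks the job as failed.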