Problem resolving Nuget Packages in Devops Build Agent due to Certificate issues

Question

We are hosting DevOps Server on Premise with one Build Agent. The Build agent behave strange if i start running NuGet restore against .NET 5.0 Project. In special against a Test Project Template from VS2019 (MS-Test Testproject). As soon as i run the Nuget restore it failed with a loot of 'NU3028' 'NU3034' 'NU3037' issues. I already updated the nuget.config but it looks like nothing is working.

OS: Windows Server 2019 V.1809 Build 17763.2300

Devops: Azure DevOps Server 2020 Update 1.1 V. 18.181.31626.1

Nuget: 6.0.0 (x64)

Devops Pipe: Devops Pipe

Output: Pipe Output

Nuget.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="VollmerPackages" value="https://devops/Vollmer/_packaging/VollmerPackages/nuget/v3/index.json" />
  </packageSources>
<trustedSigners>
  <author name="Microsoft">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>
</configuration>

if i run Nuget restore local on my VS PC, the restore runs without any errors. If i run it on the build agent server there are tons of certificate issues.

CMD output Nuget restore (build agent server):

    Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
NU3034: Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json':
Signature type: Repository
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Service index: https://api.nuget.org/v3/index.json
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Owners: dotnetframework, Microsoft
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Verifying the repository primary signature with certificate:

Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json':   Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
NU3034: Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json':
Signature type: Repository
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': Service index: https://api.nuget.org/v3/index.json
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json':   SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json':   SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json':   Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json':   Valid from: 10.04.2018 02:00:00 to 14.04.2021 14:00:00
NU3037: Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': The repository primary signature validity period has expired.
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': Owners: dotnetframework, Microsoft
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': Verifying the repository primary signature with certificate:

Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json':   Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json':   SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json':   SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json':   Issued by: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json':   Valid from: 10.04.2018 02:00:00 to 14.04.2021 14:00:00
NU3037: Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': The repository primary signature validity period has expired.
Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Timestamp: 05.10.2018 16:36:21

Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Verifying repository primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: 625AEC3AE4EDA1D169C4EE909E85B3BBC61076D3
  SHA256 hash: CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 02.01.2017 01:00:00 to 02.04.2028 01:59:59

NU3028: Package 'runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': The repository primary signature's timestamping certificate is not trusted by the trust provider.
Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': Timestamp: 13.12.2018 23:56:51

Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': Verifying repository primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=Symantec SHA256 TimeStamping Signer - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SHA1 hash: 625AEC3AE4EDA1D169C4EE909E85B3BBC61076D3
  SHA256 hash: CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67
  Issued by: CN=Symantec SHA256 TimeStamping CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Valid from: 02.01.2017 01:00:00 to 02.04.2028 01:59:59

NU3028: Package 'System.Runtime.Handles 4.0.1' from source 'https://api.nuget.org/v3/index.json': The repository primary signature's timestamping certificate is not trusted by the trust provider.
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
NU3034: Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json':
Signature type: Repository
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json': Service index: https://api.nuget.org/v3/index.json
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json': Owners: dotnetframework, Microsoft
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json': Verifying the repository primary signature with certificate:

Package 'runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
Package 'System.Threading.Tasks.Extensions 4.0.0' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
NU3034: Package 'System.Threading.Tasks.Extensions 4.0.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
Package 'System.IO.FileSystem 4.0.1' from source 'https://api.nuget.org/v3/index.json': Signature Hash Algorithm: SHA256
NU3034: Package 'System.IO.FileSystem 4.0.1' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json':   Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
NU3034: Package 'runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'System.Threading.Tasks.Extensions 4.0.0' from source 'https://api.nuget.org/v3/index.json':
Signature type: Repository
NU3034: Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json':
Signature type: Repository
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json': Service index: https://api.nuget.org/v3/index.json
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json': Owners: dotnetframework, Microsoft
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json': Verifying the repository primary signature with certificate:

Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json':   Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json':   SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
Package 'System.IO.FileSystem.Primitives 4.0.1' from source 'https://api.nuget.org/v3/index.json':   SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json':   SHA1 hash: 8FB6D7FCF7AD49EB774446EFE778B33365BB7BFB
Package 'System.Diagnostics.Tools 4.0.1' from source 'https://api.nuget.org/v3/index.json':   SHA256 hash: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
Package 'System.IO.FileSystem 4.0.1' from source 'https://api.nuget.org/v3/index.json':
Signature type: Repository
Package 'System.IO.FileSystem 4.0.1' from source 'https://api.nuget.org/v3/index.json': Service index: https://api.nuget.org/v3/index.json
Package 'System.IO.FileSystem 4.0.1' from source 'https://api.nuget.org/v3/index.json': Owners: dotnetframework, Microsoft
Package 'System.IO.FileSystem 4.0.1' from source 'https://api.nuget.org/v3/index.json': Verifying the repository primary signature with certificate:
....

Any suggestions would be greatly appreciated

Btw it doesn't even change if i use dotnet restore insted of nuget restore. both behave same on server. Latest SDK 6.0.100 is installed on build server....

UPDATE: Found a way to ignore all upcomming Issues relating the Certificates by add all SHA256 fingerprints to 'trustedSigners' block and by setting the 'allowUntrustedRott' to true, i ignore the errors and the packages getting installed. This is still an ugly workaround dealing with untrusted Certificates but it's the only possibility i figured out so far.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
      <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
      
    </packageSources>
    <config>
      <add key="signatureValidationMode" value="accept" />
    </config>
    <packageRestore>
        <add key="enabled" value="True" />
        <add key="automatic" value="True" />
    </packageRestore>
    <trustedSigners>
      <author name="Microsoft">
        <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
        <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      </author>
      <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
        <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
        <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
        <certificate fingerprint=" CF7AC17AD047ECD5FDC36822031B12D4EF078B6F2B4C5E6BA41F8FF2CF4BAD67" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
        <certificate fingerprint="C474CE76007D02394E0DA5E4DE7C14C680F9E282013CFEF653EF5DB71FDF61F8" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      </repository>
    </trustedSigners>
</configuration>

Answer 1

The Issuer of the Symantec SHA256 TimeStamping Signer - G2, is her: https://crt.sh/?q=Symantec+SHA256+TimeStamping+CA and was issued itself by https://crt.sh/?caid=1110

Put the first one in the ROOT store of the LocalMachine and the second on in IntermediateCA.

Seems like the CTLs updates are disabled: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)