Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Builds broken because package signature file entry is invalid

See original GitHub issue

As discussed on this appveyor forum, AppVeyor builds recently started breaking for me. Feodor Fitsner kindly came up with a minimal repro that suggests that the .NET Core 2.1 packages on nuget.org have bad signatures.

Repro

Create a test-nuget.csproj file with these contents:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>netcoreapp1.0;netcoreapp2.0;netcoreapp2.1</TargetFrameworks>
  </PropertyGroup>
</Project>

Rename or remove your %userprofile%\.nuget\packages folder.

Restore packages for test-nuget.csproj using msbuild:

msbuild /t:restore /p:RestoreDisableParallel=true,TreatWarningsAsErrors=true

This produces these errors:

  Restoring packages for D:\temp\test-nuget\test-nuget.csproj...
<snip/>
  Installing Microsoft.NETCore.DotNetAppHost 2.0.0.
  Installing Microsoft.NETCore.App 2.1.0.
D:\temp\test-nuget\test-nuget.csproj : error NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an in
valid value (8).
  Installing Microsoft.NETCore.DotNetHostPolicy 2.1.0.
D:\temp\test-nuget\test-nuget.csproj : error NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an in
valid value (8).
  Installing Microsoft.NETCore.Platforms 2.1.0.
D:\temp\test-nuget\test-nuget.csproj : error NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an in
valid value (8).
  Installing Microsoft.NETCore.Targets 2.1.0.
D:\temp\test-nuget\test-nuget.csproj : error NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an in
valid value (8).
  Installing NETStandard.Library 2.0.3.
  Installing Microsoft.NETCore.DotNetHostResolver 2.1.0.
D:\temp\test-nuget\test-nuget.csproj : error NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an in
valid value (8).
  Installing Microsoft.NETCore.DotNetAppHost 2.1.0.
D:\temp\test-nuget\test-nuget.csproj : error NU3005: The package signature file entry is invalid. The central directory header field 'compression method' has an in
valid value (8).
  Generating MSBuild file D:\temp\test-nuget\obj\test-nuget.csproj.nuget.g.props.
  Generating MSBuild file D:\temp\test-nuget\obj\test-nuget.csproj.nuget.g.targets.
  Restore failed in 32.27 sec for D:\temp\test-nuget\test-nuget.csproj.

Interestingly, this only repros while there are multiple target frameworks specified. Reducing it to just netcoreapp2.1 eliminates the error.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:12 (11 by maintainers)

github_iconTop GitHub Comments

1reaction
mmitchecommented, Sep 11, 2018

This is really odd. Why would it start now? 2.1.0 is ages old. Was there a change in nuget?

1reaction
nkolev92commented, Sep 11, 2018

Did some digging cause this looks weird, if you do a NuGet.exe verify -signatures on the package, for example Microsoft.NETCore.App 2.1.0, you get the same error message.

This seems to suggest that there is something wrong with this package.

The reason why it fails with multitargetting is because of the fallback folders. When you cross-target 2.x and 1.x, the new fallback folder from C:\Program Files\dotnet\sdk\NuGetFallbackFolder is not used.

When you target 2.x only, then the package is consumed from the fallback folder, instead of downloading it and installing in the global packages folder.

tl;dr;

  • The multi-targeting scenario is by design because NuGet needs to download that package.
  • Rest of it suggests that the package is not signed correctly.

@dtivel @PatoBeltran will be able to give more info on the 2nd one.

Read more comments on GitHub >

github_iconTop Results From Across the Web

NuGet Error NU3005
NuGet client tried to verify a package with a signature file which has an invalid Local File Header. Solution. Please request the package...
Read more >
Clarify steps to solve the issue regarding error NU3005 ...
Clarify steps to solve the issue regarding error NU3005: "The package signature file entry is invalid" which is possible during cloning the ...
Read more >
[SOLVED] invalid or corrupted package (PGP signature)
Delete the files mentioned as being broken and try to redownload them, in doubt change/update your top mirrors to something actively updated.
Read more >
ProGet somehow breaks signed NuGet packages
NU3005 : The package signature file entry is invalid. The central directory header field 'compression method' has an invalid value (8).
Read more >
Invalid signature file digest for Manifest main attributes ...
After build Artifacts, I get a result is a jar file. I rename it to .rar (or .zip) and open it as archive...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

On WSL Ubuntu 18.04 dotnet tool install -g Cake.Tool and Octopus.DotNet.Cli fails

Next page

global tool - appsettings.json