[Bug 59360] New: [Question] How to import Root Certificates for dotnet
http://bugs.winehq.org/show_bug.cgi?id=59360 Bug ID: 59360 Summary: [Question] How to import Root Certificates for dotnet Product: Wine Version: 11.0 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: crypt32 Assignee: wine-bugs@list.winehq.org Reporter: raisumiero@gmail.com Distribution: --- I struggle with importing root certificates. I am on Ubuntu 24.04 (openssl 3.0.x) I use official wine stable 11.0 I created a new prefix and installed dotnet 6, dotnet 8, dotnet 9. I installed a tool that runs "dotnet build". dotnet downloads nuget packages. dotnet checks with the root certificates and finds the timestamp is outdated (NU3037 and NU3028). I found out that dotnet does not use Linux root certificates for verification but the root certificates managed by crypt32. I opened up control.exe and checked the certificates. Here I found no root certificates. I tried to convert certificates with openssl from Ubuntu from api.nuget.org directly (pem format -> cer format). The import mechanism of the root certificates fails with "unknown format". My question is: How do the cer format differ between openssl and the format that is used by wine for importing root certificates? How do I import ROOT certificates into wine so I can run dotnet without certificates error ? -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #1 from Ninoumier <raisumiero@gmail.com> --- I rechecked and found that the root certificates from my system are there. So this is weird because they were gone yesterday. But the errors remain. dotnet is not accepting the root certificates. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #2 from Hans Leidekker <hans@meelstraat.net> --- Can you provide minimal steps to reproduce the problem? -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #3 from Ninoumier <raisumiero@gmail.com> --- 1. Install dotnet 6 desktop runtime, dotnet 8 desktop runtime (I used winetricks) 2. Install dotnet 6 sdk, dotnet 8 sdk https://dotnet.microsoft.com/en-us/download/dotnet/6.0 https://dotnet.microsoft.com/en-us/download/dotnet/8.0 3. Download code from https://github.com/theSkyseS/Engarde-Synthesis-Patcher 4. Build ("dotnet build" should work from the main folder) This should build the project but I get nuget certificate error NU3037 and NU3028. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #4 from Ninoumier <raisumiero@gmail.com> --- A kind of workaround to fix the issue is to: 1. On Linux side create a link between /home/myuser/.nuget/packages -> /path/to/prefix/drive_c/user/myuser/.nuget/ 2. On Linux switch into the git folder with project like /path/to/prefix/drive_c/user/myuser/projects/git/... 3. dotnet restore This fixes the root certificate issue for me and afterwards I can build any project requiring nuget (not only the one that failed before). -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #5 from Hans Leidekker <hans@meelstraat.net> --- It fails because a root CA is missing on Linux (VeriSign Universal Root Certificate Authority). It has been removed in 2021 which also affected the Linux dotnet port: https://devblogs.microsoft.com/dotnet/net-5-nuget-restore-failures-on-linux-... Another workaround is to export that certificate from a Windows machine and import in Wine. It works for me if I export it as 'Base-64 encoded X.509 (.CER)'. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 Louis Lenders <xerox.xerox2000x@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xerox.xerox2000x@gmail.com --- Comment #6 from Louis Lenders <xerox.xerox2000x@gmail.com> --- *** Bug 58564 has been marked as a duplicate of this bug. *** -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #7 from Hans Leidekker <hans@meelstraat.net> --- It's kind of surprising that MS still ships this root given the long list of issues: https://wiki.mozilla.org/CA/Symantec_Issues While we could technically include it in Wine I don't think we don't want to go against the decision made by browser makers and distributions to protect their users. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=59360 --- Comment #8 from Austin English <austinenglish@gmail.com> --- (In reply to Hans Leidekker from comment #7)
It's kind of surprising that MS still ships this root given the long list of issues:
https://wiki.mozilla.org/CA/Symantec_Issues
While we could technically include it in Wine I don't think we don't want to go against the decision made by browser makers and distributions to protect their users.
Yes, but seems like something good to document on the wiki (as this certainly affects multiple applications). -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
participants (1)
-
WineHQ Bugzilla