DevOps Pipeline suddenly failing to access artifacts nuget feed. Unauthorised

Question

I have a problem that has randomly started happening today whereby all my DevOps Pipelines can no longer access my NuGet feed, which is a DevOps Artifact.

I have a task that is responsible for installing AzureSignTool, below is the YAML for that. I am using the windows-latest image on a Microsoft hosted agent.

- task: CmdLine@2
  displayName: 'Install AzureSignTool'
  inputs:
    script: |
      set DOTNET_SKIP_FIRST_TIME_EXPERIENCE=true
      dotnet tool install --global AzureSignTool --version 4.0.1

This is the task that is failing with the following error.

Unhandled exception: NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source . ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).

I have checked the permisisons on the feed and I can confirm that Project\Build Administrators are set as owners.

I have also tried various other things including changing the version of NuGet on the agent, changing the version of AzureSignTool etc.

What permissions / settings should I check?

Update

So I moved the RestoreNuGetPackages task before the InstallAzureSignTool and this task succeeds, so clearly it can authenticate without issue.

However the task still fails. I have even added the --ignore-failed-sources but this had no effect.

The error message has changed, but the underlying issue is the same.

[NuGet Manager] [Info] GET https://api.nuget.org/v3/registration5-gz-semver2/azuresigntool/index.json

[NuGet Manager] [Info] GET https://{ORG}.pkgs.visualstudio.com/_packaging/{GUID}/nuget/v3/registrations2-semver2/azuresigntool/index.json

[NuGet Manager] [Info] Unauthorized https://{ORG}.pkgs.visualstudio.com/_packaging/{GUID}/nuget/v3/registrations2-semver2/azuresigntool/index.json 767ms

[NuGet Manager] [Info] OK https://api.nuget.org/v3/registration5-gz-semver2/azuresigntool/index.json 1010ms

Unhandled exception: System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()

Further update

Switching image from windows-latest to windows-2019 has resolved the problem so whatever changes Microsoft have done to the latest image are problematic. However this is not an ideal solution as we have VS2022 paths for TextTransform in the project file so the build fails later in the process.

How can I raise this issue with the appropriate team at Microsoft?

Answer 1

Okay I have a found a workaround, not a solution as this is an Microsoft issue for sure with the agent image.

I have added a separate NuGet config file with no other feeds in and I pass that file as an argument to the dotnet tool install command line task. Full YAML of the task provided below.

Also to note the --ignore-failed-sources argument which according to the docs here should Treat package source failures as warnings. I think should be enough on its own, but this appear did not work, so potentially another Microsoft issue.

#Temporarily added a seperate config file due to issues with windows-latest image.
#The ignore-failed-sources argument does not appear to function correctly.
- task: CmdLine@2
  displayName: 'Install AzureSignTool'
  inputs:
    script: |
      set DOTNET_SKIP_FIRST_TIME_EXPERIENCE=true
      dotnet tool install --global AzureSignTool --version 4.0.1 --ignore-failed-sources -v d --configfile NuGetTemp.config

UPDATE:

I also found another work around, after comparing the recent changes in the image, it appears changes were made to add .NET 8, so changing the pipeline back to use .NET 6 / .NET 7 also fixed the Install AzureSignTool task. My project is .NET Framework so there were no other drawbacks to this change. Below is an example of the task added.

- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '7.x'

Answer 2

@RyanThomas, thanks for letting us know it works after changing agent from Windows-latest to Windows-2019, and the workaround shared with --ignore-failed-sources.

However, i tried to follow your steps, and the task is working with Windows-latest agent on my side， please check the details below:

Step1: Add nuget.config, i added DevOps feed, public nuget source and credential inside.

Step2: I created yaml with nuget restore task before AzureSignTool install.

steps:
- task: NuGetToolInstaller@1
  inputs:
    versionSpec: 
    checkLatest: true

- task: NuGetCommand@2
  displayName: nuget restore
  inputs:
    command: 'restore'
    restoreSolution: '$(solution)'
    feedsToUse: 'config'
    nugetConfigPath: 'nuget.config'


- task: CmdLine@2
  displayName: 'Install AzureSignTool'
  inputs:
    script: |
      set DOTNET_SKIP_FIRST_TIME_EXPERIENCE=true
      dotnet tool install --global AzureSignTool --version 4.0.1

Check the image used in pipeline log, the image is fv started, and version is 20231115.2.0, please check if it's same with yours.

And please try to add the credential in nuget.config for a check.

Edit:

Can reproduce the error 401 if i remove credentical on nuget.config, and use feed on nuget restore task.

You can report the issue on agent link.

Answer 3

I am having an issue as well suddenly. Maybe this can help someone else. I fired off a build on the 10th and it worked just fine then I ran a build yesterday and it failed even though I had no code changes or settings changed either.

My issue was: Unable to load the service index for source. This was due unauthorized access to the URL specified in the nuget.config because the implicit restore that takes place in the publish task cannot access authorized feeds. (Weird, since it was working before.) Although, I did notice that there was a change recently pushed to the virtual machine image I'm using (windows-latest).

My workaround was to add --no-restore argument to the publish task and add a explicit restore task prior to the publish task. It builds fine now.

Here is what those two steps look like now.

- task: DotNetCoreCLI@2
  inputs:
    command: 'restore'
    projects: '**/*.csproj'
    feedsToUse: 'select'
    vstsFeed: '{yourFeed}'

- task: DotNetCoreCLI@2
  displayName: 'Publish Artifact: {websiteName}'
  inputs:
    command: 'publish'
    publishWebProjects: true
    arguments: '--no-restore'

Here is what I had before:

  - task: DotNetCoreCLI@2
      displayName: 'Publish Artifact: {websiteName}'
      inputs:
        command: 'publish'
        publishWebProjects: true

Answer 4

I wasn't keen on entering credentials in the Nuget.Config file as suggested by @wade-zhou-msft so instead I removed the reference to the "problematic" NuGet feed altogether.

The NuGet.Config file I edited was: %appdata%\NuGet\NuGet.Config

Our pipeline was falling over the 'Install Azure SignTool' step as it was trying to access our Artifacts Feed. The point is, it shouldn't have to do that at this step, since it's restoring the required NuGet packages for the solution right after:

Answer 5

I encountered this problem when I upgraded a project from .Net6 to .Net8. My workaround uses two Nuget.Config files. The productive standard Nuget.Config file and a SimpleNuget.Config file just for installing/updating the AzureSignTool. The SimpleNuget.Config file is contained in the same folder as the SimpleNuget.Config file.

The '--configfile' argument selects the nuget config file that should be used.

- task: DotNetCoreCLI@2
  displayName: 'Update Azure SignTool'
  inputs:
    command: custom
    custom: tool
    arguments: 'update --global AzureSignTool --version 4.0.1 --configfile SimpleNuget.Config'
  continueOnError: true

My SimpleNuget.Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
</configuration>