It's not possible to push to HTTP sources specified via command line

[kekekeks]

NuGet Product Used

dotnet.exe

Product Version

9.0.102

Worked before?

Worked in .NET 8

Impact

I'm unable to use this version

Repro Steps & Context

We are specifying the local package source in our CI scripts. The URL is only accessible from CI machines and is dynamically selected based on the branch, so it can't be set in NuGet.config file.

We are running dotnet nuget push ./artifacts/packages/**/*.nupkg --api-key *** --source http://1.2.3.4/v3/index.json.
It worked previously, but now complains about HTTP sources on our local network being insecure.

The command suggest using allowInsecureConnections, but it's not possible to set that option via CLI.

Am I missing something or is that use case now broken with .NET 9 SDK?

BTW, why are you requiring an SSL cert for an IP address? How is one even supposed to get one for local IP.

[jebriede]

It looks like the option for --allow-insecure-connections does not exist for the dotnet nuget push command.
Similar to #13396, the consideration would be to add this option to dotnet nuget push.

[Nigusu-Allehu]

dotnet nuget push allows setting up your sources by using your configuration files. In addition, you can also do the same to disable TLS certificate validation.
example

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="src" value="http://test" allowInsecureConnections="true" disableTLSCertificateValidation="true"/>
  </packageSources>
</configuration>

[Nigusu-Allehu]

to learn more about configuration files: https://learn.microsoft.com/en-us/nuget/consume-packages/configuring-nuget-behavior

[koryphaee]

I can confirm this is broken in .NET 9. Pushing to a HTTP NuGet server worked fine in .NET 8 but not anymore.

[Nigusu-Allehu]

dotnet nuget push allows configuration files to define package sources and related settings. You can use these files to specify your source and disable TLS certificate validation. Here’s an example configuration:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="src" value="http://test" allowInsecureConnections="true" disableTLSCertificateValidation="true"/>
  </packageSources>
</configuration>

Similar to the restore command, push also looks for nuget.config files in your environment. If your environment already has a nuget.config file, you can modify it to include your package source with allowInsecureConnections="true" and disableTLSCertificateValidation="true".

To identify the configuration files accessible in your environment, you can run the following command:

dotnet nuget config paths

This will display the list of nuget.config files used by your script. You can edit one of these files to include your source with the required attributes.

When running the dotnet nuget push command, ensure that the --source option uses the key specified in the nuget.config file.

dotnet nuget push *.nupkg --source src

Here, src refers to the key for your package source defined in the nuget.config file example above. This approach eliminates the need to pass additional options via CLI and ensures the configuration is centralized.

[koryphaee]

Yes, I am aware of the configuration file and have set allowInsecureConnections="true" but just like @kekekeks, .NET 9 won't let me push to my HTTP feed. I rolled back to .NET 8 and it's working again.

[Nigusu-Allehu]

Thank you for the quick response! The reason this works in .NET 8 is likely because .NET 8 treats HTTP issues as warnings rather than errors. In .NET 9, however, these have been elevated to errors, though it is still possible to disable them. Based on your response, it seems like you were unable to disable the error using the allowInsecureConnections="true" attribute. To help us determine if this is a bug or expected behavior, could you please provide more details on the following?

1. When you say "won’t let me push," are you encountering any specific errors? If so, could you share the exact error messages?

2. What command are you running? For example, it’s possible that you’re using dotnet nuget push *.nupkg --source srcKey, but srcKey may not be defined as a key in your package sources configuration file.

3. Could you share your configuration file or the relevant part of it? This would help us confirm whether the allowInsecureConnections=true attribute is correctly set.