Azure DevOps Pipeline - dotnet restore 包内容哈希验证失败

Question

我在 Azure DevOps 中为我的 Function App 设置了一个构建管道，该管道利用了 nuget 缓存和 package.lock.json 文件。但是，我一直遇到包验证哈希问题，例如：

2020-05-19T04:27:28.6189349Z          Package content hash validation failed for Microsoft.Extensions.DependencyInjection.2.2.0. Expected: ASF77AJjnyi9hL7IJU1KCAvnCTgI3JEwkU+D4gnKd53nFIYpibVjR6SW8tdTkkuZ+QkmIx2rPvKdTMNVPfVU9A== Actual: MZtBIwfDFork5vfjpJdG5g8wuJFt7d/y3LOSVVtDK/76wlbtz6cjltfKHqLx2TKVqTj5/c41t77m1+h20zqtPA==
2020-05-19T04:27:28.6192438Z          Package content hash validation failed for Microsoft.Extensions.DependencyInjection.Abstractions.2.2.0. Expected: 2xMk9LHz1EY+7gVG0lG4qBvkUiVjg8QNPqd2HYmEP5+PL7Ayo96EhBieAhd++Gx4yM+xN8kNqmhZdFMBHeG0HQ== Actual: f9hstgjVmr6rmrfGSpfsVOl2irKAgr1QjrSi3FgnS7kulxband50f2brRLwySAQTADPZeTdow0mpSMcoAdadCw==
2020-05-19T04:27:28.6204563Z          Package content hash validation failed for runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl.4.3.0. Expected: c3YNH1GQJbfIPJeCnr4avseugSqPrxwIqzthYyZDN6EuOyNOzq+y2KSUfRcXauya1sF4foESTgwM5e1A8arAKw== Actual: LdIvj7Bi2jiaNTqY/ezZGVXHe1KI5fjLSI026O1TjVzsmdgTP/zTF+f3nwHCjwttyhsPBEiswv0PekimPWZwWg==
2020-05-19T04:27:28.6206785Z          Package content hash validation failed for runtime.native.System.IO.Compression.4.3.0. Expected: INBPonS5QPEgn7naufQFXJEp3zX6L4bwHgJ/ZH78aBTpeNfQMtf7C6VrAFhlq2xxWBveIOWyFzQjJ8XzHMhdOQ== Actual: b+V9JC/Ii3sR659flBeaBJww111425tgjcDS1k+hqV4sGh9FALRDBvJnDtQ895gAzpPTUOFDHdqaZ2Et7BpZMg==
2020-05-19T04:27:28.6208732Z          Package content hash validation failed for runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple.4.3.0. Expected: kVXCuMTrTlxq4XOOMAysuNwsXWpYeboGddNGpIgNSZmv1b6r/s/DPk0fYMB7Q5Qo4bY68o48jt4T4y5BVecbCQ== Actual: Kh9W4agE0r/hK8AX1LvyQI2NrKHBL8pO0gRoDTdDb0LL6Ta1Z2OtFx3lOaAE0ZpCUc/dt9Wzs3rA7a3IsKdOVA==
2020-05-19T04:27:28.6210819Z          Package content hash validation failed for runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl.4.3.0. Expected: ytoewC6wGorL7KoCAvRfsgoJPJbNq+64k2SqW6JcOAebWsFUvCCYgfzQMrnpvPiEl4OrblUlhF2ji+Q1+SVLrQ== Actual: JGc0pAWRE8lB4Ucygk2pYSKbUPLlAIq6Bczf5/WF2D/VKJEPtYlVUMxk8fbl1zRfTWzSHi+VcFZlaPlWiNxeKg==
2020-05-19T04:27:28.6212827Z          Package content hash validation failed for System.Collections.Specialized.4.3.0. Expected: Epx8PoVZR0iuOnJJDzp7pWvdfMMOAvpUo95pC4ScH2mJuXkKA2Y4aR3cG9qt2klHgSons1WFh4kcGW7cSXvrxg== Actual: NoPBj0ykejqAWW4p4gGtrrL+3c84ZLSvGnHgq422ew1Rj4WKj1FA8/BCybqC111EtgcqUl6ZJNFYYS22HLgbjA==
2020-05-19T04:27:28.6214917Z          Package content hash validation failed for System.ComponentModel.Annotations.4.4.0. Expected: wohleA9W059afFBm49G4cNZJiPK5KShuC+fWxMp3wiugD/aYL7n9zmtvv8wQlh8brOca0GGROSBnz77dtwJbXQ== Actual: 29K3DQ+IGU7LBaMjTo7SI7T7X/tsMtLvz1p56LJ556Iu0Dw3pKZw5g8yCYCWMRxrOF0Hr0FU0FwW0o42y2sb3A==
2020-05-19T04:27:28.6216955Z          Package content hash validation failed for System.Runtime.Serialization.Json.4.3.0. Expected: Ma/DVHfRcOcgQFHVGafUrT7hT1IitsnmUjpNZG5xJCYrI/8wfaYKGYNZycxQyl9Nk+9IAJiMJE6RFuavRQ2WEg== Actual: CpVfOH0M/uZ5PH+M9+Gu56K0j9lJw3M+PKRegTkcrY/stOIvRUeonggxNrfBYLA5WOHL2j15KNJuTuld3x4o9w==
2020-05-19T04:27:28.6218738Z          Package content hash validation failed for System.Runtime.Serialization.Primitives.4.3.0. Expected: Wz+0KOukJGAlXjtKr+5Xpuxf8+c8739RI1C+A2BoQZT+wMCCoMDDdO8/4IRHfaVINqL78GO8dW8G2lW/e45Mcw== Actual: 2Z5t70a2SwMsfQDp9KOclaZNyQhfIga2gppq9lIUDM1A4ohTshn4JqT7ir8bvIhXgorWKYDAr6rPzEbi/nTGKg==
2020-05-19T04:27:28.6220596Z          Package content hash validation failed for System.Security.Cryptography.Csp.4.3.0. Expected: X4s/FCkEUnRGnwR3aSfVIkldBmtURMhmexALNTwpjklzxWU7yjMk7GHLKOZTNkgnWnE0q7+BCf9N2LVRWxewaA== Actual: yO2k5o+Z+DiFRBvvB9vdRRAGHi6bm02M9OWXfCqQ8K0UxD3Woc3svQheZfb7PoTEFs0kGacO0IzzMWsb6Mkeow==
2020-05-19T04:27:28.6225350Z          Package content hash validation failed for System.Security.Cryptography.OpenSsl.4.3.0. Expected: h4CEgOgv5PKVF/HwaHzJRiVboL2THYCou97zpmhjghx5frc7fIvlkY1jL+lnIQyChrJDMNEXS6r7byGif8Cy4w== Actual: vOYy7Jv9KsG3ld2hLt0GoERd82SZi4BelrbXLwI9yFBYX7kpbvUCWYo4eyevk47cuJXZ9ZLVAryANcc7iY71aA==

从概念上讲，我知道它们正在发生，因为当我添加/更新包时，我的机器放入锁定文件中的内容散列与构建代理（windows-latest）正在计算的不同。但为什么它们不同呢？

除了 c/p 构建代理在锁定文件中寻找的哈希值之外，我该如何解决这个问题？我目前安装了最新的 VS 2019 Enterprise (16.5.5)。

此外，如果有帮助，这里是我正在使用的 yml 文件/

name: $(Date:yyyy.MMdd)$(Rev:.r)

trigger:
  batch: true
  branches:
    include:
      - deploy/ConfigurationAPI
  paths:
    include:
      - server/functions/ConfigurationAPI/*

variables:
  NUGET_PACKAGES: $(Pipeline.Workspace)/.nuget/packages
  ArtifactName: BuildResult
  AzureSubscription: StellaNovaAzureResources
  FunctionName: stellanovaconfigurationapi
  ResourceGroupName: Shared-ResourceGroup-WestUS
  SlotName: deployment

stages:
  - stage: Build
    jobs:
      - job: BuildApp
        displayName: Build ConfigurationAPI
        pool:
          vmImage: 'windows-latest'

        steps:
          - task: Cache@2
            displayName: Cache NuGet packages
            inputs:
              path: $(NUGET_PACKAGES)
              key: 'nuget | "$(Agent.OS)" | **/packages.lock.json,!**/bin/**'
              restoreKeys: nuget | "$(Agent.OS)"
              cacheHitVar: CACHE_RESTORED

          - task: DotNetCoreCLI@2
            displayName: Restore NuGet packages
            inputs:
              command: restore
              arguments: '--locked-mode --packages $(NUGET_PACKAGES)'
              projects: 'server/functions/ConfigurationAPI/ConfigurationAPI.csproj'

          - task: DotNetCoreCLI@2
            displayName: Build Function
            inputs:
              command: publish
              arguments: '--configuration Release --no-restore --output buildoutput'
              projects: 'server/functions/ConfigurationAPI/ConfigurationAPI.csproj'
              publishWebProjects: false
              modifyOutputPath: false
              zipAfterPublish: false

          - task: PublishSymbols@2
            displayName: Publish Symbols
            inputs:
              SearchPattern: '**/bin/**/*.pdb'
              SymbolServerType: 'TeamServices'
              SymbolsProduct: 'StellaNova.ConfigurationAPI'
              DetailedLog: false

          - task: ArchiveFiles@2
            inputs:
              rootFolderOrFile: '$(System.DefaultWorkingDirectory)/buildoutput'
              includeRootFolder: false
              archiveFile: '$(System.DefaultWorkingDirectory)/$(Build.BuildNumber).zip'

          - publish: $(System.DefaultWorkingDirectory)/$(Build.BuildNumber).zip
            artifact: $(ArtifactName)

  - stage: Release
    condition: ne(variables['Build.Reason'], 'PullRequest')
    jobs:
      - job: DeployApp
        displayName: Deploy ConfigurationAPI
        pool:
          vmImage: 'windows-latest'

        steps:
          - download: current
            artifact: BuildResult

          - task: AzureFunctionApp@1
            displayName: Deploy to slot
            inputs:
              azureSubscription: '$(AzureSubscription)'
              resourceGroupName: '$(ResourceGroupName)'
              appType: functionApp
              appName: '$(FunctionName)'
              deployToSlotOrASE: true
              slotName: '$(SlotName)'
              package: '$(Pipeline.Workspace)/$(ArtifactName)/$(Build.BuildNumber).zip'
              appSettings: -RefreshSentinelKey RefreshSentinel -AppEnvironment DEV

Answer 1

这是因为在不同的操作系统上散列函数的实现不同。

请在GitHub 上查看这个建议的解决方案。

您也可以在我的blog 中了解此内容。我决定在主机代理上创建锁定 json 文件并发布它并签入源代码管理。我知道这是一项大量的工作。但我真的希望每次都不像 GitHub 解决方案中那样生成相同的文件。

Answer 2

当包的来源实际上不同时，也会发生这种情况。就我而言，它发生在从本地 NuGet 包源切换到托管在 Azure DevOps 中的包源时。我的本地计算机仍在使用旧源，而 Azure DevOps 构建使用新源。

从 Visual Studio 中删除本地源并清除 NuGet 缓存解决了该问题（在将新生成的 packages.lock.json 文件签入到源代码管理之后）。

希望这对将来的某人有所帮助。