Azure DevOps 管道 - dotnet restore Package 內容 Hash 驗證失敗

Question

I have setup a build pipeline in Azure DevOps for my Function App that takes advantage of nuget caching and thus the package.lock.json file. 但是，我一直遇到 package 驗證 hash 問題，例如：

2020-05-19T04:27:28.6189349Z          Package content hash validation failed for Microsoft.Extensions.DependencyInjection.2.2.0. Expected: ASF77AJjnyi9hL7IJU1KCAvnCTgI3JEwkU+D4gnKd53nFIYpibVjR6SW8tdTkkuZ+QkmIx2rPvKdTMNVPfVU9A== Actual: MZtBIwfDFork5vfjpJdG5g8wuJFt7d/y3LOSVVtDK/76wlbtz6cjltfKHqLx2TKVqTj5/c41t77m1+h20zqtPA==
2020-05-19T04:27:28.6192438Z          Package content hash validation failed for Microsoft.Extensions.DependencyInjection.Abstractions.2.2.0. Expected: 2xMk9LHz1EY+7gVG0lG4qBvkUiVjg8QNPqd2HYmEP5+PL7Ayo96EhBieAhd++Gx4yM+xN8kNqmhZdFMBHeG0HQ== Actual: f9hstgjVmr6rmrfGSpfsVOl2irKAgr1QjrSi3FgnS7kulxband50f2brRLwySAQTADPZeTdow0mpSMcoAdadCw==
2020-05-19T04:27:28.6204563Z          Package content hash validation failed for runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl.4.3.0. Expected: c3YNH1GQJbfIPJeCnr4avseugSqPrxwIqzthYyZDN6EuOyNOzq+y2KSUfRcXauya1sF4foESTgwM5e1A8arAKw== Actual: LdIvj7Bi2jiaNTqY/ezZGVXHe1KI5fjLSI026O1TjVzsmdgTP/zTF+f3nwHCjwttyhsPBEiswv0PekimPWZwWg==
2020-05-19T04:27:28.6206785Z          Package content hash validation failed for runtime.native.System.IO.Compression.4.3.0. Expected: INBPonS5QPEgn7naufQFXJEp3zX6L4bwHgJ/ZH78aBTpeNfQMtf7C6VrAFhlq2xxWBveIOWyFzQjJ8XzHMhdOQ== Actual: b+V9JC/Ii3sR659flBeaBJww111425tgjcDS1k+hqV4sGh9FALRDBvJnDtQ895gAzpPTUOFDHdqaZ2Et7BpZMg==
2020-05-19T04:27:28.6208732Z          Package content hash validation failed for runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple.4.3.0. Expected: kVXCuMTrTlxq4XOOMAysuNwsXWpYeboGddNGpIgNSZmv1b6r/s/DPk0fYMB7Q5Qo4bY68o48jt4T4y5BVecbCQ== Actual: Kh9W4agE0r/hK8AX1LvyQI2NrKHBL8pO0gRoDTdDb0LL6Ta1Z2OtFx3lOaAE0ZpCUc/dt9Wzs3rA7a3IsKdOVA==
2020-05-19T04:27:28.6210819Z          Package content hash validation failed for runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl.4.3.0. Expected: ytoewC6wGorL7KoCAvRfsgoJPJbNq+64k2SqW6JcOAebWsFUvCCYgfzQMrnpvPiEl4OrblUlhF2ji+Q1+SVLrQ== Actual: JGc0pAWRE8lB4Ucygk2pYSKbUPLlAIq6Bczf5/WF2D/VKJEPtYlVUMxk8fbl1zRfTWzSHi+VcFZlaPlWiNxeKg==
2020-05-19T04:27:28.6212827Z          Package content hash validation failed for System.Collections.Specialized.4.3.0. Expected: Epx8PoVZR0iuOnJJDzp7pWvdfMMOAvpUo95pC4ScH2mJuXkKA2Y4aR3cG9qt2klHgSons1WFh4kcGW7cSXvrxg== Actual: NoPBj0ykejqAWW4p4gGtrrL+3c84ZLSvGnHgq422ew1Rj4WKj1FA8/BCybqC111EtgcqUl6ZJNFYYS22HLgbjA==
2020-05-19T04:27:28.6214917Z          Package content hash validation failed for System.ComponentModel.Annotations.4.4.0. Expected: wohleA9W059afFBm49G4cNZJiPK5KShuC+fWxMp3wiugD/aYL7n9zmtvv8wQlh8brOca0GGROSBnz77dtwJbXQ== Actual: 29K3DQ+IGU7LBaMjTo7SI7T7X/tsMtLvz1p56LJ556Iu0Dw3pKZw5g8yCYCWMRxrOF0Hr0FU0FwW0o42y2sb3A==
2020-05-19T04:27:28.6216955Z          Package content hash validation failed for System.Runtime.Serialization.Json.4.3.0. Expected: Ma/DVHfRcOcgQFHVGafUrT7hT1IitsnmUjpNZG5xJCYrI/8wfaYKGYNZycxQyl9Nk+9IAJiMJE6RFuavRQ2WEg== Actual: CpVfOH0M/uZ5PH+M9+Gu56K0j9lJw3M+PKRegTkcrY/stOIvRUeonggxNrfBYLA5WOHL2j15KNJuTuld3x4o9w==
2020-05-19T04:27:28.6218738Z          Package content hash validation failed for System.Runtime.Serialization.Primitives.4.3.0. Expected: Wz+0KOukJGAlXjtKr+5Xpuxf8+c8739RI1C+A2BoQZT+wMCCoMDDdO8/4IRHfaVINqL78GO8dW8G2lW/e45Mcw== Actual: 2Z5t70a2SwMsfQDp9KOclaZNyQhfIga2gppq9lIUDM1A4ohTshn4JqT7ir8bvIhXgorWKYDAr6rPzEbi/nTGKg==
2020-05-19T04:27:28.6220596Z          Package content hash validation failed for System.Security.Cryptography.Csp.4.3.0. Expected: X4s/FCkEUnRGnwR3aSfVIkldBmtURMhmexALNTwpjklzxWU7yjMk7GHLKOZTNkgnWnE0q7+BCf9N2LVRWxewaA== Actual: yO2k5o+Z+DiFRBvvB9vdRRAGHi6bm02M9OWXfCqQ8K0UxD3Woc3svQheZfb7PoTEFs0kGacO0IzzMWsb6Mkeow==
2020-05-19T04:27:28.6225350Z          Package content hash validation failed for System.Security.Cryptography.OpenSsl.4.3.0. Expected: h4CEgOgv5PKVF/HwaHzJRiVboL2THYCou97zpmhjghx5frc7fIvlkY1jL+lnIQyChrJDMNEXS6r7byGif8Cy4w== Actual: vOYy7Jv9KsG3ld2hLt0GoERd82SZi4BelrbXLwI9yFBYX7kpbvUCWYo4eyevk47cuJXZ9ZLVAryANcc7iY71aA==

從概念上講，我知道它們正在發生，因為當我添加/更新包時我的機器放入鎖定文件的內容哈希與構建代理（windows-latest）正在計算的不同。 但為什么它們不同呢？

除了 c/p 構建代理正在尋找鎖定文件的哈希值之外，我該如何解決這個問題？ 我目前安裝了最新的 VS 2019 Enterprise (16.5.5)。

此外，如果有幫助，這是我正在使用的 yml 文件/

name: $(Date:yyyy.MMdd)$(Rev:.r)

trigger:
  batch: true
  branches:
    include:
      - deploy/ConfigurationAPI
  paths:
    include:
      - server/functions/ConfigurationAPI/*

variables:
  NUGET_PACKAGES: $(Pipeline.Workspace)/.nuget/packages
  ArtifactName: BuildResult
  AzureSubscription: StellaNovaAzureResources
  FunctionName: stellanovaconfigurationapi
  ResourceGroupName: Shared-ResourceGroup-WestUS
  SlotName: deployment

stages:
  - stage: Build
    jobs:
      - job: BuildApp
        displayName: Build ConfigurationAPI
        pool:
          vmImage: 'windows-latest'

        steps:
          - task: Cache@2
            displayName: Cache NuGet packages
            inputs:
              path: $(NUGET_PACKAGES)
              key: 'nuget | "$(Agent.OS)" | **/packages.lock.json,!**/bin/**'
              restoreKeys: nuget | "$(Agent.OS)"
              cacheHitVar: CACHE_RESTORED

          - task: DotNetCoreCLI@2
            displayName: Restore NuGet packages
            inputs:
              command: restore
              arguments: '--locked-mode --packages $(NUGET_PACKAGES)'
              projects: 'server/functions/ConfigurationAPI/ConfigurationAPI.csproj'

          - task: DotNetCoreCLI@2
            displayName: Build Function
            inputs:
              command: publish
              arguments: '--configuration Release --no-restore --output buildoutput'
              projects: 'server/functions/ConfigurationAPI/ConfigurationAPI.csproj'
              publishWebProjects: false
              modifyOutputPath: false
              zipAfterPublish: false

          - task: PublishSymbols@2
            displayName: Publish Symbols
            inputs:
              SearchPattern: '**/bin/**/*.pdb'
              SymbolServerType: 'TeamServices'
              SymbolsProduct: 'StellaNova.ConfigurationAPI'
              DetailedLog: false

          - task: ArchiveFiles@2
            inputs:
              rootFolderOrFile: '$(System.DefaultWorkingDirectory)/buildoutput'
              includeRootFolder: false
              archiveFile: '$(System.DefaultWorkingDirectory)/$(Build.BuildNumber).zip'

          - publish: $(System.DefaultWorkingDirectory)/$(Build.BuildNumber).zip
            artifact: $(ArtifactName)

  - stage: Release
    condition: ne(variables['Build.Reason'], 'PullRequest')
    jobs:
      - job: DeployApp
        displayName: Deploy ConfigurationAPI
        pool:
          vmImage: 'windows-latest'

        steps:
          - download: current
            artifact: BuildResult

          - task: AzureFunctionApp@1
            displayName: Deploy to slot
            inputs:
              azureSubscription: '$(AzureSubscription)'
              resourceGroupName: '$(ResourceGroupName)'
              appType: functionApp
              appName: '$(FunctionName)'
              deployToSlotOrASE: true
              slotName: '$(SlotName)'
              package: '$(Pipeline.Workspace)/$(ArtifactName)/$(Build.BuildNumber).zip'
              appSettings: -RefreshSentinelKey RefreshSentinel -AppEnvironment DEV

Answer 1

這是因為 hash function 在不同操作系統上的不同實現。

請在GitHub上查看這個建議的解決方案。

您也可以在我的博客中了解這一點。 我決定在主機代理上創建鎖定 json 文件並發布它並簽入源代碼管理。 我知道這是一項大量的工作。 但我真的希望每次都不會生成相同的文件，就像 GitHub 解決方案中介紹的那樣。

Answer 2

當 package 的來源實際上不同時，也會發生這種情況。 在我的情況下，它發生在從本地 NuGet package 源切換到托管在 Azure DevOps 中的源時。 我的本地機器仍在使用舊源，而 Azure DevOps 構建使用新源。

從 Visual Studio 中刪除本地源並清除 NuGet 緩存解決了該問題（在將新生成的packages.lock.json文件簽入到源代碼管理后）。

希望這對將來的某人有所幫助。