We've been having problems with nuget restores of Microsoft packages on our build server taking an extremely long time. As an example, Microsoft.Extensions.Configuration took 3 minutes to get "added":
[10:16:07] : [restore] Restoring NuGet package Microsoft.Extensions.Configuration.9.0.0.
[10:16:07] : [restore] Adding package 'Microsoft.Extensions.Configuration.9.0.0' to folder 'xxx'
[10:19:38] : [restore] Added package 'Microsoft.Extensions.Configuration.9.0.0' to folder 'xxx'
Whereas a locally developed package took milliseconds as expected (I've hidden the package name):
[10:16:07] : [restore] Restoring NuGet package XYZ.
[10:16:07] : [restore] Adding package 'XYZ' to folder 'xxx'
[10:16:07] : [restore] Added package 'XYZ' to folder 'xxx'
We're seeing this with virtually all Microsoft packages, the result being that a nuget restore with many packages that should take a minute takes almost 20.
Does anyone have any insight into what's happening here? My understanding is that this is basically just an extraction of the zip and a local file copy. How could it take so long and why would it be isolated to only these packages?
Some additional information:
Our build server is isolated and has no internet access. I've tried the same nuget commands on my desktop (which has internet access) and all packages - including the Microsoft ones - install in milliseconds. If we turn on temporary internet access for our build server, the problem seems to go away but only for a limited time. A day later, a week later, the long restore times return. Based on this, our network team has theorized that perhaps the Microsoft packages are calling out to the internet, maybe a certificate check or revocation ... at any rate, internet access for our build server is a no-go from a security perspective.
We thought this might be related to disk space or a busy server but I doubt it. I can reproduce the error on other servers which don't have internet access, it's limited to Microsoft packages, and we see no other disk problems or CPU spikes at any point in the build cycle.
I tried running the nuget steps with verbose output on (-vvv) but I get no additional information. It just hangs for the 3 minutes shown above and then completes.
Any insight or ideas are appreciated. We have builds that take 2 minutes one day and 20+ the next!
> maybe a certificate check or revocation
This is correct. nuget.org adds a repository signature to all packages uploaded to it, and all packages, coming from nuget.org or not, may also have author signatures. NuGet does signed package verification on all signed packages, including cert revocation checks.
You can set the NUGET_CERT_REVOCATION_MODE environment variable to offline to disable the revocation checks and take the (small) increased risk of a compromised certificate having signed a package you're using.
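To see which packages in an offline feed are signed, and so go through the verification the answer describes, the following added example (not part of the original answer) checks each .nupkg for the `.signature.p7s` entry that NuGet stores at the root of a signed package. The function names and the two sample packages are constructed for illustration; `restore_env` builds the environment with the variable the answer names, to be passed to whatever process runs the restore.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# NuGet stores the package signature as this entry at the root of the .nupkg zip.
SIGNATURE_ENTRY = ".signature.p7s"


def is_signed(nupkg_path):
    """True if the package carries a signature, so restore will verify it."""
    with zipfile.ZipFile(nupkg_path) as pkg:
        return SIGNATURE_ENTRY in pkg.namelist()


def scan_feed(folder):
    """Map each .nupkg file name under folder to whether it is signed."""
    return {p.name: is_signed(p) for p in sorted(Path(folder).rglob("*.nupkg"))}


def restore_env(base_env=None):
    """Copy of the environment with the revocation mode from the answer set."""
    env = dict(os.environ if base_env is None else base_env)
    env["NUGET_CERT_REVOCATION_MODE"] = "offline"
    return env


def make_sample_feed(folder):
    """Constructed sample: one signed and one unsigned package (dummy contents)."""
    samples = {"Signed.Sample.1.0.0.nupkg": True, "XYZ.1.0.0.nupkg": False}
    for name, signed in samples.items():
        with zipfile.ZipFile(Path(folder) / name, "w") as pkg:
            pkg.writestr(name.split(".")[0] + ".nuspec", "<package/>")
            if signed:
                # Placeholder bytes, not a real PKCS#7 signature.
                pkg.writestr(SIGNATURE_ENTRY, b"constructed placeholder")
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as feed:
        for name, signed in scan_feed(make_sample_feed(feed)).items():
            state = "signed, revocation check applies" if signed else "unsigned"
            print(f"{name}: {state}")
    print("NUGET_CERT_REVOCATION_MODE =", restore_env({})["NUGET_CERT_REVOCATION_MODE"])
```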