NuGet Warning NU3037

Issue

A NuGet package signature has expired. A package signature shares the same validity period as the certificate used to generate the signature. A package signature is invalid outside of that validity period. To ensure long-term validity, even beyond the signing certificate’s validity period, a package signature should be timestamped with a trusted timestamp. Trusted timestamps must be added while a package signature is still valid and not expired.

Solution

  • Re-sign the package with a non-expired certificate. Optionally, add a trusted timestamp at the time of signing to ensure long-term validity of the signature.
  • For accept mode only, ignore the warning.
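
The first option as a script, added here as an example and not taken from the NuGet documentation: it refuses to sign if the certificate is outside its validity period, re-signs with a trusted timestamp, then verifies the result. The package path, PFX path and timestamp server URL are placeholder assumptions; replace them with your own values.

```powershell
# Added example. All default values below are placeholders (assumptions), not values from this page.
param(
    [string]$Package     = '.\MyPackage.1.0.0.nupkg',
    [string]$PfxPath     = '.\signing-cert.pfx',
    # RFC 3161 timestamp server operated by your certificate authority (placeholder URL)
    [string]$Timestamper = 'http://timestamp.example.invalid'
)
$ErrorActionPreference = 'Stop'

# Load the signing certificate (prompts for the PFX password if the file is protected)
# and refuse to continue if today falls outside its validity period: a signature made
# with an expired certificate would raise NU3037 again.
$cert = Get-PfxCertificate -FilePath $PfxPath
$now  = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
Write-Host "Signing with '$($cert.Subject)', certificate expires $($cert.NotAfter)"

# -Overwrite replaces the existing (expired) signature.
# -Timestamper adds the trusted timestamp while the new signature is still valid.
# nuget prompts for the PFX password because -CertificatePassword is not passed.
& nuget sign $Package -CertificatePath $PfxPath -Timestamper $Timestamper -Overwrite
if ($LASTEXITCODE -ne 0) { throw "nuget sign failed with exit code $LASTEXITCODE" }

# Verification reports NU3037 as an error, so a non-zero exit code here
# means the package still carries an unusable signature.
& nuget verify -Signatures $Package
if ($LASTEXITCODE -ne 0) { throw "nuget verify failed with exit code $LASTEXITCODE" }
```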

Note

When NuGet’s signature validation mode is set to accept (default), a package with an expired package signature is treated as an unsigned package and installed anyway. NU3037 is raised as a warning. When NuGet’s signature validation mode is set to require, or when running the nuget verify -signatures command, NU3037 is elevated from a warning to an error.