Signing NuGet Packages
Signed packages allow content integrity verification checks, which provide protection against content tampering. The package signature also serves as the single source of truth about the actual origin of the package and bolsters package authenticity for the consumer. This guide assumes you have already created a package.
Get a code signing certificate
Valid certificates may be obtained from a public certificate authority such as Symantec, DigiCert, Go Daddy, Global Sign, Comodo, Certum, etc. The complete list of certification authorities trusted by Windows can be obtained from http://aka.ms/trustcertpartners.
You can use self-issued certificates for testing purposes. However, packages signed using self-issued certificates are not accepted by NuGet.org. To create one, see Create a test certificate below.
Export the certificate file
You can export an existing certificate to a binary DER format by using the Certificate Export Wizard.
You can also export the certificate using the Export-Certificate PowerShell command.
Sign the package
Requires nuget.exe 4.6.0 or later
Sign the package using nuget sign:
nuget sign MyPackage.nupkg -CertificateFilePath <PathToTheCertificate> -Timestamper <TimestampServiceURL>
- You can use a certificate available in the certificate store or use a certificate from a file. See CLI reference for nuget sign.
- Signed packages should include a timestamp to make sure the signature remains valid after the signing certificate has expired. Otherwise, the sign operation will produce a warning.
- You can see the signature details of a given package using nuget verify.
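The signing and verification steps above as one script, added here as an example and not taken from the NuGet documentation. It selects the certificate from the current user's store by SHA-256 fingerprint, which assumes a nuget.exe recent enough to accept SHA-256 fingerprints (older versions expect the SHA-1 thumbprint); the package path, the fingerprint and the timestamp service URL are placeholders you must replace.

```powershell
# Added example: sign a package with a certificate from the current user's store,
# timestamp the signature, and verify the result. Placeholder values are assumptions.
$package     = '.\MyPackage.1.0.0.nupkg'            # assumption: package built earlier
$fingerprint = '<SHA-256 fingerprint of your cert>'  # assumption: placeholder (hex, no separators)
$timestamper = 'http://<timestamp-service-url>'      # assumption: placeholder RFC 3161 service

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Upper-case hex of SHA-256 over the DER certificate bytes, no separators
        ($sha256.ComputeHash($Cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $sha256.Dispose() }
}

# Fail early with a clear message if the store has no usable matching certificate.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-Sha256Fingerprint $_) -eq $fingerprint.ToUpperInvariant() }
if (-not $cert)                      { throw "No certificate with fingerprint $fingerprint in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey)        { throw 'Certificate has no private key; signing requires one' }
if ($cert.NotAfter -lt (Get-Date))   { throw "Certificate expired on $($cert.NotAfter); get a new one before signing" }

# Sign in place (-Overwrite replaces any existing signature). The timestamp is what keeps
# the signature valid after the certificate expires; omitting -Timestamper yields a warning.
& nuget sign $package `
    -CertificateFingerprint $fingerprint `
    -CertificateStoreLocation CurrentUser `
    -CertificateStoreName My `
    -Timestamper $timestamper `
    -HashAlgorithm SHA256 `
    -TimestampHashAlgorithm SHA256 `
    -Overwrite `
    -NonInteractive
if ($LASTEXITCODE -ne 0) { throw "nuget sign failed with exit code $LASTEXITCODE" }

# Verify the signature and require that it was made by the expected certificate.
# A non-zero exit code means the chain is untrusted or the content was altered.
& nuget verify -Signatures $package -CertificateFingerprint $fingerprint
if ($LASTEXITCODE -ne 0) { throw "nuget verify failed with exit code $LASTEXITCODE" }
```

Run this from a directory containing nuget.exe on the PATH. Note that nuget verify checks the certificate chain against the machine's trusted roots, so with a self-issued test certificate the verify step reports an untrusted chain; the step is only meaningful for a certificate that chains to a trusted certification authority.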
Register the certificate on NuGet.org
To publish a signed package, you must first register the certificate with NuGet.org. You need the certificate as a .cer file in a binary DER format.
- Sign in to NuGet.org.
- Go to your account settings (or Edit Organization if you would like to register the certificate with an Organization account).
- Expand the Certificates section and select the option to register a new certificate.
- Browse and select the certificate file that was exported earlier.
- One user can submit multiple certificates and the same certificate can be registered by multiple users.
- Once a user has a certificate registered, all future package submissions must be signed with one of the registered certificates. See Manage signing requirements for your package on NuGet.org below.
- Users can also remove a registered certificate from the account. Once a certificate is removed, new packages signed with that certificate will fail at submission. Existing packages aren't affected.
Publish the package
You are now ready to publish the package to NuGet.org. See Publishing packages.
Create a test certificate
You can use self-issued certificates for testing purposes. To create a self-issued certificate, use the New-SelfSignedCertificate PowerShell command.
New-SelfSignedCertificate -Subject "CN=NuGet Test Developer, OU=Use for testing purposes ONLY" `
    -FriendlyName "NuGetTestDeveloper" `
    -Type CodeSigning `
    -KeyUsage DigitalSignature `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -CertStoreLocation "Cert:\CurrentUser\My"
This command creates a testing certificate available in the current user's personal certificate store. You can open the certificate store by running certmgr.msc to see the newly created certificate.
NuGet.org does not accept packages signed with self-issued certificates.
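The test-certificate creation above combined with the export step from earlier, as an added example that is not part of the NuGet documentation: it creates the certificate, exports it as a DER-encoded .cer file (the form the registration page needs), and then checks the exported file for the properties that matter before it is registered or used with nuget sign. The output path is an assumption.

```powershell
# Added example: create a self-issued test certificate, export the public part as DER,
# and validate the exported file. Output location is an assumption.
$certPath = Join-Path $env:TEMP 'NuGetTestDeveloper.cer'   # assumption: output location

# Same parameters as the New-SelfSignedCertificate command in the guide, splatted.
$certParams = @{
    Subject           = 'CN=NuGet Test Developer, OU=Use for testing purposes ONLY'
    FriendlyName      = 'NuGetTestDeveloper'
    Type              = 'CodeSigning'
    KeyUsage          = 'DigitalSignature'
    KeyLength         = 2048
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    Provider          = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @certParams

# -Type CERT writes only the public certificate, binary DER encoded; the private key
# stays in the user's store and never reaches the file you upload.
Export-Certificate -Cert $cert -FilePath $certPath -Type CERT -Force | Out-Null

function Test-DerCodeSigningCert {
    param([string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # A DER certificate begins with the ASN.1 SEQUENCE tag 0x30; a Base64/PEM export begins with '-----'.
    if ($bytes[0] -ne 0x30) { throw ('{0} is not DER encoded (first byte 0x{1:X2})' -f $Path, $bytes[0]) }

    $loaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($loaded.HasPrivateKey) { throw 'Exported file must not carry the private key' }

    # Enhanced Key Usage (2.5.29.37) must contain Code Signing (1.3.6.1.5.5.7.3.3).
    $eku = $loaded.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    if (-not $hasCodeSigning) { throw 'Certificate lacks the Code Signing enhanced key usage' }

    # SHA-256 fingerprint in the form used to pick the certificate with nuget sign -CertificateFingerprint.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $fingerprint = ($sha256.ComputeHash($loaded.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $sha256.Dispose() }

    [pscustomobject]@{
        Subject           = $loaded.Subject
        NotAfter          = $loaded.NotAfter
        Sha256Fingerprint = $fingerprint
    }
}

Test-DerCodeSigningCert -Path $certPath
```

The check catches the two most common registration mistakes: exporting in Base64 instead of binary DER, and exporting a PFX that includes the private key. The returned fingerprint is the value to pass to nuget sign when selecting the certificate from the store.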
Manage signing requirements for your package on NuGet.org
Sign in to NuGet.org.
If you are the sole owner of a package, you are the required signer, i.e. you can use any of your registered certificates to sign and publish your packages to NuGet.org.
If a package has multiple owners, by default "Any" owner's certificates can be used to sign the package. As a co-owner of the package, you can override "Any" with yourself or any other co-owner as the required signer. If you make an owner who does not have any certificate registered the required signer, then unsigned packages will be allowed.
Similarly, if the default "Any" option is selected for a package where one owner has a certificate registered and another owner does not have any certificate registered, then NuGet.org accepts either a signed package with a signature registered by one of its owners or an unsigned package (because one of the owners does not have any certificate registered).