Signing NuGet Packages
Signing a package is a process that makes sure the package has not been modified since its creation.
The package (a
.nupkgfile) to sign. See Creating a package.
nuget.exe 4.6.0 or later. See how to Install NuGet CLI.
nuget.org does not currently accept signed packages. You can sign packages for publishing to custom feeds.
Sign a package
To sign a package, use nuget sign:
nuget sign MyPackage.nupkg -CertificateSubjectName <MyCertSubjectName> -Timestamper <TimestampServiceURL>
As described in the command reference, you can use a certificate available in the certificate store or use a certificate from a file.
Common problems when signing a package
- The certificate is not valid for code signing. You must ensure the certificate specified has the appropriate extended key usage (EKU 220.127.116.11.18.104.22.168.3).
- The certificate does not satisfy the basic requirements such as the RSA SHA-256 signature algorithm or a public key 2048 bits or greater.
- The certificate has expired or has been revoked.
- The timestamp server does not satisfy the certificate requirements.
Signed packages should include a timestamp to make sure the signature remains valid when the signing certificate has expired. The sign operation produce a warning NU3002 when signing without a timestamp.
Verify a signed package
Use nuget verify to see the signature details of a given package:
nuget verify -signature MyPackage.nupkg
Install a signed package
Signed packages don't require any specific action to be installed; however, if the content has been modified since it was signed, the installation be blocked and produces a error NU3008.
Packages signed with untrusted certificates are considered as unsigned and are installed without any warnings or errors like any other unsigned package.