Signing NuGet Packages

Signing a package is a process that makes sure the package has not been modified since its creation.
Prerequisites

  1. The package (a .nupkg file) to sign. See Creating a package.

  2. nuget.exe 4.6.0 or later. See how to Install NuGet CLI.

  3. A code signing certificate.

Sign a package

To sign a package, use nuget sign:

nuget sign MyPackage.nupkg -CertificateSubjectName <MyCertSubjectName> -Timestamper <TimestampServiceURL>

As described in the command reference, you can use a certificate available in the certificate store or use a certificate from a file.

Common problems when signing a package

  • The certificate is not valid for code signing. You must ensure the certificate specified has the appropriate extended key usage (EKU).
  • The certificate does not satisfy the basic requirements such as the RSA SHA-256 signature algorithm or a public key 2048 bits or greater.
  • The certificate has expired or has been revoked.
  • The timestamp server does not satisfy the certificate requirements.

Signed packages should include a timestamp so that the signature remains valid even after the signing certificate has expired. The sign operation produces warning NU3002 when signing without a timestamp.

Verify a signed package

Use nuget verify to see the signature details of a given package:

nuget verify -signature MyPackage.nupkg
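The following PowerShell script is an added example (it is not part of the NuGet documentation or of nuget.exe). It pre-checks a certificate from the current user's store against the requirements listed under "Common problems" above, then runs the sign and verify commands shown on this page. The store path, the subject-name matching and the timestamp URL placeholder are assumptions for illustration.

```powershell
# Added example: pre-flight the signing certificate, then sign with a timestamp and verify.
param(
    [Parameter(Mandatory)] [string] $PackagePath,             # e.g. .\MyPackage.nupkg
    [Parameter(Mandatory)] [string] $CertificateSubjectName,  # substring of the cert CN
    [string] $Timestamper = 'http://timestamp.example.invalid' # placeholder: replace with your TSA URL
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'            # id-kp-codeSigning
$sha256WithRsa  = '1.2.840.113549.1.1.11'        # sha256WithRSAEncryption

# Assumption: the certificate lives in the current user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=*$CertificateSubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$CertificateSubjectName' with a private key in Cert:\CurrentUser\My" }

$problems = @()

# 1. Code signing EKU must be present (the "not valid for code signing" failure).
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($ekuExt.EnhancedKeyUsages.Value -contains $codeSigningEku)) { $problems += 'missing Code Signing EKU' }

# 2. Basic requirements: RSA key of at least 2048 bits, signed with SHA-256.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa)                { $problems += 'public key is not RSA' }
elseif ($rsa.KeySize -lt 2048) { $problems += "RSA key is $($rsa.KeySize) bits (< 2048)" }
if ($cert.SignatureAlgorithm.Value -ne $sha256WithRsa) { $problems += "signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), not sha256RSA" }

# 3. Expiry and revocation: Verify() builds the chain and checks revocation status online.
if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }
elseif (-not $cert.Verify())       { $problems += 'chain validation failed (untrusted, revoked, or revocation unavailable)' }

if ($problems) { throw "Certificate '$($cert.Subject)' is not usable for signing:`n - " + ($problems -join "`n - ") }

# Sign with a timestamp (avoids warning NU3002), then show the signature details.
& nuget sign $PackagePath -CertificateSubjectName $CertificateSubjectName -Timestamper $Timestamper
if ($LASTEXITCODE -ne 0) { throw "nuget sign failed with exit code $LASTEXITCODE" }
& nuget verify -signature $PackagePath
if ($LASTEXITCODE -ne 0) { throw "nuget verify failed with exit code $LASTEXITCODE" }
```

Run it from a shell where nuget.exe is on PATH; the pre-checks surface the listed certificate problems before nuget sign reports them.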

Install a signed package

Signed packages don't require any specific action to be installed; however, if the content has been modified since it was signed, the installation is blocked and produces error NU3008.

Packages signed with untrusted certificates are treated as unsigned and are installed without any warnings or errors, like any other unsigned package.

See also

Signed Packages Reference