Signing NuGet Packages
Signing a package is a process that makes sure the package has not been modified since its creation.
Prerequisites
- The package (a .nupkg file) to sign. See Creating a package.
- nuget.exe 4.6.0 or later. See how to Install NuGet CLI.
Sign a package
To sign a package, use nuget sign:
nuget sign MyPackage.nupkg -CertificateSubjectName <MyCertSubjectName> -Timestamper <TimestampServiceURL>
As described in the command reference, you can use a certificate available in the certificate store or use a certificate from a file.
Common problems when signing a package
- The certificate is not valid for code signing. You must ensure the certificate specified has the appropriate extended key usage (EKU 1.3.6.1.5.5.7.3.3).
- The certificate does not satisfy the basic requirements such as the RSA SHA-256 signature algorithm or a public key 2048 bits or greater.
- The certificate has expired or has been revoked.
- The timestamp server does not satisfy the certificate requirements.
Signed packages should include a timestamp to make sure the signature remains valid after the signing certificate has expired. The sign operation produces a warning NU3002 when signing without a timestamp.
Verify a signed package
Use nuget verify to see the signature details of a given package:
nuget verify -Signatures MyPackage.nupkg
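A pre-flight check covering the common problems listed above, followed by the sign and verify steps, as an added example that is not part of this page or of the NuGet project: a PowerShell script that picks a code-signing certificate from the user's store, checks EKU, key size, signature algorithm, validity and chain trust, then signs with a timestamp and verifies the result. The package path, subject name and timestamp URL are placeholders, and nuget.exe is assumed to be on PATH.

```powershell
# Added example (not NuGet's own code). Placeholders below must be replaced.
param(
    [string]$PackagePath = '.\MyPackage.nupkg',          # placeholder
    [string]$Timestamper = 'http://timestamp.example/',  # placeholder, your RFC 3161 TSA
    [string]$SubjectName = 'MyCertSubjectName'           # placeholder
)

# -CodeSigningCert keeps only certificates carrying the code-signing EKU (1.3.6.1.5.5.7.3.3).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No code-signing certificate for '$SubjectName' in Cert:\CurrentUser\My." }

$problems = @()

# RSA key of at least 2048 bits.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa)                 { $problems += 'public key is not RSA' }
elseif ($rsa.KeySize -lt 2048) { $problems += "RSA key is $($rsa.KeySize) bits; 2048 or more required" }

# Certificate signed with SHA-256.
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    $problems += "signature algorithm is $($cert.SignatureAlgorithm.FriendlyName); sha256RSA required"
}

# Validity period.
$now = Get-Date
if ($cert.NotAfter  -lt $now) { $problems += "certificate expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt $now) { $problems += "certificate not valid before $($cert.NotBefore)" }

# Chain build with the store's revocation settings catches untrusted or revoked certificates.
if (-not $cert.Verify()) { $problems += 'certificate chain does not validate (untrusted, expired or revoked)' }

if ($problems) { throw "Certificate $($cert.Thumbprint) cannot be used: $($problems -join '; ')" }

# Select the exact certificate by fingerprint; the timestamp avoids warning NU3002.
& nuget sign $PackagePath -CertificateFingerprint $cert.Thumbprint -Timestamper $Timestamper
if ($LASTEXITCODE -ne 0) { throw "nuget sign failed with exit code $LASTEXITCODE" }

# Confirm the signature; content modified after signing is reported as NU3008.
& nuget verify -Signatures $PackagePath
if ($LASTEXITCODE -ne 0) { throw "nuget verify failed with exit code $LASTEXITCODE" }
```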
Install a signed package
Signed packages don't require any specific action to be installed; however, if the content has been modified since it was signed, the installation is blocked and produces an error NU3008.
Packages signed with untrusted certificates are treated as unsigned and are installed without any warnings or errors, like any other unsigned package.