NuGet 4.6.0+ and Visual Studio 2017 version 15.6 and later
NuGet packages can include a digital signature that provides protection against tampered content. The signature is produced with an X.509 certificate, which also provides proof of the package's actual origin.
Signed packages provide the strongest end-to-end validation. An author signature guarantees that the package has not been modified since the author signed the package, no matter from which repository or what transport method the package is delivered.
Consumers who demand a locked-down environment can require packages signed with a specific author certificate.
Additionally, author-signed packages provide an extra authentication mechanism to the nuget.org publishing pipeline because the signing certificate must be registered ahead of time.
nuget.org does not presently accept signed packages. You can sign packages for publishing to custom feeds.
Package signing requires a code signing certificate, which is a special type of certificate that is valid for the id-kp-codeSigning purpose [RFC 5280 section 4.2.1.12]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
Get a code signing certificate
Valid certificates may be obtained from public certificate authorities like:
The complete list of certification authorities trusted by Windows can be obtained from http://aka.ms/trustcertpartners.
Create a test certificate
You can use self-issued certificates for testing purposes. To create a self-issued certificate, use the New-SelfSignedCertificate PowerShell command.
New-SelfSignedCertificate -Subject "CN=NuGet Test Developer, OU=Use for testing purposes ONLY" `
    -FriendlyName "NuGetTestDeveloper" `
    -Type CodeSigning `
    -KeyUsage DigitalSignature `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -CertStoreLocation "Cert:\CurrentUser\My"
This command creates a testing certificate in the current user's personal certificate store. You can open the certificate store by running certmgr.msc to see the newly created certificate.
Signed packages should include an RFC 3161 timestamp to ensure signature validity beyond the package signing certificate's validity period. The certificate used to sign the timestamp must be valid for the id-kp-timeStamping purpose [RFC 5280 section 4.2.1.12]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
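The following PowerShell function is an added example, not part of the NuGet documentation or the NuGet tooling: it checks a certificate from the local store against the requirements stated above for signing certificates (RSA key of at least 2048 bits, id-kp-codeSigning EKU) and, with -Purpose TimeStamping, for timestamping certificates (id-kp-timeStamping EKU). The function name, the parameter names and the friendly-name lookup at the end are this example's own choices.

```powershell
# Added example: verify that a certificate satisfies the NuGet signing-certificate
# requirements described above. EKU OIDs: id-kp-codeSigning = 1.3.6.1.5.5.7.3.3,
# id-kp-timeStamping = 1.3.6.1.5.5.7.3.8 (both defined in RFC 5280 section 4.2.1.12).
function Test-NuGetSigningCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [ValidateSet('CodeSigning', 'TimeStamping')]
        [string] $Purpose = 'CodeSigning'
    )

    $requiredEku = @{ CodeSigning = '1.3.6.1.5.5.7.3.3'; TimeStamping = '1.3.6.1.5.5.7.3.8' }[$Purpose]
    $problems = New-Object System.Collections.Generic.List[string]

    # Requirement 1: an RSA public key of 2048 bits or more (non-RSA keys fail this check).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) {
        $problems.Add("public key is not RSA ($($Certificate.PublicKey.Oid.FriendlyName))")
    } elseif ($rsa.KeySize -lt 2048) {
        $problems.Add("RSA key length $($rsa.KeySize) is below 2048 bits")
    }

    # Requirement 2: the Extended Key Usage extension must list the required purpose.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $requiredEku) {
        $problems.Add("EKU does not include $Purpose ($requiredEku); found: $($ekuOids -join ', ')")
    }

    # A certificate outside its validity period cannot produce a valid new signature.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems.Add("certificate is outside its validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Purpose    = $Purpose
        IsSuitable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: evaluate the test certificate created above by its friendly name.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object FriendlyName -eq 'NuGetTestDeveloper' |
    ForEach-Object { Test-NuGetSigningCertificate -Certificate $_ }
```

A self-issued test certificate passes these checks but is still not trusted by consumers, since trust chaining to a trusted root is evaluated separately by the NuGet client.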
Additional technical details can be found in the package signature technical specs (GitHub).