NuGet 4.6.0+ and Visual Studio 2017 version 15.6 and later
NuGet packages can include a digital signature that provides protection against tampered content. This signature is produced from an X.509 certificate that also adds authenticity proofs to the actual origin of the package.
Signed packages provide the strongest end-to-end validation. There are two different types of NuGet signatures:
- Author signature. An author signature guarantees that the package has not been modified since the author signed the package, no matter from which repository or what transport method the package is delivered. Additionally, author-signed packages provide an extra authentication mechanism to the nuget.org publishing pipeline because the signing certificate must be registered ahead of time. For more information, see Register certificates.
- Repository signature. Repository signatures provide an integrity guarantee for all packages in a repository whether they are author signed or not, even if those packages are obtained from a different location than the original repository where they were signed.
Author signing packages is only supported by nuget.exe on Windows at this time. However, all packages uploaded to nuget.org are automatically repository signed.
Package signing requires a code signing certificate, which is a special type of certificate that is valid for the
id-kp-codeSigning purpose [RFC 5280 section 220.127.116.11]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
Signed packages should include an RFC 3161 timestamp to ensure signature validity beyond the package signing certificate's validity period. The certificate used to sign the timestamp must be valid for the
id-kp-timeStamping purpose [RFC 5280 section 18.104.22.168]. Additionally, the certificate must have an RSA public key length of 2048 bits or higher.
Additional technical details can be found in the package signature technical specs (GitHub).
Signature requirements on NuGet.org
nuget.org has additional requirements for accepting a signed package:
- The primary signature must be an author signature.
- The primary signature must have a single valid timestamp.
- The X.509 certificates for both the author signature and its timestamp signature:
- Must have an RSA public key 2048 bits or greater.
- Must be within its validity period per current UTC time at time of package validation on nuget.org.
- Must chain to a trusted root authority that is trusted by default on Windows. Packages signed with self-issued certificates are rejected.
- Must be valid for its purpose:
- The author signing certificate must be valid for code signing.
- The timestamp certificate must be valid for timestamping.
- Must not be revoked at signing time. (This may not be knowable at submission time, so nuget.org periodically rechecks revocation status).