Sign Windows packages with NuGet using KSP library
NuGet is a package manager for .NET development that allows you to publish, share, and consume reusable code packages. NuGet is used to sign packages to provide an additional layer of trust and security when distributing software libraries and components. Most importantly, NuGet maintains a reference list of packages used in a project and the ability to restore and update those packages from that list.
Follow these instructions to sign directly with NuGet and securely reference your private key stored in Software Trust Manager. Alternatively, integrate NuGet with Signing Manager Controller (SMCTL) for simplified signing.
Prerequisites
Windows operating system
Download and install DigiCert® Software Trust Manager clients
CA chain (only required for private CAs)
Install sample NuGet package
This creates a directory with name HelloWorld.
By default, all packages installed from the NuGet package manager are signed by the repository. You can verify the package with:
nuget install HelloWorld
By default, all packages installed from the NuGet package manager are signed by the repository. You can verify the package with:
nuget verify -All HelloWorld.1.3.0.17\*
Trust CA chain
To sign with a certificate issued from a private CA, the CA chain must be trusted in Windows.
To download a CA certificate:
Sign in to DigiCert ONE®.
Navigate to CA Manager > Manage CAs > Intermediates.
Click on the More actions icon next to the ICA name.
Select Download certificate.
Sync certificates (Windows only)
Before attempting to sign with Signtool, Mage, and NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store.
To sync the default certificate associated with the specified keypair alias:
smctl windows certsync --keypair-alias=<keypair alias>
Anmerkung
For more information refer to the Windows command manual.
Sign
To sign using a certificate fingerprint:
nuget sign <package folder> -Timestamper http://timestamp.digicert.com -outputdirectory <output folder> -Certificate Fingerprint <SHA1 Thumbprint> -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
Command sample:
nuget sign HelloWorld.1.3.0.17\* -Timestamper http://timestamp.digicert.com -outputdirectory ..\am-HelloWorld.1.3.0.17 -CertificateFingerprint 3550ffca3cd652dde30675ce681ea1e01073e647 -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
Tipp
To locate the certificate thumbprint:
Open certificate manager (certmgr.msc).
Double-click on the certificate.
Select the Details tab.
For a list of accepted ways to provide a certificate, refer to NuGet CLI reference.