Sign Windows packages with NuGet

NuGet is a package manager for .NET development that allows you to publish, share, and consume reusable code packages. NuGet is used to sign packages to provide an additional layer of trust and security when distributing software libraries and components. Most importantly, NuGet maintains a reference list of packages used in a project and the ability to restore and update those packages from that list.

Follow these instructions to sign directly with NuGet and securely reference your private key stored in Software Trust Manager. Alternatively, integrate NuGet with Signing Manager Controller (SMCTL) for simplified signing.

Prerequisites

Windows operating system
Download and install DigiCert® Software Trust Manager clients
Configure your credentials
Install NuGet
CA chain (only required for private CAs)

Install sample NuGet package

This create a directory with name HelloWorld.

By default, all packages installed from the NuGet package manager are signed by the repository. You can verify the package with:

nuget install HelloWorld

By default, all packages installed from the NuGet package manager are signed by the repository. You can verify the package with:

nuget verify -All HelloWorld.1.3.0.17\*

Trust CA chain

To sign with a certificate issued from a private CA, the CA chain must be trusted in Windows.

To download a CA certificate:

Sign in to DigiCert ONE®.
Navigate to CA Manager > Manage CAs > Intermediates.
Click on the More actions icon next to the ICA name.
Select Download certificate.

Sync certificates (Windows only)

Before attempting to sign with Signtool, Mage, and NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store.

To sync the default certificate associated with the specified keypair alias:

smctl windows certsync --keypair-alias=<keypair alias>

Nota

For more information refer to the Windows command manual.

Sign

To sign using a certificate fingerprint:

nuget sign <package folder> -Timestamper http://timestamp.digicert.com -outputdirectory <output folder> -Certificate Fingerprint <SHA1 Thumbprint> -HashAlgorithm SHA256 -Verbosity detailed -Overwrite

Command sample:

nuget sign HelloWorld.1.3.0.17\* -Timestamper http://timestamp.digicert.com -outputdirectory ..\am-HelloWorld.1.3.0.17 -CertificateFingerprint 3550ffca3cd652dde30675ce681ea1e01073e647 -HashAlgorithm SHA256 -Verbosity detailed -Overwrite

Sugerencia

To locate the certificate thumbprint:

Open certificate manager (certmgr.msc).
Double-click on the certificate.
Select the Details tab.

For a list of accepted ways to provide a certificate, refer to NuGet CLI reference.

En esta sección: