{"id":1888,"date":"2021-02-25T11:13:55","date_gmt":"2021-02-25T19:13:55","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=1888"},"modified":"2021-02-25T11:13:55","modified_gmt":"2021-02-25T19:13:55","slug":"the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-march-15th-2021","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-march-15th-2021\/","title":{"rendered":"The NuGet.org repository signing certificate will be updated as soon as March 15th, 2021"},"content":{"rendered":"

Action required:<\/strong> If you validate that packages are repository signed by NuGet.org using a NuGet client policy<\/a>, NuGet.exe verify<\/code><\/a> command, or the dotnet nuget verify<\/code><\/a> command, please follow these steps<\/a> by March 15th, 2021 to avoid potential disruptions when installing new NuGet.org packages. If you are unsure, we have outlined steps to check if you will be impacted<\/a>.<\/p>\n

Since 2018, NuGet.org has used an X.509 certificate to repository sign its NuGet packages. That certificate will be expiring on April 14th, 2021. As early as March 15th, a new certificate will replace it as the new NuGet.org repository signing certificate for NuGet packages.<\/strong> Existing packages already signed with the older certificate will retain their existing signature, but the older certificate will soon no longer be used to sign packages.<\/p>\n

You may recall a similar blog post a few months ago from when we updated the Microsoft author signing certificate<\/a>. The action required to accept the new NuGet.org repository signing certificate is very similar, but does have key differences outlined in the the instructions below.<\/p>\n

Note:<\/strong> If you were previously affected by NuGet restore issues due to distrust of Symantec CA’s on the Debian family of Linux distributions, please see our guidance on that matter<\/a> for mitigations that may be necessary in addition to the actions outlined in this blogpost. If you were unaffected by the issue due to use of a non-Debian OS or have already applied one of the mitigations, the steps in this blogpost should be sufficient.<\/p>\n

Current certificate SHA-256 fingerprint:<\/strong> 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D<\/code><\/p>\n

New certificate SHA-256 fingerprint:<\/strong> 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4<\/code><\/p>\n

Who will be impacted?<\/h2>\n

1. Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes NuGet.org.<\/strong><\/p>\n

To tell if you have a NuGet client policy<\/a> configured, check for the following elements in your nuget.config<\/a>. Keep in mind that you can have nuget.config files in multiple locations<\/a> with different scopes.<\/p>\n

<config>\n  <add key=\"signatureValidationMode\" value=\"require\" \/>\n<\/config>\n\n\n<trustedSigners>  \n  <repository name=\"nuget.org\" serviceIndex=\"https:\/\/api.nuget.org\/v3\/index.json\">\n    <certificate fingerprint=\"0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D\" \n    hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/>\n  <\/repository>\n<\/trustedSigners>\n<\/code><\/pre>\n
2. Customers who use NuGet.exe verify<\/code> (Windows only) to verify that signed packages are repository signed by NuGet.org.<\/strong><\/p>\n
This will look like the following in your code:<\/p>\n
NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D\n<\/code><\/pre>\n
3. Customers who use dotnet nuget verify<\/code> to verify that signed packages are repository signed by NuGet.org.<\/strong><\/p>\n
This will look like the following in your code:<\/p>\n
dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D\n<\/code><\/pre>\n
If none of the above scenarios apply to you, then you should be unaffected by the certificate update!<\/strong> NuGet.org packages signed with the new certificate should install in the same way as packages signed with the old certificate.<\/p>\n
Allow the new NuGet.org certificate<\/h2>\n
Client policy<\/h3>\n
If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new NuGet.org certificate to your allow list to avoid disruptions when installing NuGet.org packages signed with the new certificate. You should keep the older NuGet.org certificate as well to continue installing NuGet.org packages signed with the older certificate. If you try to install one of these newer NuGet.org packages without updating your trusted signers, you’ll get an NU3034 error<\/a> and the package will fail to install.<\/p>\n
You can explicitly trust the new NuGet.org repository signing certificate by adding to your nuget.config file the new certificate alongside any older certificates you may already have:<\/p>\n
<trustedSigners>\n  <repository name=\"nuget.org\" serviceIndex=\"https:\/\/api.nuget.org\/v3\/index.json\">\n    <certificate fingerprint=\"0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/>\n    <certificate fingerprint=\"5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/>\n  <\/repository>\n<\/trustedSigners>\n<\/code><\/pre>\n
NuGet.exe verify<\/h3>\n
If you use NuGet.exe verify<\/code> to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:<\/p>\n
NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint \"0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D;5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4\"\n<\/code><\/pre>\n
dotnet nuget verify<\/h3>\n
Similarly, if you use dotnet nuget verify<\/code> to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:<\/p>\n
dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D --certificate-fingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4\n<\/code><\/pre>\n
Feedback<\/h2>\n
If you have any questions about how you may be impacted or run into issues while following the steps above, please don’t hesitate to contact us<\/a>.<\/p>\n
For more general NuGet feedback and suggestions:<\/p>\n