{"id":56235,"date":"2023-08-03T11:38:24","date_gmt":"2023-08-03T18:38:24","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=2833"},"modified":"2023-08-03T11:38:24","modified_gmt":"2023-08-03T18:38:24","slug":"microsoft-author-signing-certificate-update-2023","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/microsoft-author-signing-certificate-update-2023\/","title":{"rendered":"The Microsoft author-signing certificate will be updated as soon as August 14th, 2023"},"content":{"rendered":"<p><strong>Action required:<\/strong> If you validate that packages are author-signed by Microsoft using a NuGet client policy or the <code>NuGet.exe verify<\/code> command, please follow these steps by August 14th, 2023 to avoid potential disruptions when installing new Microsoft packages. If you are unsure, we have outlined steps to check if you will be impacted.<\/p>\n<p>Microsoft uses an X.509 certificate to author-sign its NuGet packages. The current certificate will expire on October 5th, 2023. In late August 2023, a new certificate will replace it as the new Microsoft author-signing certificate for NuGet packages. 
Existing packages already signed with the older certificate will retain their existing signature, but the older certificate will soon no longer be used to sign packages.<\/p>\n<p>Current certificate SHA-256 fingerprint: <code>AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27<\/code><\/p>\n<p>New certificate SHA-256 fingerprint: <code>566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353<\/code><\/p>\n<h2>Who will be impacted?<\/h2>\n<ul>\n<li>Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes Microsoft.<\/li>\n<\/ul>\n<p>To tell if you have a <a href=\"https:\/\/docs.microsoft.com\/nuget\/consume-packages\/installing-signed-packages\">NuGet client policy<\/a> configured, check for the following elements in your <a href=\"https:\/\/docs.microsoft.com\/nuget\/reference\/nuget-config-file\">nuget.config<\/a>. Keep in mind that you can have nuget.config files in <a href=\"https:\/\/learn.microsoft.com\/en-us\/nuget\/consume-packages\/configuring-nuget-behavior#config-file-locations-and-uses\">multiple locations with different scopes<\/a>.<\/p>\n<pre><code class=\"XML\">&lt;config&gt;\n  &lt;add key=\"signatureValidationMode\" value=\"require\" \/&gt;\n&lt;\/config&gt;\n\n&lt;trustedSigners&gt;\n  &lt;author name=\"Microsoft\"&gt;\n    &lt;certificate fingerprint=\"3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/&gt;\n    &lt;certificate fingerprint=\"AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/&gt;\n  &lt;\/author&gt;\n&lt;\/trustedSigners&gt;\n<\/code><\/pre>\n<ul>\n<li>Customers who use <code>NuGet.exe verify<\/code> to verify that signed packages are author-signed by Microsoft.<\/li>\n<\/ul>\n<p>This will look like the following:<\/p>\n<pre><code>NuGet.exe verify -Signatures &lt;PackagePath&gt; -CertificateFingerprint 
\"3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27\"\n<\/code><\/pre>\n<p><strong>If neither of the above scenarios applies to you, then you should be unaffected by the certificate update!<\/strong> Microsoft NuGet packages signed with the new certificate should install in the same way as packages signed with older certificates do.<\/p>\n<h2>Allow the new Microsoft certificate<\/h2>\n<h3>Client policy<\/h3>\n<p>If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new Microsoft certificate to your allow list to avoid disruptions when installing Microsoft packages signed with the new certificate. You should keep the older Microsoft certificates as well to continue installing Microsoft packages signed with older certificates. If you try to install one of these newer Microsoft packages without updating your trusted signers, you\u2019ll get an <a href=\"https:\/\/learn.microsoft.com\/en-us\/nuget\/reference\/errors-and-warnings\/nu3034\">NU3034<\/a> error and the package will fail to install.<\/p>\n<p>You can add the new Microsoft author-signing certificate by running the following command:<\/p>\n<pre><code>NuGet.exe trusted-signers Add -Name Microsoft2023 -CertificateFingerprint 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353 -FingerprintAlgorithm SHA256\n<\/code><\/pre>\n<p>Or by adding the following elements that include the old and new certificates to your nuget.config:<\/p>\n<pre><code class=\"XML\">&lt;trustedSigners&gt;\n  &lt;author name=\"Microsoft\"&gt;\n    &lt;certificate fingerprint=\"3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/&gt;\n    &lt;certificate fingerprint=\"AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/&gt;\n    &lt;certificate 
fingerprint=\"566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353\" hashAlgorithm=\"SHA256\" allowUntrustedRoot=\"false\" \/&gt;\n  &lt;\/author&gt;\n&lt;\/trustedSigners&gt;\n<\/code><\/pre>\n<h3><code>NuGet.exe verify<\/code><\/h3>\n<p>Similarly, if you use NuGet.exe verify to verify that a signed package is author-signed by Microsoft, you\u2019ll need to update the command to handle all certificates like so:<\/p>\n<pre><code>NuGet.exe verify -Signatures &lt;PackagePath&gt; -CertificateFingerprint \"3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27;566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353\"\n<\/code><\/pre>\n<h2>NuGet.org certificate update coming soon<\/h2>\n<p>As a side note, the NuGet.org repository-signing certificate will be expiring not too long after the Microsoft author-signing certificate expires. You can expect a similar certificate update and instructional post for NuGet.org soon.<\/p>\n<h2>Feedback<\/h2>\n<p>If you have any questions about how you may be impacted or run into issues while following the steps above, please don\u2019t hesitate to <a href=\"https:\/\/www.nuget.org\/policies\/Contact\">contact us<\/a>.<\/p>\n<p>For more general NuGet feedback and suggestions:<\/p>\n<ul>\n<li>Check out our <a href=\"https:\/\/github.com\/NuGet\/Home\/wiki\/Submitting-Bugs-and-Suggestions\">documentation on submitting bugs and suggestions<\/a>.<\/li>\n<li>Schedule a time to <a href=\"https:\/\/aka.ms\/talktonuget\">talk to NuGet<\/a>.<\/li>\n<li>Reach out to us on Twitter \u2013 mention <a href=\"https:\/\/twitter.com\/nuget\">@nuget<\/a> in your tweets.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Action required: If you validate that packages are author-signed by Microsoft using a NuGet client policy or the NuGet.exe verify command, please follow these steps by August 14th, 2023 to avoid potential disruptions when installing 
new Microsoft packages. If you are unsure, we have outlined steps to check if you will be impacted. Microsoft uses [&hellip;]<\/p>\n","protected":false},"author":4321,"featured_media":752,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7874,7931,7928],"tags":[],"class_list":["post-56235","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nuget","category-nuget-org","category-other-announcements"],"acf":[],"blog_post_summary":"<p>Action required: If you validate that packages are author-signed by Microsoft using a NuGet client policy or the NuGet.exe verify command, please follow these steps by August 14th, 2023 to avoid potential disruptions when installing new Microsoft packages. If you are unsure, we have outlined steps to check if you will be impacted. Microsoft uses [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/56235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/4321"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=56235"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/56235\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/752"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=56235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=56235"},{"taxono
my":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=56235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}