For the past several months we have focused on various features to improve package security and trust. About a year ago, we announced our plans for several signing features, which we have been implementing at a steady pace. We enabled package author signing and NuGet.org repository signing earlier this year.
In May, we implemented Stage 1 and enabled support for any NuGet.org user to submit signed packages to NuGet.org. Today, we are announcing Stage 2 of our NuGet package signing journey – tamper proofing the entire package dependency graph.
What is a Repository Signature?
In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org.
In our NuGet Fall 2017 Roadmap, we highlighted security as the main area of investment over the next few months. This blog post describes a major part of that roadmap in greater detail – package signing.
We started talking about supporting signed packages on NuGet.org a while ago.