The latest news, updates, and insights from the NuGet team
December 5, 2018Dec 5, 201812/5/18For the past several months we have focused on various features to improve package security and trust. Around a year back, we had announced our plans on various signing functionalities that we have been implementing at a steady pace. We enabled package author signing and NuGet.org repository signing earlier this year.
August 10, 2018Aug 10, 201808/10/18In May, we implemented Stage 1 and enabled support for any NuGet.org user to submit signed packages to NuGet.org. Today, we are announcing Stage 2 of our NuGet package signing journey – tamper proofing the entire package dependency graph.
What is a Repository Signature?
May 22, 2018May 22, 201805/22/18In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org.
May 15, 2018May 15, 201805/15/18We had previously announced the deprecation of NuGet.org’s home-grown authentication in favor of Microsoft accounts (MSA) that will allow us to add support for additional security systems such as two-factor authentication (2FA). We will be disabling the NuGet.org’s home-grown authentication mechanism starting June 1st,
September 14, 2017Sep 14, 201709/14/17In our NuGet Fall 2017 Roadmap, we highlighted security as the main area of investment over the next few months. This blog post describes a major part of that roadmap in greater detail – package signing.
We started talking about supporting signed packages on NuGet.org a while ago.
April 17, 2017Apr 17, 201704/17/17Update on 10/16/2017: Package ID Prefix Reservation is now live. The documentation can be found here.
We want to start this post with a huge thanks to you, the NuGet community. Over the last several months we have been talking to many of you to get feedback on NuGet package identity and trust.
January 19, 2017Jan 19, 201701/19/17At NuGet, we are constantly improving our security. One of the steps we are taking is to move our HTTPS end points to meet industry standards for algorithms and protocols. This means that connecting to nuget.org services from machines that don’t support modern cipher algorithms will no longer be supported (such as TLS 1.0 support in Windows XP).
August 25, 2016Aug 25, 201608/25/16In June, we published a blog post announcing Expiring API Keys. We received a lot of great feedback from the community about it. In retrospect, we did not do a great job explaining the motivation and reasoning for this security measure to the community.
June 22, 2016Jun 22, 201606/22/16Update 6/22 (2:15 P.M PST): We have a lot of feedback coming in from the community on this topic. This change will not have any impact for another 90 days at the minimum. We are reviewing your feedback and will discuss further how to achieve our goal of improved security of NuGet.org.
February 3, 2015Feb 3, 201502/3/15Package signing has been a major discussion point for a long time in the NuGet ecosystem. However, the NuGet Team didn’t want to rush into an implementation and end up creating something that restricted the ecosystem unnecessarily. Well, we now think we are ready to begin a process to introduce Package Signing,
