The NuGet Blog

The latest news, updates, and insights from the NuGet team

NuGet.org will continue to support TLS 1.0 and 1.1 until further notice

Last November, we shared our two-stage plan for deprecating TLS 1.0/1.1 on NuGet.org and actions you can take today to ensure your systems use TLS 1.2. In that post, we announced that NuGet.org would remove support for TLS 1.0/1.1 in April 2020. However, since then, our customers have faced a variety of challenges in the wake of the COVID-19 ...

Deprecating TLS 1.0 and 1.1 on NuGet.org – Stage 1

In this post, we go into more detail and give a specific timeline for Stage 1, i.e., temporarily removing support for TLS 1.0/1.1 on NuGet.org. The goal is to help you identify systems that may be affected and to give you an opportunity to take action before we permanently remove support for TLS 1.0/1.1 in April 2020.

Deprecating TLS 1.0 and 1.1 on NuGet.org

Co-authored by Scott Bommarito. At Microsoft, using the latest secure encryption techniques is very important to us to ensure the security and privacy of our customers. TLS 1.0 and TLS 1.1, released in 1999 and 2006 respectively, are known to be vulnerable to a number of attacks including POODLE and BEAST. In the past, we removed ...

Lock down your dependencies using configurable trust policies

For the past several months we have focused on various features to improve package security and trust. About a year ago, we announced our plans for various signing features, which we have been implementing at a steady pace. We enabled package author signing and NuGet.org repository signing earlier this year. Continuing on the signing...

NuGet.org starts repo-signing packages

In May, we implemented Stage 1 and enabled support for any NuGet.org user to submit signed packages to NuGet.org. Today, we are announcing Stage 2 of our NuGet package signing journey: tamper-proofing the entire package dependency graph. What is a Repository Signature? A repository signature is a code signing signature produced with an X....

Introducing signed package submissions to NuGet.org

In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org. A signed NuGet package is designed to be fully compatible with pre-existing NuGet servers ...

NuGet.org will only support MSA/AAD starting June 1st, 2018

We had previously announced the deprecation of NuGet.org's home-grown authentication in favor of Microsoft accounts (MSA) that will allow us to add support for additional security systems such as two-factor authentication (2FA). We will be disabling NuGet.org's home-grown authentication mechanism starting June 1st, 2018. This means that ...

NuGet Package Signing

In our NuGet Fall 2017 Roadmap, we highlighted security as the main area of investment over the next few months. This blog post describes a major part of that roadmap in greater detail – package signing. We started talking about supporting signed packages on NuGet.org a while ago. For example, in 2015 we published a post on Package Signing ...

NuGet Package Identity and Trust

Update on 10/16/2017: Package ID Prefix Reservation is now live. The documentation can be found here. We want to start this post with a huge thanks to you, the NuGet community. Over the last several months we have been talking to many of you to get feedback on NuGet package identity and trust. We’ve learned so much from you and we hope that...

NuGet – Ending Windows XP support

At NuGet, we are constantly improving our security. One of the steps we are taking is to move our HTTPS endpoints to meet industry standards for algorithms and protocols. This means that connecting to nuget.org services from machines that don’t support modern cipher algorithms will no longer be supported (such as TLS 1.0 support in Windows ...