The Microsoft author-signing certificate will be updated as soon as August 14th, 2023

The NuGet Team

Action required: If you validate that packages are author-signed by Microsoft using a NuGet client policy or the NuGet.exe verify command, please follow these steps by August 14th, 2023 to avoid potential disruptions when installing new Microsoft packages. If you are unsure, we have outlined steps to check if you will be impacted.

Microsoft uses an X.509 certificate to author-sign its NuGet packages. The current certificate will expire on October 5th, 2023. In late August 2023, a new certificate will replace it as the new Microsoft author-signing certificate for NuGet packages. Existing packages already signed with the older certificate will retain their existing signature, but the older certificate will soon no longer be used to sign packages.

Current certificate SHA-256 fingerprint: AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27

New certificate SHA-256 fingerprint: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353

Who will be impacted?

  • Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes Microsoft.

To tell if you have a NuGet client policy configured, check for the following elements in your nuget.config. Keep in mind that you can have nuget.config files in multiple locations with different scopes.

<config>
  <add key="signatureValidationMode" value="require" />
</config>

<trustedSigners>
  <author name="Microsoft">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
</trustedSigners>
  • Customers who use NuGet.exe verify to verify that signed packages are author-signed by Microsoft.

This will look like the following:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint "3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27"

If neither of the above scenarios apply to you, then you should be unaffected by the certificate update! Microsoft NuGet packages signed with the new certificate should install in the same way as packages signed with older certificates do.

Allow the new Microsoft certificate

Client policy

If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new Microsoft certificate to your allow list to avoid disruptions when installing Microsoft packages signed with the new certificate. You should keep the older Microsoft certificates as well to continue installing Microsoft packages signed with older certificates. If you try to install one of these newer Microsoft packages without updating your trusted signers, you’ll get an NU3034 error and the package will fail to install.

You can add the new Microsoft author-signing certificate by running the following command:

NuGet.exe trusted-signers Add -Name Microsoft2023 -CertificateFingerprint 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353 -FingerprintAlgorithm SHA256

Or by adding the following elements that includes the old and new certificates to your nuget.config:

<trustedSigners>
  <author name="Microsoft">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
</trustedSigners>

NuGet.exe verify

Similarly, if you use NuGet.exe verify to verify that a signed package is author-signed by Microsoft, you’ll need to update the command to handle all certificates like so:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint "3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27;566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353"

NuGet.org certificate update coming soon

As a side note, the NuGet.org repository-signing certificate will be expiring not too long after the Microsoft author-signing certificate expires. You can expect a similar certificate update and instructional post for NuGet.org soon.

Feedback

If you have any questions about how you may be impacted or run into issues while following the steps above, please don’t hesitate to contact us.

For more general NuGet feedback and suggestions:

0 comments

Comments are closed. Login to edit/delete your existing comments

Feedback usabilla icon