October 22nd, 2020

The Microsoft author signing certificate will be updated as soon as November 1st, 2020

Christopher Gill
Program Manager

Action required: If you validate that packages are author signed by Microsoft using a NuGet client policy or the NuGet.exe verify command, please follow these steps by November 1st, 2020 to avoid potential disruptions when installing new Microsoft packages. If you are unsure, we have outlined steps to check if you will be impacted.

Since 2018, Microsoft has used an X.509 certificate to author sign its NuGet packages. That certificate expires at the end of January 2021. As early as November 1st, 2020, a new certificate will replace it as the Microsoft author signing certificate for NuGet packages. Packages already signed with the older certificate keep their existing signature and remain valid, because NuGet author signatures are timestamped at signing time; the older certificate will simply no longer be used to sign new packages.

Current certificate SHA-256 fingerprint: 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE

New certificate SHA-256 fingerprint: AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27

Who will be impacted?

1. Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes Microsoft.

To tell if you have a NuGet client policy configured, check for the following elements in your nuget.config. Keep in mind that you can have nuget.config files in multiple locations with different scopes.

<config>
  <add key="signatureValidationMode" value="require" />
</config>


<trustedSigners>
  <author name="Microsoft">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
</trustedSigners>

2. Customers who use NuGet.exe verify to verify that signed packages are author signed by Microsoft.

This will look like the following in your build or verification scripts:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE

If neither of the above scenarios apply to you, then you should be unaffected by the certificate update! Microsoft NuGet packages signed with the new certificate should install in the same way as packages signed with the old certificate do.

Allow the new Microsoft certificate

Client policy

If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new Microsoft certificate to your allow list to avoid disruptions when installing Microsoft packages signed with the new certificate. Keep the older Microsoft certificate in the list as well, so that packages signed with it before the switch continue to install. If you try to install a package signed with the new certificate without updating your trusted signers, you'll get an NU3034 error (the package is signed, but not by a trusted signer) and the package will fail to install.

You can add the new Microsoft author signing certificate by running the following command. Note that with -Name Microsoft2021 this creates a second trusted author entry next to the existing Microsoft entry; NuGet consults every entry in the allow list, so that layout works just as well as listing both certificates under one author:

nuget.exe trusted-signers Add -Name Microsoft2021 -CertificateFingerprint AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27 -FingerprintAlgorithm SHA256

Or by adding the following element, which lists both the old and the new certificate, to your nuget.config:

<trustedSigners>
  <author name="Microsoft">
    <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
</trustedSigners>
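The checks in "Who will be impacted?" and the config update above can be scripted so that every nuget.config in scope (machine, user and solution level) is handled the same way. The following is an added example written for this post; it is not part of the NuGet client. It parses a nuget.config, reports the signatureValidationMode and whether any author entry trusts the old and new fingerprints from this post, and adds the new certificate to any author entry that has the old one but not the new one, copying that entry's allowUntrustedRoot setting. The sample config is constructed for the example, and only author signers are inspected; repository signers are a separate concern.

```python
"""Audit a nuget.config for the Microsoft author-signing certificate rotation
and, where needed, add the new certificate to the existing allow-list entry.

Added example for this post; it is not part of the NuGet client and only
touches the <trustedSigners> section described above. The two fingerprints
are the ones published in the post."""
import xml.etree.ElementTree as ET

OLD_FP = "3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE"
NEW_FP = "AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27"

# Constructed sample config (not a real file): require-mode allow list that
# still trusts only the expiring certificate, i.e. the impacted case.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <author name="Microsoft">
      <certificate fingerprint="3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
"""


def _author_fingerprints(root):
    """Map each <author> name to the set of SHA256 fingerprints it trusts.
    <repository> signers are ignored: they cover repository signatures,
    which this rotation does not touch."""
    result = {}
    for author in root.iter("author"):
        fps = {
            (cert.get("fingerprint") or "").upper()
            for cert in author.findall("certificate")
            if (cert.get("hashAlgorithm") or "").upper() == "SHA256"
        }
        result[author.get("name", "")] = fps
    return result


def audit(xml_text):
    """Return what matters for the rotation: the validation mode, whether any
    author entry trusts the old and the new fingerprint, and whether the
    config needs updating (trusts the old one but not the new one)."""
    root = ET.fromstring(xml_text)
    mode = "accept"  # NuGet's default when the key is absent
    for add in root.iter("add"):
        if add.get("key") == "signatureValidationMode":
            mode = (add.get("value") or "").lower()
    by_author = _author_fingerprints(root)
    trusts_old = any(OLD_FP in fps for fps in by_author.values())
    trusts_new = any(NEW_FP in fps for fps in by_author.values())
    return {
        "mode": mode,
        "trusts_old": trusts_old,
        "trusts_new": trusts_new,
        "needs_update": trusts_old and not trusts_new,
    }


def add_new_certificate(xml_text):
    """Return the config with the new fingerprint added to every <author>
    entry that trusts the old one and lacks the new one. The new element
    copies allowUntrustedRoot from the existing certificate so the entry's
    trust settings do not change silently. Calling this twice is harmless."""
    root = ET.fromstring(xml_text)
    for author in root.iter("author"):
        certs = author.findall("certificate")
        old = [c for c in certs if (c.get("fingerprint") or "").upper() == OLD_FP]
        has_new = any((c.get("fingerprint") or "").upper() == NEW_FP for c in certs)
        if old and not has_new:
            ET.SubElement(author, "certificate", {
                "fingerprint": NEW_FP,
                "hashAlgorithm": "SHA256",
                "allowUntrustedRoot": old[0].get("allowUntrustedRoot", "false"),
            })
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG))
    updated = add_new_certificate(SAMPLE_CONFIG)
    print("after: ", audit(updated))
    print(updated)
```

Run it against each nuget.config you find; a result with needs_update set to True in a config whose mode is "require" is exactly the first impacted scenario above. Keep the old fingerprint in place rather than swapping it out, for the same reason the post gives: packages signed before the switch still need it.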

NuGet.exe verify

Similarly, if you use NuGet.exe verify to verify that a signed package is author signed by Microsoft, you’ll need to update the command to handle either certificate like so:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint "3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27"

NuGet.org certificate update coming soon

As a side note, the NuGet.org repository signing certificate will be expiring not too long after the Microsoft author signing certificate expires. You can expect a similar certificate update and instructional post for NuGet.org soon.

Feedback

If you have any questions about how you may be impacted or run into issues while following the steps above, please don’t hesitate to contact us.


Author


Christopher Gill is a program manager on the Visual Studio and .NET team at Microsoft. He primarily works on delivering fantastic developer experiences with NuGet - the .NET package manager.
