March 13th, 2024

The NuGet.org repository signing certificate will be updated as soon as April 8th, 2024

Erick Yondon
Senior software engineer

Action required: If you validate that packages are repository signed by NuGet.org using a NuGet client policy, NuGet.exe verify command, or the dotnet nuget verify command, please follow these steps by April 8th, 2024 to avoid potential disruptions when installing new NuGet.org packages. If you are unsure, we have outlined steps to check if you will be impacted.

Since 2018, NuGet.org has used an X.509 certificate to sign its NuGet packages. The certificate was last renewed on March 15, 2021, and is set to expire on May 15, 2024. As early as April 8th, a new certificate will replace it as the new NuGet.org repository signing certificate for NuGet packages. Existing packages already signed with the older certificate will retain their existing signature, but the older certificate will soon no longer be used to sign packages.

You may recall a similar blog post a few months ago from when we updated the Microsoft author signing certificate. The action required to accept the new NuGet.org repository signing certificate is very similar, but does have key differences outlined in the instructions below.

Current certificate SHA-256 fingerprint: 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

New certificate SHA-256 fingerprint: 1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D

Who will be impacted?

1. Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes NuGet.org.

To tell if you have a NuGet client policy configured, check for the following elements in your nuget.config. Keep in mind that you can have nuget.config files in multiple locations with different scopes.

<config>
  <add key="signatureValidationMode" value="require" />
</config>

<trustedSigners>
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>

2. Customers who use NuGet.exe verify (Windows only) to verify that signed packages are repository signed by NuGet.org.

This will look like the following in your code:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

3. Customers who use dotnet nuget verify to verify that signed packages are repository signed by NuGet.org.

This will look like the following in your code:

dotnet nuget verify <PackagePath> --certificate-fingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

If none of the above scenarios apply to you, then you should be unaffected by the certificate update! NuGet.org packages signed with the new certificate should install in the same way as packages signed with the old certificate.

Allow the new NuGet.org certificate

Client policy

If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new NuGet.org certificate to your allow list to avoid disruptions when installing NuGet.org packages signed with the new certificate. You should keep the older NuGet.org certificate as well to continue installing NuGet.org packages signed with the older certificate. If you try to install one of these newer NuGet.org packages without updating your trusted signers, you’ll get an NU3034 error and the package will fail to install.

You can explicitly trust the new NuGet.org repository signing certificate by adding to your nuget.config file the new certificate alongside any older certificates you may already have:

<trustedSigners>
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>
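The following Python script is an added example, not NuGet's own tooling and not part of this post. It covers both the "Who will be impacted?" check for client policies and the client policy update above: it parses a nuget.config, reports whether the file names NuGet.org as a trusted repository signer without yet trusting the new certificate, and writes the new fingerprint into that repository entry while keeping the older certificates in place. The fingerprints are the ones listed in this post; the embedded sample nuget.config is constructed for the demonstration, and the function names are the author's own choices.

```python
"""Check a nuget.config for the NuGet.org trusted-signer entry and add the new
repository signing certificate fingerprint alongside the existing ones.

Added example, not NuGet's own tooling. Fingerprints are the ones from the
post; SAMPLE_CONFIG is a constructed nuget.config used for the demonstration."""
import sys
import xml.etree.ElementTree as ET

OLD_FINGERPRINT = "5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4"
NEW_FINGERPRINT = "1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D"
NUGET_ORG_INDEX = "https://api.nuget.org/v3/index.json"

# Constructed sample: a config that requires signature validation and trusts
# only the current (expiring) NuGet.org certificate, i.e. the impacted case.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>
"""


def nuget_org_repositories(root):
    """Yield the <repository> elements under <trustedSigners> that refer to NuGet.org."""
    for repo in root.iterfind("./trustedSigners/repository"):
        if (repo.get("serviceIndex") or "").lower() == NUGET_ORG_INDEX or \
                (repo.get("name") or "").lower() == "nuget.org":
            yield repo


def assess(config_xml):
    """Describe whether this nuget.config is affected by the certificate rotation."""
    root = ET.fromstring(config_xml)
    mode = None
    for add in root.iterfind("./config/add"):
        if add.get("key") == "signatureValidationMode":
            mode = (add.get("value") or "").lower()
    repos = list(nuget_org_repositories(root))
    # Only SHA256 fingerprints count; NuGet compares them case-insensitively.
    fingerprints = {
        (cert.get("fingerprint") or "").upper()
        for repo in repos
        for cert in repo.findall("certificate")
        if (cert.get("hashAlgorithm") or "").upper() == "SHA256"
    }
    return {
        "validation_mode": mode,
        "has_nuget_org_signer": bool(repos),
        "trusts_new_cert": NEW_FINGERPRINT in fingerprints,
        # Affected: the allow list names NuGet.org but not the new certificate yet.
        "affected": bool(repos) and NEW_FINGERPRINT not in fingerprints,
    }


def add_new_certificate(config_xml):
    """Return the config with the new fingerprint appended to every NuGet.org
    repository entry that lacks it. Older certificates are deliberately kept so
    packages signed with them keep installing."""
    root = ET.fromstring(config_xml)
    for repo in nuget_org_repositories(root):
        present = {(c.get("fingerprint") or "").upper() for c in repo.findall("certificate")}
        if NEW_FINGERPRINT not in present:
            cert = ET.SubElement(repo, "certificate")
            cert.set("fingerprint", NEW_FINGERPRINT)
            cert.set("hashAlgorithm", "SHA256")
            cert.set("allowUntrustedRoot", "false")
    ET.indent(root, space="  ")  # Python 3.9+; keeps the file readable after editing
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_nuget_config.py [path/to/nuget.config]
    # Without an argument the constructed sample is assessed and updated.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(assess(text))
    if assess(text)["affected"]:
        print(add_new_certificate(text))
```

Run it against each nuget.config on the machine (user, solution and machine-wide scopes all apply, as the post notes); a report with `affected: True` means the allow list will reject packages signed with the new certificate with NU3034 until the entry is added.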

NuGet.exe verify

If you use NuGet.exe verify to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint "0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D;5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4;1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D"

dotnet nuget verify

Similarly, if you use dotnet nuget verify to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:

dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D --certificate-fingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4 --certificate-fingerprint 1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D

Feedback

If you have any questions about how you may be impacted or run into issues while following the steps above, please don’t hesitate to contact us.

For more general NuGet feedback and suggestions:
