The NuGet.org repository signing certificate will be updated as soon as March 15th, 2021

Christopher Gill

Action required: If you validate that packages are repository signed by NuGet.org using a NuGet client policy, NuGet.exe verify command, or the dotnet nuget verify command, please follow these steps by March 15th, 2021 to avoid potential disruptions when installing new NuGet.org packages. If you are unsure, we have outlined steps to check if you will be impacted.

Since 2018, NuGet.org has used an X.509 certificate to repository sign its NuGet packages. That certificate will be expiring on April 14th, 2021. As early as March 15th, a new certificate will replace it as the new NuGet.org repository signing certificate for NuGet packages. Existing packages already signed with the older certificate will retain their existing signature, but the older certificate will soon no longer be used to sign packages.

You may recall a similar blog post a few months ago from when we updated the Microsoft author signing certificate. The action required to accept the new NuGet.org repository signing certificate is very similar, but it does have key differences outlined in the instructions below.

Note: If you were previously affected by NuGet restore issues due to distrust of Symantec CAs on the Debian family of Linux distributions, please see our guidance on that matter for mitigations that may be necessary in addition to the actions outlined in this blog post. If you were unaffected by the issue due to use of a non-Debian OS or have already applied one of the mitigations, the steps in this blog post should be sufficient.

Current certificate SHA-256 fingerprint: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D

New certificate SHA-256 fingerprint: 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

Who will be impacted?

1. Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes NuGet.org.

To tell if you have a NuGet client policy configured, check for the following elements in your nuget.config. Keep in mind that you can have nuget.config files in multiple locations with different scopes (solution, user profile, and machine-wide), and NuGet merges all of them, so check each file that applies to your build.

<config>
  <add key="signatureValidationMode" value="require" />
</config>


<trustedSigners>  
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" 
    hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>

2. Customers who use NuGet.exe verify (Windows only) to verify that signed packages are repository signed by NuGet.org.

This will look like the following in your build scripts:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D

3. Customers who use dotnet nuget verify to verify that signed packages are repository signed by NuGet.org.

This will look like the following in your build scripts:

dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D

If none of the above scenarios apply to you, then you should be unaffected by the certificate update! NuGet.org packages signed with the new certificate should install in the same way as packages signed with the old certificate.

Allow the new NuGet.org certificate

Client policy

If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new NuGet.org certificate to your allow list to avoid disruptions when installing NuGet.org packages signed with the new certificate. You should keep the older NuGet.org certificate as well to continue installing NuGet.org packages signed with the older certificate. If you try to install one of these newer NuGet.org packages without updating your trusted signers, you’ll get an NU3034 error and the package will fail to install.

You can explicitly trust the new NuGet.org repository signing certificate by adding to your nuget.config file the new certificate alongside any older certificates you may already have:

<trustedSigners>
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>
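To make the "Who will be impacted?" check and the client-policy update above repeatable across the several nuget.config files a build may load, here is an added example (not NuGet's own tooling, and not part of the original post) that parses one nuget.config, reports whether the signatureValidationMode/trustedSigners combination pins NuGet.org without the new certificate, and adds the new fingerprint next to the old one. The SAMPLE_CONFIG is a constructed file that mirrors the snippets in this post; the two fingerprints are the ones published above.

```python
"""Audit a nuget.config for the NuGet.org repository-signing allow list and
add the new certificate fingerprint alongside the old one.

Added example for this post, not NuGet's own tooling. It inspects a single
file; nuget.config can live in several locations (solution, user profile,
machine), so run it against every file NuGet actually loads.
"""
import xml.etree.ElementTree as ET

# Fingerprints published in the post (SHA-256 over the DER-encoded certificate).
OLD_FP = "0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D"
NEW_FP = "5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4"

# Constructed sample: a 'require' policy that currently trusts only the old certificate.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>
"""


def _nuget_org_repository(root):
    """The <repository> allow-list entry for nuget.org, or None if absent."""
    return root.find("./trustedSigners/repository[@name='nuget.org']")


def _sha256_fingerprints(repo):
    """Upper-cased SHA256 fingerprints pinned under a <repository> element."""
    return {
        cert.get("fingerprint", "").upper()
        for cert in repo.findall("certificate")
        if cert.get("hashAlgorithm", "").upper() == "SHA256"
    }


def audit(config_xml):
    """Classify a nuget.config against the post's 'who will be impacted' test."""
    root = ET.fromstring(config_xml)
    mode = root.find("./config/add[@key='signatureValidationMode']")
    require = mode is not None and mode.get("value", "").lower() == "require"
    repo = _nuget_org_repository(root)
    fps = _sha256_fingerprints(repo) if repo is not None else set()
    return {
        "require_mode": require,
        "trusts_nuget_org": repo is not None,
        "has_old": OLD_FP in fps,
        "has_new": NEW_FP in fps,
        # Impacted: the allow list is enforced, pins nuget.org, and lacks the new cert.
        "impacted": require and repo is not None and NEW_FP not in fps,
    }


def add_new_certificate(config_xml):
    """Return the config with the new certificate added next to the old one.

    Idempotent: a config that already pins NEW_FP is returned unchanged.
    The old certificate is deliberately kept so packages signed before the
    rollover keep installing.
    """
    root = ET.fromstring(config_xml)
    repo = _nuget_org_repository(root)
    if repo is None or NEW_FP in _sha256_fingerprints(repo):
        return config_xml
    cert = ET.SubElement(repo, "certificate")
    cert.set("fingerprint", NEW_FP)
    cert.set("hashAlgorithm", "SHA256")
    cert.set("allowUntrustedRoot", "false")  # keep requiring a trusted root
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG))
    updated = add_new_certificate(SAMPLE_CONFIG)
    print("after: ", audit(updated))
    print(updated)
```

ElementTree drops XML comments and the declaration and does not indent the appended element; when writing a real file back, use `ET.ElementTree(root).write(path, xml_declaration=True, encoding="utf-8")` and review the diff before committing the change.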

NuGet.exe verify

If you use NuGet.exe verify to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint "0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D;5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4"

dotnet nuget verify

Similarly, if you use dotnet nuget verify to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:

dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D --certificate-fingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

Feedback

If you have any questions about how you may be impacted or run into issues while following the steps above, please don’t hesitate to contact us.

For more general NuGet feedback and suggestions:

1 comment


  • Marvin Andrés Marín Valencia

    @nuget Any problem with the platform?
    I am trying to download the package from Visual Studio 2019 Professional: Microsoft.EntityFrameworkCore.SqlServer. But the message is an error: “Can’t find the package Microsoft.Win32.Registry.4.7.0”.
