The NuGet.org repository signing certificate will be updated as soon as March 15th, 2021

Avatar

Christopher

Action required: If you validate that packages are repository signed by NuGet.org using a NuGet client policy, NuGet.exe verify command, or the dotnet nuget verify command, please follow these steps by March 15th, 2021 to avoid potential disruptions when installing new NuGet.org packages. If you are unsure, we have outlined steps to check if you will be impacted.

Since 2018, NuGet.org has used an X.509 certificate to repository sign its NuGet packages. That certificate will be expiring on April 14th, 2021. As early as March 15th, a new certificate will replace it as the new NuGet.org repository signing certificate for NuGet packages. Existing packages already signed with the older certificate will retain their existing signature, but the older certificate will soon no longer be used to sign packages.

You may recall a similar blog post a few months ago from when we updated the Microsoft author signing certificate. The action required to accept the new NuGet.org repository signing certificate is very similar, but does have key differences outlined in the the instructions below.

Note: If you were previously affected by NuGet restore issues due to distrust of Symantec CA’s on the Debian family of Linux distributions, please see our guidance on that matter for mitigations that may be necessary in addition to the actions outlined in this blogpost. If you were unaffected by the issue due to use of a non-Debian OS or have already applied one of the mitigations, the steps in this blogpost should be sufficient.

Current certificate SHA-256 fingerprint: 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D

New certificate SHA-256 fingerprint: 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

Who will be impacted?

1. Customers who are using a NuGet client policy to enforce an allow list of trusted signers that includes NuGet.org.

To tell if you have a NuGet client policy configured, check for the following elements in your nuget.config. Keep in mind that you can have nuget.config files in multiple locations with different scopes.

<config>
  <add key="signatureValidationMode" value="require" />
</config>


<trustedSigners>  
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" 
    hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>

2. Customers who use NuGet.exe verify (Windows only) to verify that signed packages are repository signed by NuGet.org.

This will look like the following in your code:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D

3. Customers who use dotnet nuget verify to verify that signed packages are repository signed by NuGet.org.

This will look like the following in your code:

dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D

If none of the above scenarios apply to you, then you should be unaffected by the certificate update! NuGet.org packages signed with the new certificate should install in the same way as packages signed with the old certificate.

Allow the new NuGet.org certificate

Client policy

If you are using a NuGet client policy to enforce an allow list of trusted signers, then you will need to add the new NuGet.org certificate to your allow list to avoid disruptions when installing NuGet.org packages signed with the new certificate. You should keep the older NuGet.org certificate as well to continue installing NuGet.org packages signed with the older certificate. If you try to install one of these newer NuGet.org packages without updating your trusted signers, you’ll get an NU3034 error and the package will fail to install.

On Windows, you can add the new NuGet.org repository signing certificate by running the following command:

nuget.exe trusted-signers Add -Name "NuGet.org2021" -CertificateFingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4 -FingerprintAlgorithm SHA256

On all platforms, you can the new NuGet.org repository signing certificate by adding the following elements that includes both the old and new certificates to your nuget.config:

<trustedSigners>
  <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
    <certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    <certificate fingerprint="5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </repository>
</trustedSigners>

NuGet.exe verify

If you use NuGet.exe verify to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:

NuGet.exe verify -Signatures <PackagePath> -CertificateFingerprint "0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D;5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4"

dotnet nuget verify

Similarly, if you use dotnet nuget verify to verify that a signed package is repository signed by NuGet.org, you’ll need to update the command to handle either certificate like so:

dotnet nuget verify <PackagePath> --certificate-fingerprint 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D --certificate-fingerprint 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4

Feedback

If you have any questions about how you may be impacted or run into issues while following the steps above, please don’t hesitate to contact us.

For more general NuGet feedback and suggestions:

1 comment

Comments are closed. Login to edit/delete your existing comments

  • Marvin Andrés Marín Valencia
    Marvin Andrés Marín Valencia

    @nuget Any problem with the platform?
    I am trying to download the package from visual studio 2019 profesional: microsoft.EntityFrameworkCore.SqlServer. But the message is error. “Can’t find the package” Microsoft.Win32.Registry.4.7.0