Package signing

Status: Reviewing

This specification is one part of a new experience for package signing described in the blog post: NuGet Package Signing.

Package Signatures Master Spec List

Here you can find a list of the relevant specifications. Some of these require more work and details to be added, that we plan to do shortly – while some are further along. They are grouped by the three stages described in the blog post NuGet Package Signing.

The work for this feature and the discussion around the spec is tracked here: #2577 Package Signing

Stage 1. Enable package authors to sign their packages

Author Package Signing: Describes the user experience for producing and consuming signed packages.
- https://github.com/NuGet/Home/wiki/Author-Package-Signing.
- Discuss #5889
NuGet.exe Sign Command: Describes the CLI commands in NuGet.exe to sign packages
- https://github.com/NuGet/Home/wiki/NuGet-Sign-Command
- Discuss #5907
Package Signatures Technical Details: Contains the signature format technical details
- https://github.com/NuGet/Home/wiki/Package-Signatures-Technical-Details
- Discuss (TBD)

Stage 2. Tamper proofing entire package dependency graphs

NuGet Server Checksums [TBD]

Stage 3. Configurable policies to enable locked down developer environments

NuGet client security policy. [TBD]
NuGet server security policy. [TBD]

Contributing

What's Being Worked On?

Check out the proposals in the accepted & proposed folders on the repository, and active PRs for proposals being discussed today.

Living Roadmap

Common Problems

Azure DevOps Artifacts authentication issues

Provide feedback

Saved searches

Use saved searches to filter your results more quickly