NuGet package signatures

Jan 1, 0001

Definition

NuGet package signatures are cryptographic signatures that ensure the integrity and authenticity of NuGet packages. By signing a package, the author provides a way for consumers to verify that the package has not been tampered with and that it originates from a trusted source. This process involves using a certificate to create a digital signature, which is then embedded in the package metadata.

Secure Settings Example

{
  "signatureValidationMode": "require",
  "trustedSigners": [
    {
      "name": "MyCompany",
      "certificateFingerprint": "3F:2B:7C:4D:5E:6F:7A:8B:9C:0D:1E:2F:3A:4B:5C:6D:7E:8F:9A:0B",
      "allowUntrustedRoot": false
    }
  ]
}

Insecure Settings Example

{
  "signatureValidationMode": "accept",
  "trustedSigners": []
}

NuGet package signatures

Definition

Secure Settings Example

Insecure Settings Example

Ask AppSec: free security newsletter

Ask AppSec: free security newsletter