Provided by: dotnet-host-8.0_8.0.12-0ubuntu1~22.04.1_amd64 bug

dotnet nuget sign
       This article applies to: ✔️ .NET 6 SDK and later versions


NAME
       dotnet-nuget-sign - Signs all the NuGet packages matching the first argument with a certificate.


SYNOPSIS
              dotnet nuget sign [<package-path(s)>]
                  [--certificate-path <PATH>]
                  [--certificate-store-name <STORENAME>]
                  [--certificate-store-location <STORELOCATION>]
                  [--certificate-subject-name <SUBJECTNAME>]
                  [--certificate-fingerprint <FINGERPRINT>]
                  [--certificate-password <PASSWORD>]
                  [--hash-algorithm <HASHALGORITHM>]
                  [-o|--output <OUTPUT DIRECTORY>]
                  [--overwrite]
                  [--timestamp-hash-algorithm <HASHALGORITHM>]
                  [--timestamper <TIMESTAMPINGSERVER>]
                  [-v|--verbosity <LEVEL>]

              dotnet nuget sign -h|--help


DESCRIPTION
       The dotnet nuget sign command signs all the packages matching the first argument with a certificate.  The
       certificate with the private key can be obtained from a  file  or  from  a  certificate  installed  in  a
       certificate store by providing a subject name or a SHA-1 fingerprint.

              This  command  requires  a  certificate  root  store  that  is  valid  for  both  code signing and
              timestamping.  Also, this command may not be supported on some combinations  of  operating  system
              and .NET SDK.  For more information, see NuGet signed package verification.


ARGUMENTS
package-path(s)

         Specifies  the  file  path to the package(s) to be signed.  Multiple arguments can be passed in to sign
         multiple packages.


OPTIONS
--certificate-path <PATH>

         Specifies the file path to the certificate to be used in signing the package.

                This option currently supports only PKCS12 (PFX) files that contain  the  certificate’s  private
                key.

       • --certificate-store-name <STORENAME>

         Specifies  the  name  of the X.509 certificate store to use to search for the certificate.  Defaults to
         :::no-loc text=“"My"”:::, the X.509 certificate store for personal certificates.  This option should be
         used  when  specifying  the  certificate  via  --certificate-subject-name  or --certificate-fingerprint
         options.

       • --certificate-store-location <STORELOCATION>

         Specifies the name of the X.509 certificate store use to  search  for  the  certificate.   Defaults  to
         :::no-loc  text=“"CurrentUser"”:::,  the X.509 certificate store used by the current user.  This option
         should be used  when  specifying  the  certificate  via  --certificate-subject-name  or  --certificate-
         fingerprint options.

       • --certificate-subject-name <SUBJECTNAME>

         Specifies  the  subject  name  of  the  certificate  used  to  search a local certificate store for the
         certificate.  The search is a case-insensitive string comparison using the supplied value, which  finds
         all certificates with the subject name containing that string, regardless of other subject values.  The
         certificate  store  can  be  specified  by  --certificate-store-name  and  --certificate-store-location
         options.

                This  option  currently supports only a single matching certificate in the result.  If there are
                multiple matching certificates in the result, or no matching certificate in the result, the sign
                command will fail.

       • --certificate-fingerprint <FINGERPRINT>

         SHA-1 fingerprint of the certificate used to search a local certificate store for the certificate.

       • --certificate-password <PASSWORD>

         Specifies  the certificate password, if needed.  If a certificate is password protected but no password
         is provided, the sign command will fail.

                The sign command only supports non-interactive mode.  There won’t be any prompt for  a  password
                at run time.

       • --hash-algorithm <HASHALGORITHM>

         Hash  algorithm  to  be  used  to  sign  the package.  Defaults to SHA256.  Possible values are SHA256,
         SHA384, and SHA512.

       • -o|--output

         Specifies the directory where the signed package should be saved.  If this option isn’t  specified,  by
         default the original package is overwritten by the signed package.

       • --overwrite

         Indicate  that  the  current  signature should be overwritten.  By default the command will fail if the
         package already has a signature.

       • --timestamp-hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used by the RFC 3161 timestamp server.  Defaults to SHA256.

       • --timestamper <TIMESTAMPINGSERVER>

         URL to an RFC 3161 timestamping server.

       • -v|--verbosity <LEVEL>

         Sets the verbosity level of the command.  Allowed values are q[uiet], m[inimal], n[ormal],  d[etailed],
         and     diag[nostic].      The     default     is     minimal.      For     more    information,    see
         <xref:Microsoft.Build.Framework.LoggerVerbosity>.

       • -?|-h|--help

         Prints out a description of how to use the command.


EXAMPLES
       • Sign foo.nupkg with certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password

       • Sign foo.nupkg with certificate (password protected) matches with the specified  SHA-1  fingerprint  in
         the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password

       • Sign  foo.nupkg with certificate (password protected) matches with the specified subject name :::no-loc
         text=“"Test certificate for testing signing"”::: in the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password

       • Sign foo.nupkg with certificate (password protected) matches with the specified  SHA-1  fingerprint  in
         the certificate store CurrentUser:

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root

       • Sign  multiple  NuGet  packages  -  foo.nupkg  and  all  .nupkg  files  in the directory specified with
         certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx

       • Sign   foo.nupkg   with   certificate   cert.pfx   (password    protected),    and    timestamp    with
         http://timestamp.test:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test

       • Sign  foo.nupkg  with  certificate  cert.pfx (not password protected) and save the signed package under
         specified directory:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\

       • Sign foo.nupkg with certificate cert.pfx (not password protected) and overwrite the  current  signature
         if the package is already signed:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite

                                                   2023-10-25                               dotnet-nuget-sign(1)