Provided by: dotnet-host-9.0_9.0.0-rtm+build1-0ubuntu1_amd64

dotnet nuget sign

       This article applies to: ✔️ .NET 6 SDK and later versions

NAME

       dotnet-nuget-sign  -  Signs  all  the  NuGet  packages  matching the first argument with a
       certificate.

SYNOPSIS

              dotnet nuget sign [<package-path(s)>]
                  [--certificate-path <PATH>]
                  [--certificate-store-name <STORENAME>]
                  [--certificate-store-location <STORELOCATION>]
                  [--certificate-subject-name <SUBJECTNAME>]
                  [--certificate-fingerprint <FINGERPRINT>]
                  [--certificate-password <PASSWORD>]
                  [--hash-algorithm <HASHALGORITHM>]
                  [-o|--output <OUTPUT DIRECTORY>]
                  [--overwrite]
                  [--timestamp-hash-algorithm <HASHALGORITHM>]
                  [--timestamper <TIMESTAMPINGSERVER>]
                  [-v|--verbosity <LEVEL>]

              dotnet nuget sign -h|--help

DESCRIPTION

       The dotnet nuget sign command signs all the packages matching the first  argument  with  a
       certificate.   The  certificate with the private key can be obtained from a file or from a
       certificate installed in a certificate store by  providing  a  subject  name  or  a  SHA-1
       fingerprint.

              This  command requires a certificate root store that is valid for both code signing
              and timestamping.  Also, this command may not be supported on some combinations  of
              operating  system  and  .NET  SDK.   For more information, see NuGet signed package
              verification.

ARGUMENTS

       • package-path(s)

         Specifies the file path to the package(s) to  be  signed.   Multiple  arguments  can  be
         passed in to sign multiple packages.

OPTIONS

       • --certificate-path <PATH>

         Specifies the file path to the certificate to be used in signing the package.

                This  option  currently  supports  only  PKCS12  (PFX)  files  that  contain  the
                certificate’s private key.

       • --certificate-store-name <STORENAME>

         Specifies the name of the X.509 certificate store to use to search for the certificate.
         Defaults to "My", the X.509 certificate store for personal certificates.  This option
         should be used when specifying the certificate via the --certificate-subject-name or
         --certificate-fingerprint options.

       • --certificate-store-location <STORELOCATION>

         Specifies the location of the X.509 certificate store to use to search for the
         certificate.  Defaults to "CurrentUser", the X.509 certificate store used by the
         current user.  This option should be used when specifying the certificate via the
         --certificate-subject-name or --certificate-fingerprint options.

       • --certificate-subject-name <SUBJECTNAME>

         Specifies the subject name of the certificate used to search a local  certificate  store
         for  the  certificate.   The  search  is  a case-insensitive string comparison using the
         supplied value, which finds all certificates  with  the  subject  name  containing  that
         string,  regardless  of other subject values.  The certificate store can be specified by
         --certificate-store-name and --certificate-store-location options.

                This option currently supports only a single matching certificate in the  result.
                If  there  are  multiple  matching  certificates  in  the  result, or no matching
                certificate in the result, the sign command will fail.

       • --certificate-fingerprint <FINGERPRINT>

         Specifies the fingerprint of the certificate used to search a  local  certificate  store
         for the certificate.

         Starting with .NET 9, this option can be used to specify the SHA-1, SHA-256, SHA-384, or
         SHA-512 fingerprint of the certificate.  However, a NU3043  warning  is  raised  when  a
         SHA-1 certificate fingerprint is used because it is no longer considered secure.

         All previous versions of the .NET SDK continue to accept only a SHA-1 certificate
         fingerprint.

       • --certificate-password <PASSWORD>

         Specifies the certificate password, if needed.  If a certificate is  password  protected
         but no password is provided, the sign command will fail.

                The  sign  command only supports non-interactive mode.  There won’t be any prompt
                for a password at run time.

       • --hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used to sign the package.  Defaults to SHA256.  Possible values are
         SHA256, SHA384, and SHA512.

       • -o|--output

         Specifies  the directory where the signed package should be saved.  If this option isn’t
         specified, by default the original package is overwritten by the signed package.

       • --overwrite

         Indicates that the current signature should be overwritten.  By default, the command
         will fail if the package already has a signature.

       • --timestamp-hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used by the RFC 3161 timestamp server.  Defaults to SHA256.

       • --timestamper <TIMESTAMPINGSERVER>

         URL to an RFC 3161 timestamping server.

       • -v|--verbosity <LEVEL>

         Sets  the  verbosity  level  of  the  command.   Allowed  values are q[uiet], m[inimal],
         n[ormal], d[etailed], and diag[nostic].  The default is minimal.  For more  information,
         see Microsoft.Build.Framework.LoggerVerbosity.

       • -?|-h|--help

         Prints out a description of how to use the command.

EXAMPLES

       • Sign foo.nupkg with certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified
         SHA-1 fingerprint in the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified
         subject name "Test certificate for testing signing" in the default certificate store
         (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified
         SHA-1 fingerprint in the certificate store CurrentUser\Root:

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root

       • Sign multiple NuGet packages - foo.nupkg and all .nupkg files in the directory specified
         with certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with  certificate  cert.pfx  (password  protected),  and  timestamp  with
         http://timestamp.test:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test

       • Sign  foo.nupkg  with  certificate cert.pfx (not password protected) and save the signed
         package under specified directory:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\

       • Sign foo.nupkg with certificate cert.pfx (not  password  protected)  and  overwrite  the
         current signature if the package is already signed:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite
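
       • Added example, not part of the original dotnet documentation: a POSIX sh preflight for
         the --certificate-fingerprint and --hash-algorithm values described under OPTIONS.  The
         function names and exit codes are assumptions made for this example, and rejecting a
         SHA-1 fingerprint is a policy choice based on the NU3043 warning, not behaviour of the
         sign command itself:

```shell
#!/bin/sh
# Added example, not from the dotnet documentation. Function names and exit
# codes are assumptions made for this illustration.

# Accept bare hex or openssl-style "sha256 Fingerprint=AB:CD:..." output
# and print uppercase hex without separators.
normalize_fingerprint() {
    printf '%s' "${1##*=}" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print the digest algorithm implied by the fingerprint's hex length.
# Returns 1 for anything that is not a digest of a length the page lists.
fingerprint_alg() {
    fp=$(normalize_fingerprint "$1")
    case "$fp" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case "${#fp}" in
        40)  echo SHA-1 ;;
        64)  echo SHA-256 ;;
        96)  echo SHA-384 ;;
        128) echo SHA-512 ;;
        *)   return 1 ;;
    esac
}

# check_sign_options FINGERPRINT HASH_ALGORITHM
# Prints the normalized fingerprint when both values pass. Returns 2 for a
# SHA-1 fingerprint (NU3043 on .NET 9; rejecting it is this script's policy),
# 3 for a malformed fingerprint, 4 for an unsupported --hash-algorithm.
check_sign_options() {
    alg=$(fingerprint_alg "$1") || return 3
    if [ "$alg" = "SHA-1" ]; then return 2; fi
    case "$2" in
        SHA256|SHA384|SHA512) ;;
        *) return 4 ;;
    esac
    normalize_fingerprint "$1"
}

# Demo with the SHA-1 fingerprint used in the EXAMPLES section above.
if fp_ok=$(check_sign_options 89967D1DD995010B6C66AE24FF8E66885E6E03A8 SHA256); then
    echo "dotnet nuget sign foo.nupkg --certificate-fingerprint $fp_ok --hash-algorithm SHA256"
else
    echo "rejected (exit $?): supply a SHA-256, SHA-384 or SHA-512 fingerprint" >&2
fi
```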

                                            2024-10-02                       dotnet-nuget-sign(1)