Provided by: dotnet-host-9.0_9.0.0-rtm+build1-0ubuntu1_amd64
dotnet nuget verify
This article applies to: ✔️ .NET 5.0.100-rc.2.x SDK and later versions
NAME
dotnet-nuget-verify - Verifies a signed NuGet package.
SYNOPSIS
    dotnet nuget verify [<package-path(s)>] [--all]
        [--certificate-fingerprint <FINGERPRINT>]
        [-v|--verbosity <LEVEL>] [--configfile <FILE>]

    dotnet nuget verify -h|--help
DESCRIPTION
The dotnet nuget verify command verifies a signed NuGet package. This command requires a certificate root store that is valid for both code signing and timestamping. Also, this command may not be supported on some combinations of operating system and .NET SDK. For more information, see NuGet signed package verification.
ARGUMENTS
• package-path(s)

  Specifies the file path to the package(s) to be verified. Multiple positional arguments can be passed in to verify multiple packages.
OPTIONS
• --all

  Specifies that all verifications possible should be performed on the package(s). By default, only signatures are verified. This command currently supports only signature verification.

• --certificate-fingerprint <FINGERPRINT>

  Verify that the signer certificate matches with one of the specified SHA256 fingerprints. This option can be supplied multiple times to provide multiple fingerprints.

• -v|--verbosity <LEVEL>

  Sets the verbosity level of the command. Allowed values are q[uiet], m[inimal], n[ormal], d[etailed], and diag[nostic]. The default is minimal. For more information, see Microsoft.Build.Framework.LoggerVerbosity.

  The following table shows what is displayed for each verbosity level.

                                                        q[uiet]  m[inimal]  n[ormal]  d[etailed]  diag[nostic]
  ────────────────────────────────────────────────────────────────────────────────────────────────────────────
  Certificate chain Information                           ❌        ❌         ❌         ✔️           ✔️
  Path to package being verified                          ❌        ❌         ✔️         ✔️           ✔️
  Hashing algorithm used for signature                    ❌        ❌         ✔️         ✔️           ✔️
  Author/Repository Certificate -> SHA1 hash              ❌        ❌         ✔️         ✔️           ✔️
  Author/Repository Certificate -> Issued By              ❌        ❌         ✔️         ✔️           ✔️
  Timestamp Certificate -> Issued By                      ❌        ❌         ✔️         ✔️           ✔️
  Timestamp Certificate -> SHA-256 hash                   ❌        ❌         ✔️         ✔️           ✔️
  Timestamp Certificate -> Validity period                ❌        ❌         ✔️         ✔️           ✔️
  Timestamp Certificate -> SHA1 hash                      ❌        ❌         ✔️         ✔️           ✔️
  Timestamp Certificate -> Subject name                   ❌        ❌         ✔️         ✔️           ✔️
  Author/Repository Certificate -> Subject name           ❌        ✔️         ✔️         ✔️           ✔️
  Author/Repository Certificate -> SHA-256 hash           ❌        ✔️         ✔️         ✔️           ✔️
  Author/Repository Certificate -> Validity period        ❌        ✔️         ✔️         ✔️           ✔️
  Author/Repository Certificate -> Service index URL      ❌        ✔️         ✔️         ✔️           ✔️
    (If applicable)
  Package name being verified                             ❌        ✔️         ✔️         ✔️           ✔️
  Type of signature (author or repository)                ❌        ✔️         ✔️         ✔️           ✔️

  ❌ indicates details that are not displayed. ✔️ indicates details that are displayed.

• --configfile <FILE>

  The NuGet configuration file (nuget.config) to use. If specified, only the settings from this file will be used. If not specified, the hierarchy of configuration files from the current directory will be used. For more information, see Common NuGet Configurations.

• -?|-h|--help

  Prints out a description of how to use the command.
EXAMPLES
• Verify foo.nupkg:

    dotnet nuget verify foo.nupkg

• Verify multiple NuGet packages - foo.nupkg and all .nupkg files in the directory specified:

    dotnet nuget verify foo.nupkg c:\mydir\*.nupkg

• Verify foo.nupkg signature matches with the specified certificate fingerprint:

    dotnet nuget verify foo.nupkg --certificate-fingerprint CE40881FF5F0AD3E58965DA20A9F571EF1651A56933748E1BF1C99E537C4E039

• Verify foo.nupkg signature matches with one of the specified certificate fingerprints:

    dotnet nuget verify foo.nupkg --certificate-fingerprint CE40881FF5F0AD3E58965DA20A9F571EF1651A56933748E1BF1C99E537C4E039 --certificate-fingerprint EC10992GG5F0AD3E58965DA20A9F571EF1651A56933748E1BF1C99E537C4E027

• Verify the signature of foo.nupkg by using settings (packagesources and trustedSigners) only from the specified nuget.config file:

    dotnet nuget verify foo.nupkg --configfile ..\Settings\nuget.config

2024-10-02 dotnet-nuget-verify(1)
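
The fingerprint-pinning examples above, wrapped as a build gate that reads the pinned signers from a file and refuses to run unpinned. This is an added example, not part of the dotnet documentation; the allowlist file format (one SHA-256 fingerprint per line, `#` starts a comment) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: verify .nupkg files against a pinned signer allowlist.
# Assumed allowlist format: one SHA-256 fingerprint per line, '#' comments.

# Succeed only for exactly 64 hexadecimal characters (a SHA-256 fingerprint).
is_sha256_fingerprint() {
  case "$1" in
    "" | *[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Print "--certificate-fingerprint <FP> " for each allowlist entry.
# Returns 2 on a malformed entry and 3 on an empty allowlist, so a damaged
# file can never silently downgrade the check to "any trusted signer".
fingerprint_args() {
  count=0
  while IFS= read -r line || [ -n "$line" ]; do
    fp=${line%%#*}                               # strip trailing comment
    fp=$(printf '%s' "$fp" | tr -d '[:space:]')  # strip whitespace
    [ -z "$fp" ] && continue
    if ! is_sha256_fingerprint "$fp"; then
      echo "malformed fingerprint in $1: $fp" >&2
      return 2
    fi
    printf '%s %s ' --certificate-fingerprint "$fp"
    count=$((count + 1))
  done < "$1"
  [ "$count" -gt 0 ] || { echo "allowlist $1 is empty" >&2; return 3; }
}

# usage: verify_pinned ALLOWLIST pkg1.nupkg [pkg2.nupkg ...]
# Exit status is that of dotnet nuget verify, or 2/3 from fingerprint_args.
verify_pinned() {
  allow=$1
  shift
  args=$(fingerprint_args "$allow") || return $?
  # $args is deliberately unquoted: it holds only flag names and hex strings.
  # -v normal also prints the hashing algorithm and timestamp certificate
  # details listed in the verbosity table.
  dotnet nuget verify "$@" $args -v normal
}
```

Source the file and call `verify_pinned signers.txt ./packages/*.nupkg` before restore or publish; a non-zero status should fail the build.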