Provided by: dotnet-host-10.0_10.0.0-0ubuntu1_amd64

dotnet nuget sign

       This article applies to: ✔️ .NET 6 SDK and later versions

NAME

       dotnet-nuget-sign - Signs all the NuGet packages matching the first argument with a certificate.

SYNOPSIS

              dotnet nuget sign [<package-path(s)>]
                  [--certificate-path <PATH>]
                  [--certificate-store-name <STORENAME>]
                  [--certificate-store-location <STORELOCATION>]
                  [--certificate-subject-name <SUBJECTNAME>]
                  [--certificate-fingerprint <FINGERPRINT>]
                  [--certificate-password <PASSWORD>]
                  [--hash-algorithm <HASHALGORITHM>]
                  [-o|--output <OUTPUT DIRECTORY>]
                  [--overwrite]
                  [--timestamp-hash-algorithm <HASHALGORITHM>]
                  [--timestamper <TIMESTAMPINGSERVER>]
                  [-v|--verbosity <LEVEL>]

              dotnet nuget sign -h|--help

DESCRIPTION

       The dotnet nuget sign command signs all the packages matching the first argument with a certificate. The
       certificate with the private key can be obtained from a file or from a certificate installed in a
       certificate store by providing a subject name or a SHA-1 fingerprint.

              This command requires a certificate root store that’s valid for both code signing and
              timestamping. Also, this command might not be supported on some combinations of operating
              system and .NET SDK. For more information, see NuGet signed package verification.

ARGUMENTS

       • package-path(s)

         Specifies the file path to the package(s) to be signed.  Multiple arguments can be passed  in  to  sign
         multiple packages.

OPTIONS

       • --certificate-path <PATH>

         Specifies the file path to the certificate to be used in signing the package.

                This  option  currently  supports only PKCS12 (PFX) files that contain the certificate’s private
                key.

       • --certificate-store-name <STORENAME>

         Specifies the name of the X.509 certificate store to use to search for the certificate. Defaults to
         "My", the X.509 certificate store for personal certificates. This option should be used when
         specifying the certificate via the --certificate-subject-name or --certificate-fingerprint options.

       • --certificate-store-location <STORELOCATION>

         Specifies the name of the X.509 certificate store used to search for the certificate. Defaults to
         "CurrentUser", the X.509 certificate store used by the current user. This option should be used
         when specifying the certificate via the --certificate-subject-name or --certificate-fingerprint
         options.

       • --certificate-subject-name <SUBJECTNAME>

         Specifies the subject name of the certificate used to search a local certificate store for the
         certificate. The search is a case-insensitive string comparison using the supplied value, which
         finds all certificates with the subject name containing that string, regardless of other subject
         values. The certificate store can be specified by the --certificate-store-name and
         --certificate-store-location options.

                This option currently supports only a single matching certificate in the result.  If  there  are
                multiple matching certificates in the result, or no matching certificate in the result, the sign
                command will fail.

       • --certificate-fingerprint <FINGERPRINT>

         Specifies the fingerprint of the certificate used to search a local certificate store for the
         certificate.

         Starting with .NET 9, this option can be used to specify the SHA-1, SHA-256, SHA-384, or SHA-512
         fingerprint of the certificate. However, a NU3043 warning is raised when a SHA-1 certificate
         fingerprint is used because it’s no longer considered secure. In .NET 10 and later versions, the
         warning is elevated to an error. Only SHA-2 family fingerprints (SHA-256, SHA-384, and SHA-512)
         are supported.

         All pre-.NET 9 versions of the .NET SDK continue to accept only SHA-1 certificate fingerprints.

       • --certificate-password <PASSWORD>

         Specifies  the certificate password, if needed.  If a certificate is password protected but no password
         is provided, the sign command will fail.

                The sign command only supports non-interactive mode.  There won’t be any prompt for  a  password
                at run time.

       • --hash-algorithm <HASHALGORITHM>

         Hash  algorithm  to  be  used  to  sign  the package.  Defaults to SHA256.  Possible values are SHA256,
         SHA384, and SHA512.

       • -o|--output

         Specifies the directory where the signed package should be saved.  If this option isn’t  specified,  by
         default the original package is overwritten by the signed package.

       • --overwrite

         Indicates that the current signature should be overwritten. By default the command will fail if the
         package already has a signature.

       • --timestamp-hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used by the RFC 3161 timestamp server.  Defaults to SHA256.

       • --timestamper <TIMESTAMPINGSERVER>

         URL to an RFC 3161 timestamping server.

       • -v|--verbosity <LEVEL>

         Sets the verbosity level of the command. Allowed values are q[uiet], m[inimal], n[ormal], d[etailed],
         and diag[nostic]. The default is minimal. For more information, see
         Microsoft.Build.Framework.LoggerVerbosity.

       • -?|-h|--help

         Prints out a description of how to use the command.

EXAMPLES

       • Sign foo.nupkg with certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified SHA-256
         fingerprint in the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-fingerprint B2C40F2F8775D7B7EBEB76BD5A9D3A4BC3F4B8A4D8D7C5F8A4C6B3E7A9E2D5F1 --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified subject name
         "Test certificate for testing signing" in the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified SHA-256
         fingerprint in the certificate store CurrentUser\Root:

                dotnet nuget sign foo.nupkg --certificate-fingerprint B2C40F2F8775D7B7EBEB76BD5A9D3A4BC3F4B8A4D8D7C5F8A4C6B3E7A9E2D5F1 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root

       • Sign multiple NuGet packages - foo.nupkg and all .nupkg files in the directory specified with
         certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected), and timestamp with
         http://timestamp.test:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test

       • Sign  foo.nupkg  with  certificate  cert.pfx (not password protected) and save the signed package under
         specified directory:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\

       • Sign foo.nupkg with certificate cert.pfx (not password protected) and overwrite the  current  signature
         if the package is already signed:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite
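
       The fingerprint rules described under --certificate-fingerprint, as a pre-flight check for a build
       script. This is an added example, not part of the original manual page or the .NET SDK: the function
       names and the DOTNET override variable are hypothetical, and stripping colons assumes the fingerprint
       was copied from a tool that prints it colon-separated.

```shell
#!/bin/sh
# Added example: validate a --certificate-fingerprint value before signing.
# DOTNET is a hypothetical override (e.g. DOTNET=echo) for dry runs.

# Strip colon/space separators and upper-case the hex digits.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Print the digest a hex fingerprint corresponds to, judged by its length.
fingerprint_algorithm() {
    fp=$(normalize_fingerprint "$1")
    case "$fp" in
        '' | *[!0-9A-F]*) echo invalid; return 1 ;;
    esac
    case "${#fp}" in
        40)  echo SHA-1 ;;
        64)  echo SHA-256 ;;
        96)  echo SHA-384 ;;
        128) echo SHA-512 ;;
        *)   echo invalid; return 1 ;;
    esac
}

# sign_with_fingerprint <package> <fingerprint> [extra "dotnet nuget sign" options]
sign_with_fingerprint() {
    pkg=$1; raw=$2; shift 2
    alg=$(fingerprint_algorithm "$raw") || {
        echo "error: not a SHA-1/SHA-2 hex fingerprint: $raw" >&2
        return 2
    }
    if [ "$alg" = SHA-1 ]; then
        # NU3043: a warning on .NET 9, an error on .NET 10 and later.
        echo "error: SHA-1 fingerprint refused (NU3043); use SHA-256/384/512" >&2
        return 3
    fi
    # Remaining arguments (e.g. --timestamper URL) are passed through unchanged.
    ${DOTNET:-dotnet} nuget sign "$pkg" \
        --certificate-fingerprint "$(normalize_fingerprint "$raw")" "$@"
}
```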

                                                   2025-08-29                               dotnet-nuget-sign(1)