This article applies to: ✔️ .NET 6 SDK and later versions
dotnet-nuget-sign - Signs all the NuGet packages matching the first argument with a certificate.
dotnet nuget sign [<package-path(s)>]
[--certificate-path <PATH>]
[--certificate-store-name <STORENAME>]
[--certificate-store-location <STORELOCATION>]
[--certificate-subject-name <SUBJECTNAME>]
[--certificate-fingerprint <FINGERPRINT>]
[--certificate-password <PASSWORD>]
[--hash-algorithm <HASHALGORITHM>]
[-o|--output <OUTPUT DIRECTORY>]
[--overwrite]
[--timestamp-hash-algorithm <HASHALGORITHM>]
[--timestamper <TIMESTAMPINGSERVER>]
[-v|--verbosity <LEVEL>]
dotnet nuget sign -h|--help
The dotnet nuget sign command signs all the packages matching the first argument with a certificate. The certificate with the private key can be obtained from a file or from a certificate installed in a certificate store by providing a subject name or a SHA-1 fingerprint.
This command requires a certificate root store that’s valid for both code signing and timestamping. For more information, see NuGet signed package verification.
|
• |
package-path(s) |
Specifies the file path to the package(s) to be signed. Multiple arguments can be passed in to sign multiple packages.
|
• |
--certificate-path <PATH> |
Specifies the file path to the certificate to be used in signing the package.
This option currently supports only PKCS12 (PFX) files that contain the certificate’s private key.
|
• |
--certificate-store-name <STORENAME> |
Specifies the name of the X.509 certificate store to use to search for the certificate. Defaults to :::no-loc text=“"My"”:::, the X.509 certificate store for personal certificates. This option should be used when specifying the certificate via --certificate-subject-name or --certificate-fingerprint options.
|
• |
--certificate-store-location <STORELOCATION> |
Specifies the name of the X.509 certificate store use to search for the certificate. Defaults to :::no-loc text=“"CurrentUser"”:::, the X.509 certificate store used by the current user. This option should be used when specifying the certificate via --certificate-subject-name or --certificate-fingerprint options.
|
• |
--certificate-subject-name <SUBJECTNAME> |
Specifies the subject name of the certificate used to search a local certificate store for the certificate. The search is a case-insensitive string comparison using the supplied value, which will find all certificates with the subject name containing that string, regardless of other subject values. The certificate store can be specified by --certificate-store-name and --certificate-store-location options.
This option currently supports only a single matching certificate in the result. If there are multiple matching certificates in the result, or no matching certificate in the result, the sign command will fail.
|
• |
--certificate-fingerprint <FINGERPRINT> |
SHA-1 fingerprint of the certificate used to search a local certificate store for the certificate.
|
• |
--certificate-password <PASSWORD> |
Specifies the certificate password, if needed. If a certificate is password protected but no password is provided, the sign command will fail.
The sign command only supports non-interactive mode. There won’t be any prompt for a password at run time.
|
• |
--hash-algorithm <HASHALGORITHM> |
Hash algorithm to be used to sign the package. Defaults to SHA256. Possible values are SHA256, SHA384, and SHA512.
|
• |
-o|--output |
Specifies the directory where the signed package should be saved. If this option is not specified, by default the original package is overwritten by the signed package.
|
• |
--overwrite |
Indicate that the current signature should be overwritten. By default the command will fail if the package already has a signature.
|
• |
--timestamp-hash-algorithm <HASHALGORITHM> |
Hash algorithm to be used by the RFC 3161 timestamp server. Defaults to SHA256.
|
• |
--timestamper <TIMESTAMPINGSERVER> |
URL to an RFC 3161 timestamping server.
|
• |
-v|--verbosity <LEVEL> |
Sets the verbosity level of the command. Allowed values are q[uiet], m[inimal], n[ormal], d[etailed], and diag[nostic]. The default is minimal. For more information, see <xref:Microsoft.Build.Framework.LoggerVerbosity>.
|
• |
-?|-h|--help |
Prints out a description of how to use the command.
|
• |
Sign foo.nupkg with certificate cert.pfx (not password protected): |
dotnet nuget sign foo.nupkg --certificate-path cert.pfx
|
• |
Sign foo.nupkg with certificate cert.pfx (password protected): |
dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password
|
• |
Sign foo.nupkg with certificate (password protected) matches with the specified SHA-1 fingerprint in the default certificate store (CurrentUser): |
dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password
|
• |
Sign foo.nupkg with certificate (password protected) matches with the specified subject name :::no-loc text=“"Test certificate for testing signing"”::: in the default certificate store (CurrentUser): |
dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password
|
• |
Sign foo.nupkg with certificate (password protected) matches with the specified SHA-1 fingerprint in the certificate store CurrentUser: |
dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root
|
• |
Sign multiple NuGet packages - foo.nupkg and all .nupkg files in the directory specified with certificate cert.pfx (not password protected): |
dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx
|
• |
Sign foo.nupkg with certificate cert.pfx (password protected), and timestamp with http://timestamp.test: |
dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test
|
• |
Sign foo.nupkg with certificate cert.pfx (not password protected) and save the signed package under specified directory: |
dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\
|
• |
Sign foo.nupkg with certificate cert.pfx (not password protected) and overwrite the current signature if the package is already signed: |
dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite