Provided by: dotnet-host-9.0_9.0.7-0ubuntu1~25.04.1_amd64

dotnet nuget sign

       This article applies to: ✔️ .NET 6 SDK and later versions

NAME

       dotnet-nuget-sign - Signs all the NuGet packages matching the first argument with a certificate.

SYNOPSIS

              dotnet nuget sign [<package-path(s)>]
                  [--certificate-path <PATH>]
                  [--certificate-store-name <STORENAME>]
                  [--certificate-store-location <STORELOCATION>]
                  [--certificate-subject-name <SUBJECTNAME>]
                  [--certificate-fingerprint <FINGERPRINT>]
                  [--certificate-password <PASSWORD>]
                  [--hash-algorithm <HASHALGORITHM>]
                  [-o|--output <OUTPUT DIRECTORY>]
                  [--overwrite]
                  [--timestamp-hash-algorithm <HASHALGORITHM>]
                  [--timestamper <TIMESTAMPINGSERVER>]
                  [-v|--verbosity <LEVEL>]

              dotnet nuget sign -h|--help

DESCRIPTION

       The dotnet nuget sign command signs all the packages matching the first argument with a certificate.  The
       certificate with the private key can be obtained from a file or from a certificate installed in a
       certificate store by providing a subject name or a SHA-1 fingerprint.

              This command requires a certificate root store that is valid for both code signing and
              timestamping.  Also, this command may not be supported on some combinations of operating
              system and .NET SDK.  For more information, see NuGet signed package verification.

ARGUMENTS

package-path(s)

         Specifies the file path to the package(s) to be signed.  Multiple arguments can be passed  in  to  sign
         multiple packages.

OPTIONS

       • --certificate-path <PATH>

         Specifies the file path to the certificate to be used in signing the package.

                This  option  currently  supports only PKCS12 (PFX) files that contain the certificate’s private
                key.

       • --certificate-store-name <STORENAME>

         Specifies the name of the X.509 certificate store to use to search for the certificate.  Defaults to
         "My", the X.509 certificate store for personal certificates.  This option should be used when
         specifying the certificate via the --certificate-subject-name or --certificate-fingerprint options.

       • --certificate-store-location <STORELOCATION>

         Specifies the name of the X.509 certificate store to use to search for the certificate.  Defaults to
         "CurrentUser", the X.509 certificate store used by the current user.  This option should be used
         when specifying the certificate via the --certificate-subject-name or --certificate-fingerprint
         options.

       • --certificate-subject-name <SUBJECTNAME>

         Specifies the subject name of the certificate used to search a local certificate store for the
         certificate.  The search is a case-insensitive string comparison using the supplied value, which
         finds all certificates with the subject name containing that string, regardless of other subject
         values.  The certificate store can be specified by the --certificate-store-name and
         --certificate-store-location options.

                This option currently supports only a single matching certificate in the result.  If  there  are
                multiple matching certificates in the result, or no matching certificate in the result, the sign
                command will fail.

       • --certificate-fingerprint <FINGERPRINT>

         Specifies the fingerprint of the certificate used to search a local certificate store for the
         certificate.

         Starting with .NET 9, this option can be used to specify the SHA-1, SHA-256, SHA-384, or SHA-512
         fingerprint of the certificate.  However, a NU3043 warning is raised when a SHA-1 certificate
         fingerprint is used because it is no longer considered secure.

         All previous versions of the .NET SDK continue to accept only a SHA-1 certificate fingerprint.

       • --certificate-password <PASSWORD>

         Specifies the certificate password, if needed.  If a certificate is password protected but no  password
         is provided, the sign command will fail.

                The  sign  command only supports non-interactive mode.  There won’t be any prompt for a password
                at run time.

       • --hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used to sign the package.   Defaults  to  SHA256.   Possible  values  are  SHA256,
         SHA384, and SHA512.

       • -o|--output

         Specifies  the  directory where the signed package should be saved.  If this option isn’t specified, by
         default the original package is overwritten by the signed package.

       • --overwrite

         Indicate that the current signature should be overwritten.  By default the command  will  fail  if  the
         package already has a signature.

       • --timestamp-hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used by the RFC 3161 timestamp server.  Defaults to SHA256.

       • --timestamper <TIMESTAMPINGSERVER>

         URL to an RFC 3161 timestamping server.

       • -v|--verbosity <LEVEL>

         Sets the verbosity level of the command.  Allowed values are q[uiet], m[inimal], n[ormal], d[etailed],
         and diag[nostic].  The default is minimal.  For more information, see
         Microsoft.Build.Framework.LoggerVerbosity.

       • -?|-h|--help

         Prints out a description of how to use the command.

EXAMPLES

       • Sign foo.nupkg with certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified SHA-1 fingerprint
         in the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified subject name
         "Test certificate for testing signing" in the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches the specified SHA-1 fingerprint
         in the certificate store CurrentUser:

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root

       • Sign multiple NuGet packages - foo.nupkg and all .nupkg files in the directory specified with
         certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected), and timestamp with
         http://timestamp.test:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test

       • Sign foo.nupkg with certificate cert.pfx (not password protected) and save  the  signed  package  under
         specified directory:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\

       • Sign  foo.nupkg  with certificate cert.pfx (not password protected) and overwrite the current signature
         if the package is already signed:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite
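
       The --certificate-fingerprint rules described under OPTIONS (SHA-1 is still accepted but raises
       NU3043 starting with .NET 9), as a pre-flight check for a signing script.  This is an added example,
       not part of the original manual page; the function names and the DRY_RUN variable are assumptions
       made for illustration.

```shell
#!/bin/sh
# Added example (not from the manual page): validate a certificate fingerprint
# before passing it to `dotnet nuget sign --certificate-fingerprint`.

# Strip separators some certificate tools print (colons, whitespace) and uppercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Print the hash algorithm implied by the fingerprint's hex length:
# SHA-1 (40), SHA-256 (64), SHA-384 (96), SHA-512 (128), otherwise "invalid".
fingerprint_algorithm() {
    fp=$(normalize_fp "$1")
    case "$fp" in
        ''|*[!0-9A-F]*) echo invalid; return 0 ;;
    esac
    case "${#fp}" in
        40)  echo SHA-1 ;;
        64)  echo SHA-256 ;;
        96)  echo SHA-384 ;;
        128) echo SHA-512 ;;
        *)   echo invalid ;;
    esac
}

# Sign one package by fingerprint. Malformed values return 2; SHA-1 fingerprints
# return 3 so a build fails early instead of emitting NU3043.
# With DRY_RUN=1 (hypothetical variable) the command is printed, not executed.
sign_by_fingerprint() {
    pkg=$1; raw_fp=$2; outdir=$3
    alg=$(fingerprint_algorithm "$raw_fp")
    case "$alg" in
        invalid) echo "error: not a hex certificate fingerprint" >&2; return 2 ;;
        SHA-1)   echo "error: SHA-1 fingerprint (NU3043); use SHA-256 or stronger" >&2; return 3 ;;
    esac
    set -- dotnet nuget sign "$pkg" \
        --certificate-fingerprint "$(normalize_fp "$raw_fp")" \
        --output "$outdir"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
```

       Writing to a separate --output directory keeps the unsigned package intact if signing fails.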

                                                   2024-10-02                               dotnet-nuget-sign(1)