dotnet-nuget-sign(1)

1(1)                                  .NET                                  (1)
2
3
4

dotnet nuget sign

6       This article applies to: ✔️ .NET 6.0 Preview 5 SDK and later versions
7

NAME

9       dotnet nuget sign - Signs all the NuGet packages matching the first ar‐
10       gument with a certificate.
11

SYNOPSIS

13              dotnet nuget sign [<package-path(s)>]
14                  [--certificate-path <PATH>]
15                  [--certificate-store-name <STORENAME>]
16                  [--certificate-store-location <STORELOCATION>]
17                  [--certificate-subject-name <SUBJECTNAME>]
18                  [--certificate-fingerprint <FINGERPRINT>]
19                  [--certificate-password <PASSWORD>]
20                  [--hash-algorithm <HASHALGORITHM>]
21                  [-o|--output <OUTPUT DIRECTORY>]
22                  [--overwrite]
23                  [--timestamp-hash-algorithm <HASHALGORITHM>]
24                  [--timestamper <TIMESTAMPINGSERVER>]
25                  [-v|--verbosity <LEVEL>]
26
27              dotnet nuget sign -h|--help
28

DESCRIPTION

30       The dotnet nuget sign command signs all the packages matching the first
31       argument  with a certificate.  The certificate with the private key can
32       be obtained from a file or from a certificate installed in  a  certifi‐
33       cate store by providing a subject name or a SHA-1 fingerprint.
34
35   Arguments
36       • package-path(s)
37
38         Specifies the file path to the package(s) to be signed.  Multiple ar‐
39         guments can be passed in to sign multiple packages.
40

OPTIONS

42       • --certificate-path <PATH>
43
44         Specifies the file path to the certificate to be used in signing  the
45         package.
46
47                [!NOTE] This option currently supports only PKCS12 (PFX) files
48                that contain the certificate’s private key.
49
50       • --certificate-store-name <STORENAME>
51
52         Specifies the name of the X.509 certificate store to  use  to  search
53         for the certificate.  Defaults to :::no-loc text=“"My"”:::, the X.509
54         certificate store for personal certificates.  This option  should  be
55         used  when  specifying the certificate via --certificate-subject-name
56         or --certificate-fingerprint options.
57
58       • --certificate-store-location <STORELOCATION>
59
60         Specifies the name of the X.509 certificate store use to  search  for
61         the  certificate.  Defaults to :::no-loc text=“"CurrentUser"”:::, the
62         X.509 certificate store used by the current user.  This option should
63         be  used  when  specifying the certificate via --certificate-subject-
64         name or --certificate-fingerprint options.
65
66       • --certificate-subject-name <SUBJECTNAME>
67
68         Specifies the subject name of the certificate used to search a  local
69         certificate store for the certificate.  The search is a case-insensi‐
70         tive string comparison using the supplied value, which will find  all
71         certificates with the subject name containing that string, regardless
72         of other subject values.  The certificate store can be  specified  by
73         --certificate-store-name and --certificate-store-location options.
74
75                [!NOTE]  This option currently supports only a single matching
76                certificate in the result.  If  there  are  multiple  matching
77                certificates  in the result, or no matching certificate in the
78                result, the sign command will fail.
79
80       • --certificate-fingerprint <FINGERPRINT>
81
82         SHA-1 fingerprint of the certificate used to search a local  certifi‐
83         cate store for the certificate.
84
85       • --certificate-password <PASSWORD>
86
87         Specifies  the  certificate password, if needed.  If a certificate is
88         password protected but no password is provided, the sign command will
89         fail.
90
91                [!NOTE]  The  sign command only supports non-interactive mode.
92                There won’t be any prompt for a password at run time.
93
94       • --hash-algorithm <HASHALGORITHM>
95
96         Hash algorithm to be used to sign the package.  Defaults  to  SHA256.
97         Possible values are SHA256, SHA384, and SHA512.
98
99       • -o|--output
100
101         Specifies the directory where the signed package should be saved.  If
102         this option is not specified, by  default  the  original  package  is
103         overwritten by the signed package.
104
105       • --overwrite
106
107         Indicate  that  the  current signature should be overwritten.  By de‐
108         fault the command will fail if the package already has a signature.
109
110       • --timestamp-hash-algorithm <HASHALGORITHM>
111
112         Hash algorithm to be used by the RFC 3161 timestamp server.  Defaults
113         to SHA256.
114
115       • --timestamper <TIMESTAMPINGSERVER>
116
117         URL to an RFC 3161 timestamping server.
118
119       • -v|--verbosity <LEVEL>
120
121         Sets the verbosity level of the command.  Allowed values are q[uiet],
122         m[inimal], n[ormal], d[etailed], and diag[nostic].   The  default  is
123         minimal.   For  more  information,  see  <xref:Microsoft.Build.Frame‐
124         work.LoggerVerbosity>.
125
126       • -?|-h|--help
127
128         Prints out a description of how to use the command.
129

EXAMPLES

131       • Sign foo.nupkg with certificate cert.pfx (not password protected):
132
133                dotnet nuget sign foo.nupkg --certificate-path cert.pfx
134
135       • Sign foo.nupkg with certificate cert.pfx (password protected):
136
137                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password
138
139       • Sign foo.nupkg with certificate (password protected) matches with the
140         specified SHA-1 fingerprint in the default certificate store (Curren‐
141         tUser):
142
143                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password
144
145       • Sign foo.nupkg with certificate (password protected) matches with the
146         specified  subject name :::no-loc text=“"Test certificate for testing
147         signing"”::: in the default certificate store (CurrentUser):
148
149                dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password
150
151       • Sign foo.nupkg with certificate (password protected) matches with the
152         specified SHA-1 fingerprint in the certificate store CurrentUser:
153
154                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root
155
156       • Sign  multiple NuGet packages - foo.nupkg and all .nupkg files in the
157         directory specified with certificate cert.pfx (not password  protect‐
158         ed):
159
160                dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx
161
162       • Sign  foo.nupkg  with  certificate cert.pfx (password protected), and
163         timestamp with http://timestamp.test:
164
165                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test
166
167       • Sign foo.nupkg with certificate cert.pfx (not password protected) and
168         save the signed package under specified directory:
169
170                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\
171
172       • Sign foo.nupkg with certificate cert.pfx (not password protected) and
173         overwrite the current signature if the package is already signed:
174
175                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite
176
177
178
179                                                                           (1)