(1)                              .NET                              (1)

This article applies to: ✔️ .NET 6.0 Preview 5 SDK and later versions

dotnet nuget sign - Signs all the NuGet packages matching the first
argument with a certificate.

dotnet nuget sign [<package-path(s)>]
    [--certificate-path <PATH>]
    [--certificate-store-name <STORENAME>]
    [--certificate-store-location <STORELOCATION>]
    [--certificate-subject-name <SUBJECTNAME>]
    [--certificate-fingerprint <FINGERPRINT>]
    [--certificate-password <PASSWORD>]
    [--hash-algorithm <HASHALGORITHM>]
    [-o|--output <OUTPUT DIRECTORY>]
    [--overwrite]
    [--timestamp-hash-algorithm <HASHALGORITHM>]
    [--timestamper <TIMESTAMPINGSERVER>]
    [-v|--verbosity <LEVEL>]

dotnet nuget sign -h|--help

The dotnet nuget sign command signs all the packages matching the first
argument with a certificate. The certificate with the private key can
be obtained from a file or from a certificate installed in a
certificate store by providing a subject name or a SHA-1 fingerprint.

Arguments

• package-path(s)

  Specifies the file path to the package(s) to be signed. Multiple
  arguments can be passed in to sign multiple packages.

• --certificate-path <PATH>

  Specifies the file path to the certificate to be used in signing the
  package.

  Note: This option currently supports only PKCS12 (PFX) files that
  contain the certificate's private key.

• --certificate-store-name <STORENAME>

  Specifies the name of the X.509 certificate store to use to search
  for the certificate. Defaults to "My", the X.509 certificate store
  for personal certificates. This option should be used when specifying
  the certificate via the --certificate-subject-name or
  --certificate-fingerprint options.

• --certificate-store-location <STORELOCATION>

  Specifies the name of the X.509 certificate store to use to search
  for the certificate. Defaults to "CurrentUser", the X.509 certificate
  store used by the current user. This option should be used when
  specifying the certificate via the --certificate-subject-name or
  --certificate-fingerprint options.

• --certificate-subject-name <SUBJECTNAME>

  Specifies the subject name of the certificate used to search a local
  certificate store for the certificate. The search is a
  case-insensitive string comparison using the supplied value, which
  will find all certificates with the subject name containing that
  string, regardless of other subject values. The certificate store can
  be specified by the --certificate-store-name and
  --certificate-store-location options.

  Note: This option currently supports only a single matching
  certificate in the result. If there are multiple matching
  certificates in the result, or no matching certificate in the result,
  the sign command will fail.

• --certificate-fingerprint <FINGERPRINT>

  SHA-1 fingerprint of the certificate used to search a local
  certificate store for the certificate.

• --certificate-password <PASSWORD>

  Specifies the certificate password, if needed. If a certificate is
  password protected but no password is provided, the sign command will
  fail.

  Note: The sign command only supports non-interactive mode. There
  won't be any prompt for a password at run time.

• --hash-algorithm <HASHALGORITHM>

  Hash algorithm to be used to sign the package. Defaults to SHA256.
  Possible values are SHA256, SHA384, and SHA512.

• -o|--output

  Specifies the directory where the signed package should be saved. If
  this option is not specified, by default the original package is
  overwritten by the signed package.

• --overwrite

  Indicates that the current signature should be overwritten. By
  default the command will fail if the package already has a signature.

• --timestamp-hash-algorithm <HASHALGORITHM>

  Hash algorithm to be used by the RFC 3161 timestamp server. Defaults
  to SHA256.

• --timestamper <TIMESTAMPINGSERVER>

  URL to an RFC 3161 timestamping server.

• -v|--verbosity <LEVEL>

  Sets the verbosity level of the command. Allowed values are q[uiet],
  m[inimal], n[ormal], d[etailed], and diag[nostic]. The default is
  minimal. For more information, see
  Microsoft.Build.Framework.LoggerVerbosity.

• -?|-h|--help

  Prints out a description of how to use the command.

• Sign foo.nupkg with certificate cert.pfx (not password protected):

    dotnet nuget sign foo.nupkg --certificate-path cert.pfx

• Sign foo.nupkg with certificate cert.pfx (password protected):

    dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password

• Sign foo.nupkg with the certificate (password protected) that matches
  the specified SHA-1 fingerprint in the default certificate store
  (CurrentUser):

    dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password

• Sign foo.nupkg with the certificate (password protected) that matches
  the specified subject name "Test certificate for testing signing" in
  the default certificate store (CurrentUser):

    dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password

• Sign foo.nupkg with the certificate (password protected) that matches
  the specified SHA-1 fingerprint in the Root certificate store of the
  CurrentUser location:

    dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root

• Sign multiple NuGet packages - foo.nupkg and all .nupkg files in the
  directory specified with certificate cert.pfx (not password
  protected):

    dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx

• Sign foo.nupkg with certificate cert.pfx (password protected), and
  timestamp with http://timestamp.test:

    dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test

• Sign foo.nupkg with certificate cert.pfx (not password protected) and
  save the signed package under specified directory:

    dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\

• Sign foo.nupkg with certificate cert.pfx (not password protected) and
  overwrite the current signature if the package is already signed:

    dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite
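
The options above combined into one non-interactive release step, as an added example that is not part of the NuGet documentation: it selects the certificate by SHA-1 fingerprint (an exact match, unlike the substring match of --certificate-subject-name), timestamps, and writes signed copies to a separate directory. The function names and the NUGET_TIMESTAMPER and NUGET_CERT_PASSWORD variables are assumptions, and `dotnet nuget verify` is a separate command not described on this page.

```shell
#!/bin/sh
# Added example, not from the NuGet documentation. Function names and the
# NUGET_TIMESTAMPER / NUGET_CERT_PASSWORD variables are assumptions.

# Normalise a SHA-1 fingerprint: drop spaces, colons and tabs, upper-case it,
# and reject anything that is not exactly 40 hex digits.
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' :\t' | tr 'a-f' 'A-F')
    case "$fp" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# sign_release IN_DIR OUT_DIR FINGERPRINT
# Signs every .nupkg in IN_DIR into OUT_DIR; the unsigned originals are kept.
sign_release() {
    in_dir=$1; out_dir=$2
    fp=$(normalize_fingerprint "$3") || { echo "invalid SHA-1 fingerprint" >&2; return 2; }
    [ -n "${NUGET_TIMESTAMPER:-}" ] || { echo "NUGET_TIMESTAMPER is not set" >&2; return 2; }

    set -- "$in_dir"/*.nupkg
    [ -e "$1" ] || { echo "no .nupkg files in $in_dir" >&2; return 3; }

    set -- nuget sign "$@" \
        --certificate-fingerprint "$fp" \
        --certificate-store-name My \
        --certificate-store-location CurrentUser \
        --hash-algorithm SHA256 \
        --timestamper "$NUGET_TIMESTAMPER" \
        --timestamp-hash-algorithm SHA256 \
        --output "$out_dir"
    # sign never prompts, so a protected key needs the password up front.
    # Command-line arguments are visible to other local processes.
    if [ -n "${NUGET_CERT_PASSWORD:-}" ]; then
        set -- "$@" --certificate-password "$NUGET_CERT_PASSWORD"
    fi
    dotnet "$@" || return 1

    # Check the signatures on the signed copies before publishing them.
    dotnet nuget verify "$out_dir"/*.nupkg
}

# Run directly as: script IN_DIR OUT_DIR FINGERPRINT
if [ "$#" -eq 3 ]; then sign_release "$@"; fi
```
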