dotnet-nuget-sign(1)          .NET Documentation          dotnet-nuget-sign(1)

dotnet nuget sign

       This article applies to: ✔️ .NET 6 SDK and later versions

NAME

       dotnet-nuget-sign - Signs all the NuGet packages matching the first
       argument with a certificate.

SYNOPSIS

              dotnet nuget sign [<package-path(s)>]
                  [--certificate-path <PATH>]
                  [--certificate-store-name <STORENAME>]
                  [--certificate-store-location <STORELOCATION>]
                  [--certificate-subject-name <SUBJECTNAME>]
                  [--certificate-fingerprint <FINGERPRINT>]
                  [--certificate-password <PASSWORD>]
                  [--hash-algorithm <HASHALGORITHM>]
                  [-o|--output <OUTPUT DIRECTORY>]
                  [--overwrite]
                  [--timestamp-hash-algorithm <HASHALGORITHM>]
                  [--timestamper <TIMESTAMPINGSERVER>]
                  [-v|--verbosity <LEVEL>]

              dotnet nuget sign -h|--help

DESCRIPTION

       The dotnet nuget sign command signs all the packages matching the first
       argument with a certificate. The certificate with the private key can
       be obtained from a file or from a certificate installed in a
       certificate store by providing a subject name or a SHA-1 fingerprint.

              This command requires a certificate root store that’s valid for
              both code signing and timestamping. For more information, see
              NuGet signed package verification.

ARGUMENTS

       package-path(s)

         Specifies the file path to the package(s) to be signed. Multiple
         arguments can be passed in to sign multiple packages.

OPTIONS

       --certificate-path <PATH>

         Specifies the file path to the certificate to be used in signing the
         package.

                This option currently supports only PKCS12 (PFX) files that
                contain the certificate’s private key.

       --certificate-store-name <STORENAME>

         Specifies the name of the X.509 certificate store to use to search
         for the certificate. Defaults to "My", the X.509 certificate store
         for personal certificates. This option should be used when
         specifying the certificate via --certificate-subject-name or
         --certificate-fingerprint options.

       --certificate-store-location <STORELOCATION>

         Specifies the name of the X.509 certificate store to use to search
         for the certificate. Defaults to "CurrentUser", the X.509
         certificate store used by the current user. This option should be
         used when specifying the certificate via --certificate-subject-name
         or --certificate-fingerprint options.

       --certificate-subject-name <SUBJECTNAME>

         Specifies the subject name of the certificate used to search a local
         certificate store for the certificate. The search is a
         case-insensitive string comparison using the supplied value, which
         will find all certificates with the subject name containing that
         string, regardless of other subject values. The certificate store
         can be specified by --certificate-store-name and
         --certificate-store-location options.

                This option currently supports only a single matching
                certificate in the result. If there are multiple matching
                certificates in the result, or no matching certificate in the
                result, the sign command will fail.

       --certificate-fingerprint <FINGERPRINT>

         SHA-1 fingerprint of the certificate used to search a local
         certificate store for the certificate.

       --certificate-password <PASSWORD>

         Specifies the certificate password, if needed. If a certificate is
         password protected but no password is provided, the sign command will
         fail.

                The sign command only supports non-interactive mode. There
                won’t be any prompt for a password at run time.

       --hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used to sign the package. Defaults to SHA256.
         Possible values are SHA256, SHA384, and SHA512.

       -o|--output

         Specifies the directory where the signed package should be saved. If
         this option is not specified, by default the original package is
         overwritten by the signed package.

       --overwrite

         Indicate that the current signature should be overwritten. By
         default the command will fail if the package already has a signature.

       --timestamp-hash-algorithm <HASHALGORITHM>

         Hash algorithm to be used by the RFC 3161 timestamp server. Defaults
         to SHA256.

       --timestamper <TIMESTAMPINGSERVER>

         URL to an RFC 3161 timestamping server.

       -v|--verbosity <LEVEL>

         Sets the verbosity level of the command. Allowed values are q[uiet],
         m[inimal], n[ormal], d[etailed], and diag[nostic]. The default is
         minimal. For more information, see
         Microsoft.Build.Framework.LoggerVerbosity.

       -?|-h|--help

         Prints out a description of how to use the command.

EXAMPLES

       • Sign foo.nupkg with certificate cert.pfx (not password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected):

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches
         the specified SHA-1 fingerprint in the default certificate store
         (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches
         the specified subject name "Test certificate for testing signing" in
         the default certificate store (CurrentUser):

                dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password

       • Sign foo.nupkg with the certificate (password protected) that matches
         the specified SHA-1 fingerprint in the certificate store CurrentUser:

                dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root

       • Sign multiple NuGet packages - foo.nupkg and all .nupkg files in the
         directory specified with certificate cert.pfx (not password
         protected):

                dotnet nuget sign foo.nupkg c:\mydir\*.nupkg --certificate-path cert.pfx

       • Sign foo.nupkg with certificate cert.pfx (password protected), and
         timestamp with http://timestamp.test:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password --timestamper http://timestamp.test

       • Sign foo.nupkg with certificate cert.pfx (not password protected) and
         save the signed package under specified directory:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --output c:\signed\

       • Sign foo.nupkg with certificate cert.pfx (not password protected) and
         overwrite the current signature if the package is already signed:

                dotnet nuget sign foo.nupkg --certificate-path cert.pfx --overwrite
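
       The wrapper below is an added example, not part of the .NET
       documentation. It checks the SHA-1 fingerprint and hash algorithm
       before calling dotnet nuget sign, takes the password from the
       environment because the command never prompts, and verifies the signed
       package. NUGET_SIGN_PASSWORD, TIMESTAMPER_URL, DRY_RUN and both
       function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the .NET documentation. NUGET_SIGN_PASSWORD,
# TIMESTAMPER_URL, DRY_RUN and both function names are assumptions.

# Normalise a SHA-1 fingerprint: drop spaces and colons, upper-case it,
# and require exactly 40 hexadecimal digits (20 bytes).
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF')
    case $fp in
        ''|*[!0-9ABCDEF]*) echo "fingerprint is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#fp}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 2; }
    printf '%s\n' "$fp"
}

# sign_package <package> <fingerprint> [hash-algorithm] [output-dir]
sign_package() {
    pkg=$1; hash=${3:-SHA256}; outdir=${4:-}
    fp=$(normalize_fingerprint "$2") || return 2
    case $hash in
        SHA256|SHA384|SHA512) ;;
        *) echo "unsupported hash algorithm: $hash" >&2; return 2 ;;
    esac
    # Policy of this wrapper, not of the command: always timestamp.
    [ -n "${TIMESTAMPER_URL:-}" ] || { echo "TIMESTAMPER_URL is not set" >&2; return 2; }
    set -- nuget sign "$pkg" --certificate-fingerprint "$fp" \
        --hash-algorithm "$hash" --timestamper "$TIMESTAMPER_URL"
    # With --output the unsigned original is kept; without it, it is overwritten.
    if [ -n "$outdir" ]; then set -- "$@" --output "$outdir"; fi
    if [ -n "${DRY_RUN:-}" ]; then
        # Show the command line without the secret.
        printf '%s\n' "dotnet $*${NUGET_SIGN_PASSWORD:+ --certificate-password <redacted>}"
        return 0
    fi
    # The command never prompts, so the password comes from the environment.
    # It stays out of the script and shell history but is still visible in
    # the process argument list while dotnet runs.
    if [ -n "${NUGET_SIGN_PASSWORD:-}" ]; then
        set -- "$@" --certificate-password "$NUGET_SIGN_PASSWORD"
    fi
    dotnet "$@" || return 1
    if [ -n "$outdir" ]; then pkg=$outdir/$(basename "$pkg"); fi
    dotnet nuget verify --all "$pkg"
}

# Constructed demo; the fingerprint is the one from the examples above.
( DRY_RUN=1; TIMESTAMPER_URL=http://timestamp.test
  sign_package foo.nupkg 89:96:7d:1d:d9:95:01:0b:6c:66:ae:24:ff:8e:66:88:5e:6e:03:a8 SHA384 ./signed )
```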

                                  2022-11-08              dotnet-nuget-sign(1)