sign command (NuGet CLI)
Applies to: package creation • Supported versions: 4.6+
Signs all the packages matching the first argument with a certificate. The certificate with the private key can be obtained from a file or from a certificate installed in a certificate store by providing a subject name or a thumbprint.
Note
Package signing is not yet supported in .NET Core, under Mono, or on non-Windows platforms.
Usage
nuget sign <package(s)> [options]
where <package(s)> is one or more .nupkg files.
Options
-CertificateFingerprintSpecifies the SHA-1 fingerprint of the certificate used to search a local certificate store for the certificate.
-CertificatePasswordSpecifies the certificate password, if needed. If a certificate is password protected but no password is provided, the command will prompt for a password at run time, unless the
-NonInteractiveoption is passed.-CertificatePathSpecifies the file path to the certificate to be used in signing the package.
-CertificateStoreLocationSpecifies the name of the X.509 certificate store use to search for the certificate. Defaults to "CurrentUser", the X.509 certificate store used by the current user. This option should be used when specifying the certificate via
-CertificateSubjectNameor-CertificateFingerprintoptions.-CertificateStoreNameSpecifies the name of the X.509 certificate store to use to search for the certificate. Defaults to "My", the X.509 certificate store for personal certificates. This option should be used when specifying the certificate via
-CertificateSubjectNameor-CertificateFingerprintoptions.-CertificateSubjectNameSpecifies the subject name of the certificate used to search a local certificate store for the certificate. The search is a case-insensitive string comparison using the supplied value, which will find all certificates with the subject name containing that string, regardless of other subject values. The certificate store can be specified by
-CertificateStoreNameand-CertificateStoreLocationoptions.-ConfigFileThe NuGet configuration file to apply. If not specified,
%AppData%\NuGet\NuGet.Config(Windows), or~/.nuget/NuGet/NuGet.Configor~/.config/NuGet/NuGet.Config(Mac/Linux) is used.-ForceEnglishOutputForces nuget.exe to run using an invariant, English-based culture.
-HashAlgorithmHash algorithm to be used to sign the package. Defaults to SHA256. Possible values are SHA256, SHA384, and SHA512.
-?|-helpDisplays help information for the command.
-NonInteractiveSuppresses prompts for user input or confirmations.
-OutputDirectorySpecifies the directory where the signed package should be saved. By default the original package is overwritten by the signed package.
-OverwriteSwitch to indicate if the current signature should be overwritten. By default the command will fail if the package already has a signature.
-TimestamperURL to an RFC 3161 timestamping server.
-TimestampHashAlgorithmHash algorithm to be used by the RFC 3161 timestamp server. Defaults to SHA256.
-Verbosity [normal|quiet|detailed]Specifies the amount of detail displayed in the output:
normal(the default),quiet, ordetailed.
Examples
nuget sign MyPackage.nupkg -CertificatePath .\..\certificate.pfx -Timestamper http://timestamp.test
nuget sign .\..\MyPackage.nupkg -CertificateStoreLocation CurrentUser -CertificateStoreName My -CertificateSubjectName 'subject name' -Timestamper http://timestamp.test -OutputDirectory .\..\Signed
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for