How to implement package signing

  • For every signed package that is going to be used (and for each of its dependencies), add its author, with the SHA256 fingerprint of the signing certificate, and its source to nuget.config.
  • To find the fingerprint, download nuget.exe from here
  • On the command line run "nuget.exe verify -Signatures" followed by the package name, for example "nuget.exe verify -Signatures BlankProcess5.1.0.4.nupkg"; the output shows the SHA256 fingerprint of the signing certificate. If the package was signed by you, the same value should also be present in the author entry under the trustedSigners node of nuget.config.
  • If the package comes from a Microsoft or nuget.org source (or any other repository), that repository must also be added as a trusted signer with its fingerprint.
  • The difficulty lies in choosing only packages and dependencies that are signed: whatever the source, any unsigned dependency will cause the package installation to fail. If an error like "Failed to install package..... This package is signed but not by a trusted signer" appears, verify the package as shown above and add the signer to nuget.config with its SHA256 fingerprint.
  • After adding all sources and authors, restart the Robot service.
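The steps above can be scripted: read the fingerprint out of the verify output and write it into the trustedSigners section of nuget.config, once, without duplicating entries. The script below is an added example, not code from the original post, from NuGet or from UiPath. Its sample verify output and starting nuget.config are constructed; the verify layout ("Subject Name:" / "SHA256 hash:" lines) is an approximation of what nuget.exe prints, while the elements it writes (trustedSigners, author, repository, certificate, owners, with the fingerprint, hashAlgorithm and allowUntrustedRoot attributes) follow NuGet's configuration schema. The package name BlankProcess and the example fingerprints are placeholders.

```python
"""Turn `nuget.exe verify -Signatures` output into trustedSigners entries in nuget.config.

Added example for the procedure above; not code from the original post, NuGet or UiPath.
The verify output and starting nuget.config below are constructed samples; the verify
layout is approximated ("Subject Name:" and "SHA256 hash:" lines), the nuget.config
element and attribute names follow NuGet's configuration schema.
"""
import re
import xml.etree.ElementTree as ET

HEX64 = re.compile(r"^[0-9A-F]{64}$")

# Constructed sample approximating what `nuget.exe verify -Signatures` prints.
SAMPLE_VERIFY_OUTPUT = """\
Verifying BlankProcess5.1.0.4.nupkg
Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=Example Robot Author, O=Example Corp, C=US
  SHA1 hash: 1111111111111111111111111111111111111111
  SHA256 hash: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  Issued by: CN=Example Root CA
Successfully verified package 'BlankProcess5.1.0.4'.
"""

# Constructed starting nuget.config: a package source but no trustedSigners node yet.
SAMPLE_NUGET_CONFIG = """\
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
"""


def normalize_fingerprint(fp):
    """Upper-case, colon-free 64-hex SHA256 fingerprint; reject anything else."""
    fp = fp.strip().replace(":", "").upper()
    if not HEX64.match(fp):
        raise ValueError("not a SHA256 certificate fingerprint: %r" % fp)
    return fp


def extract_signers(verify_output):
    """Return (subject, sha256) pairs for every certificate in the verify output."""
    signers, subject = [], None
    for line in verify_output.splitlines():
        line = line.strip()
        if line.startswith("Subject Name:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256 hash:"):
            signers.append((subject, normalize_fingerprint(line.split(":", 1)[1])))
    return signers


def _serialize(root):
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def add_trusted_signer(config_xml, kind, name, fingerprint, service_index=None,
                       owners=(), allow_untrusted_root=False):
    """Add an <author> or <repository> trusted signer; adding the same fingerprint twice is a no-op.

    Shape written:
      <trustedSigners>
        <author name="..."><certificate fingerprint="..." hashAlgorithm="SHA256" allowUntrustedRoot="false" /></author>
        <repository name="..." serviceIndex="..."><certificate ... /><owners>a;b</owners></repository>
      </trustedSigners>
    """
    if kind not in ("author", "repository"):
        raise ValueError("kind must be 'author' or 'repository'")
    if kind == "repository" and not service_index:
        raise ValueError("a repository signer needs its serviceIndex URL")
    fingerprint = normalize_fingerprint(fingerprint)
    root = ET.fromstring(config_xml.encode("utf-8"))
    trusted = root.find("trustedSigners")
    if trusted is None:
        trusted = ET.SubElement(root, "trustedSigners")
    signer = next((s for s in trusted.findall(kind) if s.get("name") == name), None)
    if signer is None:
        signer = ET.SubElement(trusted, kind, name=name)
        if kind == "repository":
            signer.set("serviceIndex", service_index)
    if not any(c.get("fingerprint", "").upper() == fingerprint
               for c in signer.findall("certificate")):
        ET.SubElement(signer, "certificate", fingerprint=fingerprint,
                      hashAlgorithm="SHA256",
                      allowUntrustedRoot="true" if allow_untrusted_root else "false")
    if owners:
        owners_el = signer.find("owners")
        if owners_el is None:
            owners_el = ET.SubElement(signer, "owners")
        owners_el.text = ";".join(owners)
    return _serialize(root)


def trusted_fingerprints(config_xml):
    """Every SHA256 fingerprint nuget.config already trusts (authors and repositories)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    return {c.get("fingerprint", "").upper() for c in root.iter("certificate")}


def is_trusted(config_xml, fingerprint):
    """Would a package signed with this certificate pass the trustedSigners check?"""
    return normalize_fingerprint(fingerprint) in trusted_fingerprints(config_xml)


if __name__ == "__main__":
    cfg = SAMPLE_NUGET_CONFIG
    for subject, fp in extract_signers(SAMPLE_VERIFY_OUTPUT):
        print("trusting %s (%s)" % (subject, fp))
        cfg = add_trusted_signer(cfg, "author", "BlankProcess", fp)
    print(cfg)
```

When the "signed but not by a trusted signer" error shows up, run is_trusted against the live nuget.config with the fingerprint from the verify output: a False result confirms the signer is simply missing (add it with add_trusted_signer), while True points elsewhere, for example at a dependency signed by a different certificate or at a Robot service that has not been restarted since the file changed. Repository signers need the serviceIndex URL of the feed, which is why the function refuses to write one without it.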
