NuGet Verify Command
Status: Review
Task for Specing and Task for execution
Signed packages help establish the authenticity and integrity of a package when it is consumed by NuGet users. Currently there is no way to verify that the signature in a package is valid.
All NuGet package authors.
Part of the larger package signing effort.
We will add a first-level command to NuGet.exe that allows package authors and package sources to verify signed NuGet packages.
```
usage: NuGet verify <package_path> [options]

Verifies a NuGet package.

argument:
    package_path                    Path to the package(s) that needs to be verified.

options:
    -Verbosity <level>              Specifies the level of detail displayed in the output: normal, quiet, detailed
    -Signer <cert_fingerprint> …    Verify that the signer certificate matches with one of the specified fingerprints.
                                    A certificate fingerprint is a SHA-1 hash of the certificate used to identify the certificate.
```
The verify command returns one of the following exit codes when it terminates.
Exit code | Description |
---|---|
0 | Execution was successful. |
1 | Execution has failed. |
The errors and warnings will be displayed on the console.
- If the package passed to the command is unsigned, the command should fail.
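A CI gate built on the contract above (the `-Signer` allow-list and the 0/1 exit codes), as an added example that is not part of the NuGet spec or code base. `gate`, `build_verify_args`, `normalize_fingerprint`, the injectable `run` parameter and the sample values are hypothetical; passing several fingerprints as separate arguments after `-Signer` is an assumption about the `…` in the usage text.

```python
import re
import subprocess

SHA1_HEX = re.compile(r"[0-9A-F]{40}")  # SHA-1 digest = 20 bytes = 40 hex digits

def normalize_fingerprint(raw):
    """Drop space/colon separators and upper-case; reject anything not SHA-1 sized."""
    fp = re.sub(r"[\s:]", "", raw).upper()
    if not SHA1_HEX.fullmatch(fp):
        raise ValueError(f"not a SHA-1 certificate fingerprint: {raw!r}")
    return fp

def build_verify_args(package_path, fingerprints, nuget="NuGet.exe"):
    """argv for `NuGet verify <package_path> -Signer <cert_fingerprint> ...`."""
    if not fingerprints:
        # Policy of this example, not of the spec: never gate without pinned signers.
        raise ValueError("signer allow-list is empty")
    # Assumption: the `…` in the usage text means the fingerprints follow -Signer
    # as separate arguments.
    return [nuget, "verify", package_path, "-Signer",
            *(normalize_fingerprint(f) for f in fingerprints)]

def gate(packages, fingerprints, run=subprocess.call):
    """Return the packages that did not verify; only exit code 0 counts as success."""
    failed = []
    for pkg in packages:
        try:
            code = run(build_verify_args(pkg, fingerprints))
        except OSError:  # NuGet.exe missing or not executable: fail closed
            code = 1
        if code != 0:
            failed.append(pkg)
    return failed

if __name__ == "__main__":
    # Constructed fingerprint and package names; the stub stands in for NuGet.exe.
    allow = ["01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"]
    stub = lambda argv: 0 if argv[2] == "signed.nupkg" else 1
    print(gate(["signed.nupkg", "unsigned.nupkg"], allow, run=stub))
```

A malformed fingerprint raises `ValueError` before any package is checked, so a typo in the allow-list stops the build instead of being passed through to the command.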
In future we would like to add support for the following platforms:

- Dotnet CLI: `dotnet nuget verify <package_path> [Options]`
- MSBuild target: `msbuild /t:verifypackage <package_path> [Options]`
Please use the tracking issue to provide feedback or any questions that you might have. Thanks!
Check out the proposals in the accepted & proposed folders on the repository, and active PRs for proposals being discussed today.