nusign 1.0.0

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet tool install --global nusign --version 1.0.0
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest
                    


                            if you are setting up this repo
                        

                    

                
dotnet tool install --local nusign --version 1.0.0
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=nusign&version=1.0.0
                    


                    

                
nuke :add-package nusign --version 1.0.0

nuget-signing-certs

nuget-signing-certs provides:

  1. A .NET library for NuGet signing certificate generation/validation workflows.
  2. A CLI (nusign) for signing and verifying already-packed NuGet artifacts (.nupkg + .snupkg).

Why this exists

This project is intentionally separate from ed25519.cs:

  • ed25519.cs remains focused on Ed25519 signatures and related key/CSR helpers.
  • nuget-signing-certs focuses on NuGet package-signing workflows that currently require RSA/X.509 code-signing profiles.

Library features

  • Generate self-signed RSA code-signing certificates with secure defaults.
  • Export and import PKCS#12 (.pfx) certificate bundles.
  • Validate certificate profile readiness for NuGet signing requirements:
    • RSA key algorithm and minimum key size.
    • Key Usage (digitalSignature).
    • Extended Key Usage containing codeSigning (1.3.6.1.5.5.7.3.3).
    • Certificate validity window checks.

Library quick start

using Dexcompiler.NuGetSigningCertificates;

var cert = CodeSigningCertificateGenerator.CreateSelfSignedCertificate(
    new CodeSigningCertificateRequest
    {
        SubjectName = "CN=My NuGet Signing Cert",
        KeySizeInBits = 3072
    });

var validation = NuGetSigningCertificateValidator.Validate(cert);
if (!validation.IsValid)
{
    throw new InvalidOperationException(string.Join(Environment.NewLine, validation.Issues.Select(i => i.Message)));
}

byte[] pfx = Pkcs12CertificateStore.Export(cert, "strong-password");

CLI quick start (nusign)

Install as a .NET global tool:

dotnet tool install -g nusign

Then run directly from your shell:

nusign --help

Generate local/dev signing certificate PFX:

nusign generate-dev-cert \
  --output-pfx ./artifacts/dev-signing.pfx \
  --password "<strong-password>" \
  --subject "CN=My NuGet Dev Signing Cert"

Sign packages from another already-packed project:

export NUGET_SIGN_CERT_PASSWORD=<strong-password>
nusign sign \
  --input ../other-project/artifacts \
  --pfx-path ./artifacts/dev-signing.pfx \
  --timestamp-url https://timestamp.digicert.com \
  --overwrite

Verify signatures:

nusign verify --input ../other-project/artifacts

For machine-readable output in CI, add --json to sign, verify, or generate-dev-cert.

Suggested flow for external package signing

  1. Generate or load a signing certificate (.pfx).
  2. Sign the target project output artifacts (.nupkg and .snupkg) with CLI sign.
  3. Run CLI verify to confirm signatures.
  4. Publish signed packages.
Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
1.0.1 125 4/10/2026
1.0.0 104 4/9/2026