Skip to content

codeSigning.md

Latest commit

 

History

History
51 lines (35 loc) · 2.78 KB

codeSigning.md

File metadata and controls

51 lines (35 loc) · 2.78 KB

AUthenticode Signing Certificates

Below is a list of the Authenticode Signing certifcates I have used to sign nupkgs, .NET assemblies and executables.

Signing Certificates

Valid From Valid To SHA256 Thumbprint SHA1 Thumbprint
2025-07-25 2026-10-23 40B774C2F613665D25488A568EA06F853054DEE79F1782E7DB5CD7FAEF3F6192 A75A98B54008714D7B76C253C80C23C52E02266E
2024-10-16 2025-10-23 46CC5E52519EC1176A255B2B61851A084166853ADB620AACC7FA29CC660C6221 A64124F02C1066A788445A876CD2B6EA60B9DC39
2023-09-24 2024-10-23 FF6EDE06A9E7182F82A39199D92A7FAC83E9B40E6D1BD7647BEBF97BB8AFE2A6 68C48F83ADFF99A573281DDAB2F5B0DF095DF118
2022-07-18 2023-10-18 A236316AF1EA63A8F0668A587238741449ABC6D7491AE33291102DDCF0BB79FA 15BD9666FF17260B0F65831765A1919B6BEBF8BF
2021-10-12 2022-10-15 FD05FB98368742D5415D0D9ACD3EEF2123F6C8271E0429426351BC7FB27B3AF3 D181F9CB03B8499A5B243941B7F80C972D3ED5BC
2019-09-24 2020-09-29 841FD34A7A26AF8D6F14F996C0F56EAD70EBFE65BF7ECC9AF3CB26D394F6B95F CD2BD802254E45B37CB281229DF4DF5F7A0BD4B4
2018-02-10 2019-10-08 8263D3A7932B86087290A6F916E4E8BF773B29154285EFFC00A097F400006793 46FEDE9825EF9446A6DFD3E4776A2F332432A3F9

Verification

Validating .NET assemblies and Windows executables

To validate the signature of a file run the following command and compare the SignerCertificate with the SHA1 Thumbprint column in above table to ensure it is signed with a valid certificate.

Get-AuthenticodeSignature [-FilePath]

Validating nupkg author signatures

To validate the signature of a nupkg run the following command on Windows or Linux with a .NET SDK installed to validate the signature of a file. Compare the SHA256 hash under Signature Type: Author with the SHA256 Thumbprint column in above table to ensure it is signed with a valid certificate.

dotnet nuget verify [<package-path(s)>]

Pre-release Publisher Verification

Pre-release builds hosted on MyGet are signed with Azure Artifact Signing, which uses a short-lived certificate. You can verify that the certificate is issued to "CN=Barry Dorrans, O=Barry Dorrans, L=Bothell, S=Washington, C=US", with a root CA of "CN=Microsoft Identity Verification Root Certificate Authority 2020"

To view the full certificate chain in dotnet nuget verify use the -v detailed option;

dotnet nuget verify [<package-path(s)>] -v detailed

More Information