From ccd1e1048ca4fd10494bfed49e4ea28f86843539 Mon Sep 17 00:00:00 2001 From: edoardo-kolver <88052315+edoardo-kolver@users.noreply.github.com> Date: Thu, 4 Apr 2024 15:42:20 -0700 Subject: [PATCH 1/3] clarified instructions for certificates stored in hardware The documentation says to export the certificate, but this introduces errors when the certificate is stored in a hardware token. You just need to specify the certificate fingerprint, no need to export. See issue https://github.com/dotnet/runtime/issues/100414 --- docs/create-packages/Sign-a-Package.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/create-packages/Sign-a-Package.md b/docs/create-packages/Sign-a-Package.md index fffc365a1..981527989 100644 --- a/docs/create-packages/Sign-a-Package.md +++ b/docs/create-packages/Sign-a-Package.md @@ -28,6 +28,8 @@ You can use self-issued certificates for testing purposes. However, packages sig ## Export the certificate file +* If your certificate is stored in a hardware token, you don't need to export the certificate. Instead, specify the SHA-1 certificate fingerprint (thumbprint) by using the option `--certificate-fingerprint ` (replacing `--certificate-path `) + * You can export an existing certificate to a binary DER format by using the Certificate Export Wizard. ![Certificate Export Wizard](../reference/media/CertificateExportWizard.png) From 9619cecd61a456b5fa599d5b6947933b2ececde6 Mon Sep 17 00:00:00 2001 From: edoardo-kolver <88052315+edoardo-kolver@users.noreply.github.com> Date: Fri, 5 Apr 2024 18:50:22 -0700 Subject: [PATCH 2/3] Update docs/create-packages/Sign-a-Package.md better phrasing Co-authored-by: Theodore Tsirpanis --- docs/create-packages/Sign-a-Package.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/create-packages/Sign-a-Package.md b/docs/create-packages/Sign-a-Package.md index 981527989..02dc78135 100644 --- a/docs/create-packages/Sign-a-Package.md +++ b/docs/create-packages/Sign-a-Package.md 
@@ -28,7 +28,7 @@ You can use self-issued certificates for testing purposes. However, packages sig ## Export the certificate file -* If your certificate is stored in a hardware token, you don't need to export the certificate. Instead, specify the SHA-1 certificate fingerprint (thumbprint) by using the option `--certificate-fingerprint ` (replacing `--certificate-path `) +* If your certificate is stored in a hardware token, you should not export the certificate. Instead, specify the SHA-1 certificate fingerprint (thumbprint) by using the option `--certificate-fingerprint ` (replacing `--certificate-path `) * You can export an existing certificate to a binary DER format by using the Certificate Export Wizard. From 027ee1ddfd2484f2f7f07ba8c41a78b79337bc29 Mon Sep 17 00:00:00 2001 From: edoardo-kolver <88052315+edoardo-kolver@users.noreply.github.com> Date: Wed, 12 Nov 2025 16:37:53 -0800 Subject: [PATCH 3/3] Update docs/create-packages/Sign-a-Package.md Starting with .NET 9 and NuGet.exe 6.12, NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is considered insecure and should no longer be used. This warning is promoted to an error in the .NET 10 SDK, and will be promoted to an error in NuGet.exe around .NET 10's release. Co-authored-by: Kartheek Penagamuri <52756182+kartheekp-ms@users.noreply.github.com> --- docs/create-packages/Sign-a-Package.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/create-packages/Sign-a-Package.md b/docs/create-packages/Sign-a-Package.md index 02dc78135..e50f8d0bb 100644 --- a/docs/create-packages/Sign-a-Package.md +++ b/docs/create-packages/Sign-a-Package.md 
@@ -28,7 +28,7 @@ You can use self-issued certificates for testing purposes. However, packages sig ## Export the certificate file -* If your certificate is stored in a hardware token, you should not export the certificate. Instead, specify the SHA-1 certificate fingerprint (thumbprint) by using the option `--certificate-fingerprint ` (replacing `--certificate-path `) +* If your certificate is stored in a hardware token, you should not export the certificate. Instead, specify the SHA-2 family certificate fingerprints (thumbprint) by using the option `--certificate-fingerprint ` (replacing `--certificate-path `) * You can export an existing certificate to a binary DER format by using the Certificate Export Wizard.
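Review bot: in [PATCH 1/3] the added bullet sits directly under the "## Export the certificate file" heading but tells the reader not to export anything, so someone scanning by heading will not look for it there. Consider moving it above the heading as a short note, or giving it its own subsection for hardware-token certificates. The bullet also never names the command that takes `--certificate-fingerprint`, the option is shown without a value placeholder after it (same for `--certificate-path`), and the sentence has no closing period.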
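Review bot: in [PATCH 2/3] the rewording from "you don't need to export" to "you should not export" turns an optional step into a prohibition without saying why. The first commit message already gives the reason (exporting "introduces errors when the certificate is stored in a hardware token"); put that in the bullet so the reader understands the instruction is about a signing failure and not a style preference. The line still ends without a period after the closing parenthesis.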
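Review bot: in [PATCH 3/3] "SHA-2 family certificate fingerprints (thumbprint)" is vague and mixes plural with singular: the reader is not told which hash algorithms the option accepts, and "fingerprints" does not agree with "(thumbprint)" or with a single `--certificate-fingerprint` option. Name the accepted algorithms explicitly and use the singular. The commit message explains that a SHA-1 fingerprint raises NU3043 starting with .NET 9 and NuGet.exe 6.12 and becomes an error in the .NET 10 SDK, but none of that reaches the document; a one-line mention of NU3043 would help readers following older instructions who hit the warning, and a pointer on how to obtain the non-SHA-1 fingerprint of their certificate would make the bullet actionable.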