Library and web project that can sign NuGet packages, for example triggered by MyGet Webhooks. Read my blog post for more information.
The project makes use of the excellent work by Werner van Deventer described in his blog post ".NET Assembly Strong-Name Signer".
NuGet: https://www.nuget.org/packages/Signature.Core
The Signature.Core comes with a class (PackageSigner) that can sign a NuGet package. Here's an example:
PackageSigner signer = new PackageSigner();
signer.SignPackage("MyPackage.1.0.0.nupkg", "MyPackage.Signed.1.0.0.nupkg", "SampleKey.pfx", "password", "MyPackage.Signed");
Note: While the PackageSigner does not require a PFX file to be specified, it is recommended to use one. NuGet will get very confused for packages with the same id but different versions if the signature uses a different key.
A nice use case for this repository is automatically signing unsigned NuGet packages that are pushed to a MyGet feed.
First of all, deploy NuGet Signature to a web server, for example Microsoft Azure Websites. Then, configure the application using the management dashboard. The following settings must be provided:
Signature:KeyFile- path to the PFX file to use when signingSignature:KeyFilePassword- private key/password for using the PFX fileSignature:PackageIdSuffix- suffix for signed package id's. Can be empty or something like.SignedSignature:NuGetFeedUrl- NuGet feed to push signed packages toSignature:NuGetFeedApiKey- API key for pushing packages to the above feed
The configuration in the Microsoft Azure Management Dashboard could look like the following:
For the MyGet feed you wish to sign packages, configure a new HTTP Post webhook. The following options must be configured:
- URL to POST JSON data to - URL to the deployed NuGet Signature API, for example
http://signpackage.azurewebsites.net/api/sign(do not forget the/api/sign) - Content type - set to
application/json - Events that trigger this web hook - make sure that only
Package Addedis selected
From now on, all packages that are added to your feed will be signed when the webhook is triggered. To sign existing packages, you'll have to use the library itself.