NuGet

NuGet is a Command Line Interface (CLI) that provides functionality to install, create, publish, and manage packages without making any changes to project files.

Sign with NuGet

Use NuGet to sign .nupkg files.

Download NuGet

  1. Download nuget.exe from NuGet Gallery | Downloads.
  2. Move nuget.exe to your preferred file path.

Set PATH environment variable (Optional)

Operating systems use the environment variable PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

You can set the PATH environment variable to the folder that contains nuget.exe using the command line or environment variables.

To set the path to your signing tools via command line:

set PATH=%path%;<path to signing tool folder>

Command sample:

set PATH=%path%;C:\Program Files (x86)\

To set the path to your signing tools for your system or account:
  1. Search for environment variables in the Windows start menu.
  2. Select Edit environment variables for your account or system environment variables.
  3. Double-click on the Path variable.
  4. Click New.
  5. Select Browse.
  6. Select the path to the signing tool. Example: C:\Program Files (x86)\Nuget
  7. To save the path, click OK.
  8. To close the dialog box, click OK.

Sign Windows packages with NuGet using AppViewX CSP

NuGet is a package manager for .NET development that allows you to publish, share, and consume reusable code packages. NuGet is used to sign packages to provide an additional layer of trust and security when distributing software libraries and components. Most importantly, NuGet maintains a reference list of packages used in a project and the ability to restore and update those packages from that list.

Prerequisites:
  1. Run the AppViewX SIGN+ Installer to install the prerequisites to use the AppViewX CSP.
  2. Install nuget.exe.

Install sample NuGet package

The following command creates a directory with the name HelloWorld:

nuget install HelloWorld

By default, all packages installed from the NuGet package manager are signed by the repository. You can verify the package.

Verify a NuGet Package

nuget verify -All HelloWorld.1.3.0.17\*

Sign a NuGet Package

To sign using a certificate fingerprint:

nuget sign <package folder> -Timestamper http://timestamp.digicert.com -outputdirectory <output folder> -CertificateFingerprint <SHA1 Thumbprint> -HashAlgorithm SHA256 -Verbosity detailed -Overwrite

The timestamping URL, certificate fingerprint, and hash algorithm are auto-generated in the README after running the SIGN+ Installer.

Command sample:

nuget sign HelloWorld.1.3.0.17\* -Timestamper http://timestamp.digicert.com -outputdirectory ..\am-HelloWorld.1.3.0.17 -CertificateFingerprint 4610fdca3ed589qde10235ce687ea1g02043e439 -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
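
The sign and verify steps above, combined into one PowerShell script with a certificate pre-check. This is an added example, not part of the original documentation or of AppViewX tooling. It assumes the signing certificate is visible in Cert:\CurrentUser\My and that nuget.exe is on PATH; the parameter names are illustrative, and the Code Signing EKU check is this script's own policy.

```powershell
# Added example. Assumptions: the signing certificate is visible in
# Cert:\CurrentUser\My and nuget.exe is on PATH. You supply all parameter values.
param(
    [Parameter(Mandatory)] [string] $PackagePath,      # e.g. HelloWorld.1.3.0.17\*
    [Parameter(Mandatory)] [string] $OutputDirectory,  # e.g. ..\am-HelloWorld.1.3.0.17
    [Parameter(Mandatory)] [string] $Thumbprint,       # SHA1 thumbprint from the SIGN+ README
    [string] $Timestamper = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'

# Thumbprints pasted from the certificate dialog often carry spaces or an invisible
# left-to-right mark (U+200E). Strip those, then require exactly 40 hex characters.
$fp = ($Thumbprint -replace '[\s\u200E]', '').ToUpperInvariant()
if ($fp -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hexadecimal characters, got '$Thumbprint'."
}

# Confirm the certificate exists, is inside its validity period, and lists the
# Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) before asking nuget to use it.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $fp }
if (-not $cert) { throw "No certificate with thumbprint $fp in Cert:\CurrentUser\My." }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') {
    throw "Certificate $fp does not list the Code Signing enhanced key usage."
}

# Sign with the same options as the command sample above.
& nuget sign $PackagePath -Timestamper $Timestamper -OutputDirectory $OutputDirectory `
    -CertificateFingerprint $fp -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
if ($LASTEXITCODE -ne 0) { throw "nuget sign failed (exit code $LASTEXITCODE)." }

# Verify the signed copies in the output folder, not the originals, so a package
# that was skipped or left unsigned is caught.
& nuget verify -All (Join-Path $OutputDirectory '*.nupkg')
if ($LASTEXITCODE -ne 0) { throw "nuget verify failed (exit code $LASTEXITCODE)." }
Write-Host "Signed and verified packages in $OutputDirectory"
```

Checking the exit code after each nuget call stops a build pipeline from publishing packages whose signing or verification step failed.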