Cloudsmith now supports natively signing all NuGet packages using an X.509 certificate. This feature enables consumers to verify a package’s repository signatures in native tooling using the NuGet or .NET CLI, ensuring integrity and authenticity.
When NuGet native signing is enabled for a Cloudsmith repository:
A unique X.509 certificate is issued for that repository.
A repository signature is generated when a NuGet package is uploaded or resynced, and the signing certificate is included in the NuGet repository signature index.
Consumers can verify a package’s repository signature locally using native tooling such as the NuGet or .NET CLI, confirming that the package originated from Cloudsmith.
For repositories with NuGet native signing and NuGet upstreams configured:
Cloudsmith indexes the upstream repository’s RepositorySignature endpoint from the NuGet service index.
Upstream signatures are also passed through for verification.
Signed packages enable integrity verification, mitigating risks of content tampering. The package’s repository signatures serve as proof of origin, providing consumers a reliable way to authenticate packages before use.
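As an added example of the consumer-side verification described above (this is not Cloudsmith's own code or documentation), the POSIX shell script below pins a repository signing certificate in a nuget.config, switches NuGet into `require` signature validation mode so that any package without a trusted repository signature is rejected, and wraps the standard `dotnet nuget verify` command for checking a downloaded .nupkg. The repository name, service index URL and the 64-hex-digit fingerprint are placeholders; substitute the real values for your Cloudsmith repository.

```shell
#!/bin/sh
# Added example, not Cloudsmith's code. The repository name, service index URL
# and certificate fingerprint used by callers are assumed placeholders.

# Accept only a SHA-256 fingerprint (64 hex characters), the form NuGet expects
# in trustedSigners and in --certificate-fingerprint.
is_sha256_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{64}$'
}

# Write a nuget.config that
#   1. requires every package to carry a signature chaining to a trusted signer
#      (signatureValidationMode=require), and
#   2. trusts exactly one repository certificate, pinned by fingerprint.
# Arguments: output path, source name, v3 service index URL, SHA-256 fingerprint.
write_nuget_config() {
  out="$1"; name="$2"; index="$3"; fp="$4"
  is_sha256_fingerprint "$fp" || { echo "refusing: fingerprint is not SHA-256 hex" >&2; return 1; }
  cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <packageSources>
    <clear />
    <add key="$name" value="$index" />
  </packageSources>
  <trustedSigners>
    <repository name="$name" serviceIndex="$index">
      <certificate fingerprint="$fp" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>
EOF
}

# Verify one downloaded .nupkg against the pinned fingerprint using the .NET CLI.
# Exit status is non-zero if the repository signature is missing, invalid, or
# signed by a certificate other than the pinned one. Requires the dotnet SDK.
verify_nupkg() {
  dotnet nuget verify "$1" --certificate-fingerprint "$2" --verbosity normal
}
```

Run `write_nuget_config ./nuget.config <source-name> <service-index-url> <fingerprint>` once per consuming project, then `verify_nupkg ./package.nupkg <fingerprint>` for any package you want to check by hand before use; with `require` mode in place, `dotnet restore` applies the same trust policy automatically.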
To get started with native signing for NuGet, please see Signing NuGet Packages for more information.