[Breaking change]: dotnet nuget verify shows CRL and OCSP URLs #53524

@zivkan

Description


I was asked to follow the breaking change process, but this change only changes unstructured text output.

dotnet nuget verify will start outputting CRL and OCSP URLs for certificates used to sign nuget packages. These URLs are accessed when the package is used in a restore and the package does not already exist in NuGet's global packages directory.

It's being added to the .NET 10.0.400 SDK.

Version

.NET 10

Previous behavior

I'll show a diff in the new behavior section below

New behavior

More information is available in the pull request implementing the change:

Here's the normal verbosity diff:

X.509 certificate chain validation will use the default trust store selected by .NET for code signing.
X.509 certificate chain validation will use the default trust store selected by .NET for timestamping.

Verifying NuGet.Versioning.7.0.0
Content hash: vMEhpystjAmHzWARE09PjYMWOiGgM+f9rJYMcXGs8soz9/url4qmU9O9Y+hy22kPuqozCMoGcJt0JzKRZ1woZg==
C:\Users\zivkan\.nuget\packages\nuget.versioning\7.0.0\nuget.versioning.7.0.0.nupkg
Signature Hash Algorithm: SHA256

Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  SHA1 hash: F25C45D17C53D4E0D1DC9FB9DFD0731FCF904B77
  SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353
  Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
  Valid from: 2023-07-27 9:30:00 AM to 2026-10-18 10:29:59 AM
+  CRL URL: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
+  CRL URL: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
+  OCSP URL: http://ocsp.digicert.com
Timestamp: 2025-10-11 9:13:23 AM
Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=DigiCert SHA256 RSA4096 Timestamp Responder 2025 1, O="DigiCert, Inc.", C=US
  SHA1 hash: DD6230AC860A2D306BDA38B16879523007FB417E
  SHA256 hash: 4AA03FA22CD75C84C55C938F828E676B9CAECAB33FE36D269AA334F146110A33
  Issued by: CN=DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1, O="DigiCert, Inc.", C=US
  Valid from: 2025-06-04 9:30:00 AM to 2036-09-04 9:29:59 AM
+  CRL URL: http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
+  OCSP URL: http://ocsp.digicert.com

Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: Microsoft, nuget
Verifying the repository countersignature with certificate:
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA1 hash: C72FE7739A9EECB8EC1E4F596DB3BB74039B1DE2
  SHA256 hash: 1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D
  Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
  Valid from: 2024-02-23 10:30:00 AM to 2027-05-19 9:29:59 AM
+  CRL URL: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
+  CRL URL: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
+  OCSP URL: http://ocsp.digicert.com
Timestamp: 2025-11-12 8:22:32 AM
Verifying repository countersignature's timestamp with timestamping service certificate:
  Subject Name: CN=DigiCert SHA256 RSA4096 Timestamp Responder 2025 1, O="DigiCert, Inc.", C=US
  SHA1 hash: DD6230AC860A2D306BDA38B16879523007FB417E
  SHA256 hash: 4AA03FA22CD75C84C55C938F828E676B9CAECAB33FE36D269AA334F146110A33
  Issued by: CN=DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1, O="DigiCert, Inc.", C=US
  Valid from: 2025-06-04 9:30:00 AM to 2036-09-04 9:29:59 AM
+  CRL URL: http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
+  OCSP URL: http://ocsp.digicert.com

Successfully verified package 'NuGet.Versioning.7.0.0'.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

Some customers have asked NuGet:

  • for a full list of URLs or hosts that NuGet will access during a restore
  • why NuGet is making http, rather than https, requests

This command enables customers to more easily obtain the information.

Recommended action

If customers are using dotnet nuget verify in automation, they will need to update their regex, or whatever other parsing they use, to either ignore or handle these new fields. In particular, the key-value pairs for certificate properties for each certificate no longer have a unique key, as can be seen in the example above where two of the four certificates have two "CRL URL" properties.
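As an added example (not part of NuGet, the .NET SDK, or this issue), here is a small parser for the new output format that copes with the repeated "CRL URL" key by storing every certificate property as a list. It also answers the two questions from the "Reason for change" section by collecting every CRL and OCSP URL into one de-duplicated list and grouping the hosts by URL scheme, so the http-only endpoints stand out. The sample output is constructed from the issue's own example (the `+` diff markers removed, the repository countersignature omitted for brevity); the function names are this example's own.

```python
"""Parse `dotnet nuget verify` output into structured certificate records.

Added example; not NuGet or .NET SDK code. The sample output is constructed
from the issue's example with the diff markers stripped. Only "  Key: Value"
lines indented under a "Verifying ... certificate:" header are treated as
certificate properties; everything else ends the current certificate block.
"""
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_OUTPUT = """\
Verifying NuGet.Versioning.7.0.0
Content hash: vMEhpystjAmHzWARE09PjYMWOiGgM+f9rJYMcXGs8soz9/url4qmU9O9Y+hy22kPuqozCMoGcJt0JzKRZ1woZg==
Signature Hash Algorithm: SHA256

Signature type: Author
Verifying the author primary signature with certificate:
  Subject Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  SHA256 hash: 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353
  Issued by: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
  Valid from: 2023-07-27 9:30:00 AM to 2026-10-18 10:29:59 AM
  CRL URL: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
  CRL URL: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
  OCSP URL: http://ocsp.digicert.com
Timestamp: 2025-10-11 9:13:23 AM
Verifying author primary signature's timestamp with timestamping service certificate:
  Subject Name: CN=DigiCert SHA256 RSA4096 Timestamp Responder 2025 1, O="DigiCert, Inc.", C=US
  SHA256 hash: 4AA03FA22CD75C84C55C938F828E676B9CAECAB33FE36D269AA334F146110A33
  Issued by: CN=DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1, O="DigiCert, Inc.", C=US
  Valid from: 2025-06-04 9:30:00 AM to 2036-09-04 9:29:59 AM
  CRL URL: http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
  OCSP URL: http://ocsp.digicert.com

Successfully verified package 'NuGet.Versioning.7.0.0'.
"""

REVOCATION_KEYS = ("CRL URL", "OCSP URL")  # keys that may repeat within one certificate


def parse_verify_output(text):
    """Return one record per 'Verifying ... certificate:' block.

    Each record is {"role": header text, "signature_type": Author/Repository/None,
    "properties": {key: [value, ...]}}. Values are always lists, so a repeated
    key (the new CRL URL lines) is appended to rather than overwritten.
    """
    certs, current, signature_type = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("  ") and current is not None:
            # Split on the first ": " only; URLs and timestamps contain bare colons.
            key, sep, value = raw.strip().partition(": ")
            if sep:
                current["properties"][key].append(value)
            continue
        line = raw.strip()
        if line.startswith("Signature type: "):
            signature_type = line.partition(": ")[2]
        elif line.startswith("Verifying") and line.endswith("certificate:"):
            current = {"role": line[len("Verifying "):-1],
                       "signature_type": signature_type,
                       "properties": defaultdict(list)}
            certs.append(current)
        else:
            current = None  # any other top-level line closes the certificate block
    for cert in certs:
        cert["properties"] = dict(cert["properties"])
    return certs


def revocation_endpoints(certs):
    """Every CRL and OCSP URL the verifier may fetch, de-duplicated and sorted."""
    urls = set()
    for cert in certs:
        for key in REVOCATION_KEYS:
            urls.update(cert["properties"].get(key, []))
    return sorted(urls)


def hosts_by_scheme(urls):
    """Group endpoint hosts by scheme, e.g. {"http": [...]} for the plain-http ones."""
    groups = defaultdict(set)
    for url in urls:
        parsed = urlparse(url)
        groups[parsed.scheme].add(parsed.netloc)
    return {scheme: sorted(hosts) for scheme, hosts in groups.items()}


if __name__ == "__main__":
    parsed_certs = parse_verify_output(SAMPLE_OUTPUT)
    for cert in parsed_certs:
        print(cert["signature_type"], "-", cert["properties"]["Subject Name"][0])
        for key in REVOCATION_KEYS:
            for url in cert["properties"].get(key, []):
                print("   ", key, url)
    print(hosts_by_scheme(revocation_endpoints(parsed_certs)))
```

The list-valued properties are the whole point: a parser that assigned `properties[key] = value` would silently keep only the last CRL URL and under-report the hosts a restore can contact. Running the script against real `dotnet nuget verify` output (pipe it in via `sys.stdin.read()` in place of `SAMPLE_OUTPUT`) gives an allow-list of revocation hosts to compare against egress rules.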

Feature area

SDK

Affected APIs

No response


Associated WorkItem - 574432

Labels

  • 📌 seQUESTered: Identifies that an issue has been imported into Quest.
  • breaking-change: Indicates a .NET Core breaking change
