ActiveLogin / ActiveLogin.Authentication

Support Swedish BankID (svenskt BankID) authentication in .NET. Unofficial package, not created by BankID.
https://activelogin.net
MIT License

Remove Author signature of the NuGet packages #429

Closed PeterOrneholm closed 9 months ago

PeterOrneholm commented 9 months ago

NuGet packages can be signed (https://learn.microsoft.com/en-us/nuget/create-packages/sign-a-package, https://learn.microsoft.com/en-us/nuget/reference/signed-packages-reference) with either type Author or type Repository, or both.

Any package published to nuget.org will automatically be signed with a Repository signature, and the library author (like Active Login) can add an extra level of signature by signing it with the Author signature (using a code signing certificate) before publishing the package.

Since (I think) v1 of Active Login we have been doing this. But it turns out that this takes quite a lot of overhead from our side, time we would rather spend doing work in the project: fixing bugs and adding features. Since last year, things around the handling of the code signing certificate have changed, making it more secure but more time-consuming on our end.

We have decided to remove the Author signature of the packages for Active Login starting from our next release. The Repository signature added by nuget.org will still be there.

Our quick look at the top packages on nuget.org indicates that many third-party packages only use the Repository signature.


We have checked with a few clients and this isn't an issue for them. If it would be so for you, let us know and we are up for you supporting this "feature".
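For consumers who enforce signature validation, the change described above means that trust has to rest on the nuget.org Repository signature rather than on an Author certificate. The following `nuget.config` is an added example, not taken from the issue or from the Active Login project; the signer names, the fingerprints and the owner account are placeholders to replace with your own verified values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <!-- "require" rejects any package that is not signed by a signer
         listed under trustedSigners. The default mode, "accept", also
         allows unsigned packages and packages from unlisted signers. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- BEFORE: an entry like this pins the publisher's Author signing
         certificate. In "require" mode it stops matching once packages
         are published without an Author signature.
    <author name="author-signer-placeholder">
      <certificate fingerprint="AUTHOR-CERT-SHA256-PLACEHOLDER"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>
    -->

    <!-- AFTER: trust the Repository signature that nuget.org adds to
         every package it serves. Without an owners filter this entry
         would trust every package on nuget.org, so the owners element
         narrows it to packages owned by the listed nuget.org accounts
         (semicolon-separated). -->
    <repository name="nuget.org"
                serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="REPOSITORY-CERT-SHA256-PLACEHOLDER"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
      <owners>OWNER-ACCOUNT-PLACEHOLDER</owners>
    </repository>
  </trustedSigners>
</configuration>
```

The owners filter plays the role the Author certificate used to play in this setup: it ties trust to a publisher account on nuget.org instead of to a certificate held by the publisher.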