Open Aaronontheweb opened 5 years ago
Clarification: I meant filter for authenticode signed packages; not necessarily all of the content contained inside the package. Only packages that have been explicitly signed themselves.
@Aaronontheweb , can you please provide additional details on the scenario where this will be useful?
I'm imagining scenarios where customers in some fields would want to stick with only packages that are signed, much like how many companies (rightly or wrongly, YMMV) require that all DLLs in their solution be strong-named.
Reason being that establishing provenance of all dependencies can make it easier for OSS to be included in more restricted environments or regulated markets, such as healthcare / finance. Up to you how useful it would be - no one has asked for it AFAIK, but perhaps that's also because the possibility didn't exist before NuGet added signing support to its UI and upload system.
All packages hosted on NuGet.org will be signed. See: https://blog.nuget.org/20180810/Introducing-Repository-Signatures.html
Since all packages will be protected, do you think there’s still a need for this feature?
@loic-sharma - I think @Aaronontheweb is referring to author-signed packages specifically.
@Aaronontheweb thanks for opening the issue. We should definitely think about how to expose author signatures and make such packages discoverable.
Adding the twitter conversation for context: https://twitter.com/Aaronontheweb/status/1067576982844702721
I think @Aaronontheweb is referring to author-signed packages specifically.
Correct
Just a suggestion for NuGet package search - could you add an option to search only for packages that have been authenticode signed? Or maybe a sort option that allows signed packages to percolate up to the top?
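The distinction the thread turns on (author-signed versus merely repository-signed) can be checked locally today from the package file itself. This is an added example, not NuGet client code: NuGet stores the signature as a CMS blob in the `.signature.p7s` zip entry, and each signature carries an RFC 5126 commitment-type-indication whose OID says whether it is an author signature (proof of origin) or a repository signature (proof of receipt). The script below scans the DER bytes for those two encoded OIDs as a triage filter; it does not validate the signature, so `dotnet nuget verify` remains the authoritative check, and a package that is author-signed and repository-countersigned reports both kinds.

```python
import io
import zipfile

SIGNATURE_ENTRY = ".signature.p7s"               # CMS/PKCS#7 blob inside the zip
PROOF_OF_ORIGIN = "1.2.840.113549.1.9.16.6.1"    # RFC 5126 commitment type: author
PROOF_OF_RECEIPT = "1.2.840.113549.1.9.16.6.2"   # RFC 5126 commitment type: repository


def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def signature_kinds(p7s):
    """Heuristic triage: search the DER for the encoded commitment-type OIDs (no CMS parsing)."""
    kinds = set()
    if encode_oid(PROOF_OF_ORIGIN) in p7s:
        kinds.add("author")
    if encode_oid(PROOF_OF_RECEIPT) in p7s:
        kinds.add("repository")
    return kinds


def package_signature_kinds(nupkg):
    """Classify the signature of a .nupkg given as a path or file-like object."""
    with zipfile.ZipFile(nupkg) as zf:
        if SIGNATURE_ENTRY not in zf.namelist():
            return set()  # unsigned package
        return signature_kinds(zf.read(SIGNATURE_ENTRY))


def constructed_package(signature=None):
    """In-memory stand-in for a .nupkg (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.nuspec", "<package/>")
        if signature is not None:
            zf.writestr(SIGNATURE_ENTRY, signature)
    buf.seek(0)
    return buf
```

Applied to a local feed, `"author" in package_signature_kinds(path)` gives the "author-signed only" filter the issue asks for, pending verification of the signature chain.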