This tool adds code signatures to a NuGet package using an X509 certificate stored in Microsoft Azure Key Vault.
This tool is a .NET Core global tool. It can be installed with dotnet tool install --global NuGetKeyVaultSignTool. The tool requires the .NET Core 3.1 SDK on Windows and .NET 5.0 on other platforms.
Example:
# Install the tool
dotnet tool install --global NuGetKeyVaultSignTool
# Alternatively, install the tool locally
# dotnet tool install --tool-path . NuGetKeyVaultSignTool
# Produce a package
& dotnet pack src/MyLibrary/
# Execute code signing
& NuGetKeyVaultSignTool sign MyLibrary.1.0.0.nupkg `
--file-digest sha256 `
--timestamp-rfc3161 http://timestamp.digicert.com `
--timestamp-digest sha256 `
--azure-key-vault-url https://my-keyvault.vault.azure.net `
--azure-key-vault-client-id 1234566789 `
--azure-key-vault-tenant-id <the guid or domain> `
--azure-key-vault-client-secret abcxyz `
--azure-key-vault-certificate MyCodeSignCert
The tool has two subcommands, sign and verify.
sign
Signs a NuGet package using a certificate stored in Azure Key Vault.
Usage: NuGetKeyVaultSignTool.exe sign [options] <FILE_PATH>
FILE_PATH = the path to the .nupkg file produced by dotnet pack or nuget.exe pack.
Options:
-o | --output - The output file. If omitted, overwrites the input.
-f | --force - Overwrites a signature if one already exists.
-fd | --file-digest - The digest algorithm to hash the file with.
-tr | --timestamp-rfc3161 - Specifies the RFC 3161 timestamp server's URL. If this option (or -t) is not specified, the signed file will not be timestamped.
-td | --timestamp-digest - Used with the -tr switch to request the digest algorithm used by the RFC 3161 timestamp server.
-st | --signature-type - The signature type. Omit for author, the default; only author is currently supported.
-kvu | --azure-key-vault-url - The URL of an Azure Key Vault.
-kvt | --azure-key-vault-tenant-id - The Tenant ID to authenticate to the Azure Key Vault.
-kvi | --azure-key-vault-client-id - The Client ID to authenticate to the Azure Key Vault.
-kvs | --azure-key-vault-client-secret - The Client Secret to authenticate to the Azure Key Vault.
-kvc | --azure-key-vault-certificate - The name of the certificate in Azure Key Vault.
-kva | --azure-key-vault-accesstoken - The Access Token to authenticate to the Azure Key Vault.
-kvm | --azure-key-vault-managed-identity - Use a Managed Identity to access Azure Key Vault.

Note: For authentication to Azure Key Vault, one of the following is required:
azure-key-vault-client-id and azure-key-vault-client-secret and azure-key-vault-tenant-id,
or azure-key-vault-accesstoken,
or azure-key-vault-managed-identity.
verify
Verifies that a NuGet package has been code-signed.
Usage: NuGetKeyVaultSignTool verify [options] <FILE_PATH>
FILE_PATH = the path to the .nupkg file produced by dotnet pack or nuget.exe pack.
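A CI-style wrapper around the two subcommands above, added here as an example and not part of the tool's README: it signs every package in a directory, keeps the Key Vault client credentials off the command line by reading them from environment variables (or uses a managed identity instead), and runs verify on each result so the build fails before an unsigned package can be pushed. The environment variable names, the package directory and the default vault and certificate values are assumptions; the option names are those listed on this page.

```powershell
# Added example (not part of the tool's README): sign every .nupkg in a
# directory and verify each result before it is allowed to be published.
# Assumed (not from the page): the variable names AZURE_TENANT_ID,
# AZURE_CLIENT_ID and AZURE_CLIENT_SECRET and the default parameter values.
param(
    [string]$PackageDir = './artifacts',
    [string]$KeyVaultUrl = 'https://my-keyvault.vault.azure.net',
    [string]$CertificateName = 'MyCodeSignCert',
    [switch]$UseManagedIdentity   # set on a build agent that has an Azure identity
)
$ErrorActionPreference = 'Stop'

# Authentication arguments: a managed identity needs no secret on the agent;
# otherwise the client credentials come from the environment instead of being
# typed on the command line, where they would end up in shell history and logs.
$authArgs = if ($UseManagedIdentity) {
    @('--azure-key-vault-managed-identity')
} else {
    foreach ($name in 'AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET') {
        if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($name))) {
            throw "Environment variable $name is not set"
        }
    }
    @('--azure-key-vault-tenant-id', $env:AZURE_TENANT_ID,
      '--azure-key-vault-client-id', $env:AZURE_CLIENT_ID,
      '--azure-key-vault-client-secret', $env:AZURE_CLIENT_SECRET)
}

$packages = Get-ChildItem -Path $PackageDir -Filter '*.nupkg' -File
if (-not $packages) { throw "No .nupkg files found in $PackageDir" }

foreach ($pkg in $packages) {
    # Sign in place (no --output), hashing with SHA-256 and requesting an RFC 3161
    # timestamp so the signature can still be validated after the certificate expires.
    & NuGetKeyVaultSignTool sign $pkg.FullName `
        --file-digest sha256 `
        --timestamp-rfc3161 http://timestamp.digicert.com `
        --timestamp-digest sha256 `
        --azure-key-vault-url $KeyVaultUrl `
        --azure-key-vault-certificate $CertificateName `
        @authArgs
    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($pkg.Name)" }

    # Independent check of the produced signature; a non-zero exit code here
    # stops the pipeline before the package reaches the feed.
    & NuGetKeyVaultSignTool verify $pkg.FullName
    if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $($pkg.Name)" }
    Write-Host "Signed and verified $($pkg.Name)"
}
```

Run it as `.\Sign-Packages.ps1 -UseManagedIdentity` on an agent with an Azure identity, or without the switch after exporting the three credential variables from the pipeline's secret store.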