NuGet Package Signing

Overview

QCecuring integrates with NuGet package signing workflows to ensure .NET packages are signed with governed code signing certificates before publication. Teams maintain trust in their package supply chain while QCecuring handles certificate lifecycle and access control.

Key capabilities

• Automated NuGet package signing using QCecuring-managed code signing certificates.
• Support for both author signing and repository signing of NuGet packages.
• Certificate lifecycle management for NuGet signing certificates including renewal and rotation.
• Policy enforcement ensuring only authorized packages are signed before publication.
• Audit trail linking signed packages to specific certificates, signers, and build pipelines.

Typical use cases

• .NET development teams publishing signed packages to NuGet.org or private feeds.
• Organizations requiring package integrity verification in their .NET supply chain.
• Enterprise teams managing internal NuGet feeds with mandatory package signing policies.

High-level integration flow

1. Provision or import NuGet-compatible code signing certificates into QCecuring.
2. Configure signing policies specifying which projects and pipelines can sign packages.
3. Build pipelines submit NuGet packages to QCecuring for signing during the publish stage.
4. QCecuring signs packages with the appropriate certificate and returns signed .nupkg files.
5. Signed packages are published to feeds, with all signing operations recorded in the audit trail.