SSL.com

Code Signing Nuget Packages with eSigner

A NuGet package is a standardized format for distributing software libraries, tools, and assets in the .NET ecosystem. It allows developers to easily share and consume code across different projects and platforms.
 
NuGet is a package manager for the .NET development framework, primarily used with Microsoft’s Visual Studio and .NET Core. It simplifies the process of managing external dependencies in a project by providing a centralized repository of packages that can be easily installed and updated.
 
Developers can use NuGet to search for packages from the official NuGet Gallery or other custom package sources. Once a package is identified, it can be installed into a project, which automatically resolves and downloads any required dependencies.
 
By utilizing NuGet packages, developers can save time by leveraging existing code and functionality, instead of reinventing the wheel for common tasks. It promotes code reuse, modular development, and simplifies the management of external libraries and dependencies in .NET projects.
 

SSL.com’s EV Code Signing Certificates are trusted worldwide to digitally sign software code with secure digital signatures. 

BUY YOUR SSL.COM EV CODE SIGNING CERTIFICATE

 

Order a Code Signing Certificate

Production Certificate

For instructions on how to order a production code signing certificate, please refer to the guide article: Ordering Process for Code and Document Signing Certificates.

Test Certificate

For users who want to try code signing using a test certificate, the SSL.com sandbox environment offers a place where they can freely experiment. Follow the steps below to order an SSL.com test certificate.

  1. Login to your sandbox account at https://sandbox.ssl.com/login. If there is no sandbox account yet, a new one can be created at https://sandbox.ssl.com/users/new.
  2. Once logged in to the sandbox account, click the Dashboard tab.
  3. Scroll down to the developers and integration section and click the developer tools link.
  4. Select the test EV certificate you want to order. Specify the validity duration of the certificate. Finally, click the Create Test Order button.
  5. Contact SSL.com  support team (support@ssl.com) for the test code signing certificate to be validated.

Enroll your Certificate in eSigner Cloud Code Signing

Once your certificate has been validated, you can now enroll it in eSigner. There are two methods on how to do this:

  1. QR code method: https://www.ssl.com/how-to/enroll-esigner-remote-document-ev-code-signing/
  2. OTP SMS method: https://www.ssl.com/guide/how-to-enable-otp-sms-two-factor-authentication-for-esigner-cloud-code-or-document-signing/

Sign your NuGet Package with eSigner Cloud Key Adapter (CKA)

eSigner CKA (Cloud Key Adapter) is a Windows based application that uses the Cryptography API: Next Generation interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for enterprise code signing operations. It acts like a virtual USB token and loads the code signing certs to the certificate store.

  1. Refer to this article to know how to install eSigner CKA on your computer.
  2. Login to eSigner CKA with your SSL.com account credentials.
  3. Use the sign command below to sign your NuGet file on Windows SignTool

    dotnet nuget sign "D:\Data\unsigned.nupkg" --timestamper http://ts.ssl.com/legacy --certificate-fingerprint YOUR CERTIFICATE THUMBPRINT --certificate-store-location CurrentUser --certificate-store-name My

Sign your NuGet Package with eSigner CodeSignTool

SSL.com’s eSigner  CodeSignTool is a secure, privacy-oriented multi-platform Java command line utility for remotely signing Microsoft Authenticode and Java code objects with eSigner-enrolled code signing certificates. It is able to sign Nuget packages efficiently and in a user-friendly manner.

Refer to the article eSigner CodeSignTool Command Guide to download the application and gain an overview of all the available commands.

  1. To be able to sign Nuget files using CodeSignTool, first you have to add the timestamp legacy endpoint in the Properties Source File of CodeSignTool. Open CodeSignTool folder > Open conf subfolder > Open code_sign_tool Properties Source File. Add the legacy endpoint: TSA_LEGACY_URL=http://ts.ssl.com/legacy

    If you are using a test certificate, you also need to replace the contents of conf/code_sign_tool.properties with the following text:
    CLIENT_ID=qOUeZCCzSqgA93acB3LYq6lBNjgZdiOxQc-KayC3UMw 
    OAUTH2_ENDPOINT=https://oauth-sandbox.ssl.com/oauth2/token 
    CSC_API_ENDPOINT=https://cs-try.ssl.com 
    TSA_URL=http://ts.ssl.com
  2. Open your command-line tool and change the directory to point to the installation folder of CodeSignTool by using the cd command. Example: C:\Users\Admin>cd C:\Users\Admin\My PC\Desktop\CodeSignTool
  3. Use this command to sign your Nuget File:
    CodeSignTool sign -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL ID -input_file_path=INPUT FILE PATH -output_dir_path=OUTPUT DIRECTORY PATH
  4. After entering the sign command, your Command Line Tool will prompt you for the One Time Password (OTP) linked to the tool you used to enroll your certificate in eSigner: either a QR code app or SMS/mobile phone: Enter the OTP - Press enter to continue: 
  5. Code Signed Successfully! You will be notified that your Nuget file has been successfully signed. Example:
    Code signed successfully: C:\Users\Admin\\My PC\Desktop\Signed Nuget Files\sample.nupkg

Required Parameters

Troubleshooting Signing Errors

  1. If your password includes special characters, enclose it in quotes (e.g. -password=”P!@^^ssword12″).
  2. If you encounter signing errors like:
    • 'C:\Users\Admin\Dropbox\My' is not recognized as an internal or external command, operable program or batch file.
    • The system cannot find the path specified.
    • WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
    • \Documents\sample was unexpected at this time.

Try the following:

SSL.com’s EV Code Signing Certificates are trusted worldwide to digitally sign software code with secure digital signatures. 

BUY YOUR SSL.COM EV CODE SIGNING CERTIFICATE

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.
Exit mobile version