Signing NuGet packages
We are interested in using konsole in another open-source project but have a hard requirement that the NuGet packages we publish are signed. It is possible to sign these as 3rd party packages, but I thought I would reach out to see if you have considered publishing a signed version?
Hi @davidhcoe; sounds great; please DM me some info on your project and I'll look at my work commitments and see what's involved in publishing a signed version.
Hi @davidhcoe
Unfortunately it looks like this might be a non-trivial request. While it might be a reasonable effort to do for the commercial version of Konsole I might one day bring out, I can't justify the time and costs for an open source project.
Not sure how accurate ChatGPT's assessment of effort is (see below); but if it's even only partially right, it's unfortunately not something I can commit any serious time to. I naively thought it could be a simple case of some kind of public/private key configuration and uploading something to a private area in NuGet. But... sadly, it seems it's not that simple. Go figure!
It would be lovely to have Konsole used in a significant open source project. Here's the estimate from ChatGPT, which suggests it's a no go, sorry!
Wish you all the best with your project. Regards,
Alan
p.s. I have no intention to "apply" for something (see ChatGPT's suggestion at the bottom) that I believe should be free to start with!
Summary of Effort, Time, and Cost for Signing a NuGet Package
Initial Effort & Time Estimate
| Task | Effort | Time |
|---|---|---|
| Researching and obtaining a code-signing certificate | 1–2 hours | Up to 1 week (if using a CA) |
| Setting up assembly signing (SNK file) | 30 min | Immediate |
| Setting up NuGet package signing | 1–2 hours | Immediate (after certificate is ready) |
| Automating signing in CI/CD (GitHub Actions/Azure DevOps) | 2–4 hours | 1 day |
| Testing and verifying signatures | 1–2 hours | Immediate |
Total initial effort: ~1 day (excluding waiting time for certificate approval).
Ongoing Effort
- Each release: Signing the package adds minimal effort (~5–10 minutes).
- Certificate renewal: If using a CA-issued certificate, renewal is required annually (a few hours of effort).
- CI/CD maintenance: If automated, no extra effort unless something breaks.
Cost Estimate
| Option | Cost | Notes |
|---|---|---|
| Paid CA-issued Code Signing Certificate | $100–$500/year | Required for NuGet.org. Providers include DigiCert, GlobalSign, Sectigo. |
| Microsoft CA (for open-source projects) | Free | Requires approval via MS Defending Democracy Program. |
| Self-Signed Certificate | Free | Only useful for internal/private use; not trusted by NuGet.org. |
NuGet.org requires an Authenticode certificate from a trusted CA, meaning a paid certificate is necessary unless Microsoft approves you for their free signing program.
Can This Be Done for Free?
- For internal use: Yes, with a self-signed certificate.
- For NuGet.org: No, because NuGet.org enforces certificate trust requirements.
- Workaround: If the open-source project is high-profile and non-commercial, you could apply for Microsoft’s free code-signing certificate.
Conclusion
If using a paid certificate, expect an initial effort of ~1 day and $100–$500 per year in costs. If Microsoft approves the project, signing could be done for free, but that’s not guaranteed.
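The rows "Setting up NuGet package signing", "Automating signing in CI/CD" and "Testing and verifying signatures" in the estimate above correspond to a fairly short release workflow. The following GitHub Actions workflow is an added example, not code from the konsole project or from anyone in this thread. It assumes a PFX code-signing certificate is stored base64-encoded in a repository secret named `SIGNING_CERT_PFX_BASE64`, its password in `SIGNING_CERT_PASSWORD`, a NuGet.org API key in `NUGET_API_KEY`, that the project file is at `src/Konsole/Konsole.csproj`, and that `<CERT-SHA256-FINGERPRINT>` is replaced with the certificate's real SHA-256 fingerprint; all of these names and paths are assumptions.

```yaml
# Added example (not from the konsole project or this thread): a GitHub Actions
# release workflow that packs, author-signs, verifies and publishes a NuGet package.
# Assumed secret names: SIGNING_CERT_PFX_BASE64 (base64 of the PFX),
# SIGNING_CERT_PASSWORD, NUGET_API_KEY. Assumed project path: src/Konsole/Konsole.csproj.
# <CERT-SHA256-FINGERPRINT> is a placeholder for the certificate's SHA-256 fingerprint.
name: release

on:
  push:
    tags: ['v*']

jobs:
  sign-and-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Pack
        run: dotnet pack src/Konsole/Konsole.csproj --configuration Release --output ./artifacts

      # The PFX exists on disk only for the duration of the job (see the final
      # step); it is never committed and never echoed to the log.
      - name: Materialise signing certificate
        run: printf '%s' "$CERT_B64" | base64 -d > "$RUNNER_TEMP/signing.pfx"
        env:
          CERT_B64: ${{ secrets.SIGNING_CERT_PFX_BASE64 }}

      # Author-sign the package. The RFC 3161 timestamp keeps the signature valid
      # after the certificate expires, so the annual renewal in the table above
      # does not invalidate packages that were already published.
      - name: Sign package
        run: >
          dotnet nuget sign ./artifacts/*.nupkg
          --certificate-path "$RUNNER_TEMP/signing.pfx"
          --certificate-password "$CERT_PASSWORD"
          --timestamper http://timestamp.digicert.com
        env:
          CERT_PASSWORD: ${{ secrets.SIGNING_CERT_PASSWORD }}

      # Verify before pushing: --all checks the signature and the certificate
      # chain, and pinning the fingerprint fails the build if the package was
      # signed with any certificate other than the expected one.
      - name: Verify signature
        run: >
          dotnet nuget verify --all ./artifacts/*.nupkg
          --certificate-fingerprint <CERT-SHA256-FINGERPRINT>

      - name: Push to NuGet.org
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --api-key "$NUGET_API_KEY"
          --source https://api.nuget.org/v3/index.json
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}

      - name: Remove certificate from runner
        if: always()
        run: rm -f "$RUNNER_TEMP/signing.pfx"
```

The verify step is also the practical reason the cost table rules out a self-signed certificate: `dotnet nuget verify` builds the certificate chain to a trusted root, and a self-signed certificate does not chain to one, so the same check that NuGet.org applies fails locally before anything is published. Consumers of the package can run the same `dotnet nuget verify --all` against a downloaded `.nupkg` to confirm it was signed by the expected certificate.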
For the avoidance of doubt (for anyone quickly reading only the bottom of the above message), I have no intention of applying for sponsorship for something that should be free (signing certificates, etc.)! @davidhcoe this comment wasn't aimed at you, rather at future readers coming here and starting to read from the bottom.
Naive me thought (while reading your request) that I could simply publish and sign a new package in 10 or 15 minutes and be done; I've obviously been working with Cloudflare tech for way too long now, where everything is properly secure by default and... oh my gosh, soo much simpler.
Hmm, definitely not a small ask. Let me research some potential options and get back to you.
@davidhcoe It really SHOULD be a small ask; in fact, when I saw your message I didn't think it was. Sigh! #openSourceIsDead