Nuget.org also has an excellent post on the topic.
- Make our own libraries more accessible to others. Previously we provided instructions on cloning the repo and bringing it into an existing project; using nuget would be easier.
- Simplify our codebase. Our main .sln has 55 projects; perhaps 10 of which are third party libs that we made minor changes to but otherwise rarely touch.
We want all our packages to be owned by the Subor organization so everything won’t be tied to a single person.
Certificate Creation and Registration
Assuming you have a PKCS #12 file (with a .pfx extension) for signing, you need to export a .cer to register with nuget.org. On Windows, double-clicking the pfx should launch the Certificate Import Wizard, or you can run certmgr.exe and click Import….
Then click through to create the .cer. Now, go to the organization’s settings page on nuget.org and pick Certificates->Register new. Select the .cer you just created.
Nuget.org API Key
For Package Owner pick the organization. Uploaded packages will belong to the organization rather than your individual account.
For Select Scopes I’ve got Push only new package versions because I’m planning to use this on our build machine and it really has no reason to create new packages.
Subor.NNanomsg.NETStandard.0.5.2.nupkg from the other day and our private key (the pfx). To sign the package:
nuget.exe sign Subor.NNanomsg.NETStandard.0.5.2.nupkg -Timestamper http://sha256timestamp.ws.symantec.com/sha256/timestamp -CertificatePath path_to_private_key.pfx
Output should be similar to:
    Please provide password for: path_to_private_key.pfx
    Password: ********************************

    Signing package(s) with certificate:
      Subject Name: CN=???????????????????, O=???????????????????, L=??, C=CN
      SHA1 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      SHA256 hash: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
      Issued by: CN=DDDDDDDDDDDDDDD SHA256 Code Signing CA, OU=EEEEEEEEEEEEEEEEE, O=FFFFFFFFFFFFFFFFFF, C=US
      Valid from: 12/34/56 00:00:00 to 12/34/56 00:00:00

    Timestamping package(s) with:
    http://sha256timestamp.ws.symantec.com/sha256/timestamp
    Package(s) signed successfully.

After signing, the size of the nupkg file should increase slightly (in this case 10KB).
If you get output that ends with Key does not exist., make sure the .pfx (the private key) follows -CertificatePath and not the .cer (public key).
You can verify the package with:
nuget.exe verify Subor.NNanomsg.NETStandard.0.5.2.nupkg -All
And there should be a bunch of similar output that ends with Successfully verified package 'Subor.NNanomsg.NETStandard.0.5.2'..
The first time I uploaded the package I used nuget.org’s web interface: profile ->Manage Packages->+Add new.
Thereafter I can use the “update package versions”-only API key I created to push updates:
nuget.exe push Subor.NNanomsg.NETStandard.0.5.2.nupkg -Source "https://www.nuget.org" -ApiKey abcdef01234567890abcdef01234567890
If everything is working:
    Pushing Subor.NNanomsg.NETStandard.0.5.2.nupkg to the NuGet gallery (https://www.nuget.org)...
      PUT https://www.nuget.org/api/v2/package/
      Created https://www.nuget.org/api/v2/package/ 3158ms
    Your package was pushed.
The package is validated before becoming available via nuget.org. This seems to take around 5 minutes for a small package like this, although I’d imagine it might take longer for large packages or during peak usage. You can keep an eye on its status via the package’s page: https://www.nuget.org/packages/Subor.NNanomsg.NETStandard/0.5.2.
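The sign, verify and push steps above combined into one gate for the build machine, as an added example that is not part of the original post. The environment variable names (SIGN_PFX_PATH, SIGN_PFX_PASSWORD, SIGN_CERT_SHA256, NUGET_API_KEY) are assumptions; the script expects the build agent's secret store to set them and nuget.exe to be on PATH.

```powershell
# Added example (not from the original post): sign, verify, then push.
# Environment variable names below are hypothetical; map them to your CI secrets.
param(
    [Parameter(Mandatory)] [string] $Package   # e.g. Subor.NNanomsg.NETStandard.0.5.2.nupkg
)
$ErrorActionPreference = 'Stop'
$Timestamper = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'

# Run nuget.exe and stop the pipeline on any non-zero exit code, so a failed
# signing or verification step can never be followed by a push.
function Invoke-NuGet {
    param([string[]] $Arguments)
    & nuget.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "nuget.exe $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Secrets are read from the environment so they are not stored in the script
# or the repository.
foreach ($name in 'SIGN_PFX_PATH', 'SIGN_PFX_PASSWORD', 'NUGET_API_KEY') {
    if (-not (Test-Path "Env:$name")) { throw "Missing environment variable $name" }
}

# 1. Sign with the private key (.pfx, not the .cer) and timestamp the signature.
Invoke-NuGet @('sign', $Package,
    '-Timestamper', $Timestamper,
    '-CertificatePath', $env:SIGN_PFX_PATH,
    '-CertificatePassword', $env:SIGN_PFX_PASSWORD,
    '-NonInteractive')

# 2. Verify the package that was just signed.
Invoke-NuGet @('verify', $Package, '-All')

# 3. Optionally require that the signer is the certificate registered with
#    nuget.org, identified by its SHA-256 fingerprint.
if ($env:SIGN_CERT_SHA256) {
    Invoke-NuGet @('verify', $Package, '-Signatures',
        '-CertificateFingerprint', $env:SIGN_CERT_SHA256)
}

# 4. Push with the "push only new package versions" API key.
Invoke-NuGet @('push', $Package,
    '-Source', 'https://www.nuget.org',
    '-ApiKey', $env:NUGET_API_KEY,
    '-NonInteractive')
```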
The Circle is Now Complete
Back in Visual Studio, you can now:
- Right-click a project ->Manage NuGet Packages…->Browse.
Install it and build the project (don’t forget to set Platform target!).
Browse to the output folder and nanomsg.dll should be there.