NuGet Warning NU3043

Invalid value for --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).

This warning will be promoted to an error around the .NET 10 timeframe.

Issue

Starting with .NET 9 and NuGet.exe 6.12, the NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is no longer considered collision resistant and should not be used to identify a signing certificate; use a SHA-2 family fingerprint instead.

Solution

To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command.

The following PowerShell script computes a SHA-2 family fingerprint for a certificate. Save the certificate to a local file first and set $certPath to its location. The fingerprint is the hash of the certificate's DER encoding (the RawData property), so the output is the exact value to pass to the sign command. Change -Algorithm to SHA384 or SHA512 for the other accepted digest sizes.

# $certPath must point at the saved certificate file, for example: $certPath = 'C:\certs\signing.cer'
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$stream = [System.IO.MemoryStream]::new($certificate.RawData)

try
{
    # The stream must be passed through -InputStream; bound positionally it would be treated as a file path.
    (Get-FileHash -Algorithm SHA256 -InputStream $stream).Hash
}
finally
{
    $stream.Dispose()
    $certificate.Dispose()
}
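In practice the value most people already have is the SHA-1 thumbprint shown by the Windows certificate store, which is exactly the value that triggers NU3043. The example below is added here and is not code from the NuGet documentation: it computes SHA-256, SHA-384 and SHA-512 fingerprints for a certificate taken either from a file or from the certificate store by its SHA-1 thumbprint, and classifies a fingerprint string by digest length so a SHA-1 value is caught before the sign command is run. The function names, parameter names, and the sample paths and thumbprints are assumptions made for this example.

```powershell
# Added example (not from the NuGet documentation): compute SHA-2 family fingerprints
# for a signing certificate, from a certificate file or from the Windows certificate
# store, and check a fingerprint string before passing it to the sign command.
# Function names, parameter names and the sample paths/thumbprints are this example's own.

function Get-CertificateFingerprint {
    [CmdletBinding(DefaultParameterSetName = 'Path')]
    param(
        # A certificate file (.cer/.crt, or a .pfx without a password).
        [Parameter(Mandatory, ParameterSetName = 'Path')]
        [string] $Path,

        # The SHA-1 thumbprint shown by Get-ChildItem Cert:\ (the value that triggers NU3043).
        [Parameter(Mandatory, ParameterSetName = 'Store')]
        [string] $Thumbprint,

        # Windows only: the certificate store to search.
        [Parameter(ParameterSetName = 'Store')]
        [string] $StoreLocation = 'Cert:\CurrentUser\My',

        [ValidateSet('SHA256', 'SHA384', 'SHA512')]
        [string[]] $Algorithm = @('SHA256')
    )

    if ($PSCmdlet.ParameterSetName -eq 'Path') {
        # Resolve through PowerShell so relative paths work; .NET resolves them against the process directory.
        $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Convert-Path $Path))
    }
    else {
        $wanted = $Thumbprint.Replace(' ', '').Replace(':', '').ToUpperInvariant()
        $certificate = Get-ChildItem -Path $StoreLocation |
            Where-Object { $_.Thumbprint -eq $wanted } |
            Select-Object -First 1
        if (-not $certificate) { throw "No certificate with thumbprint $wanted in $StoreLocation" }
    }

    try {
        foreach ($name in $Algorithm) {
            $hasher = switch ($name) {
                'SHA256' { [System.Security.Cryptography.SHA256]::Create() }
                'SHA384' { [System.Security.Cryptography.SHA384]::Create() }
                'SHA512' { [System.Security.Cryptography.SHA512]::Create() }
            }
            try {
                # A certificate fingerprint is the hash of its DER encoding, which is what RawData holds.
                $digest = $hasher.ComputeHash($certificate.RawData)
            }
            finally { $hasher.Dispose() }

            [PSCustomObject][ordered]@{
                Algorithm   = $name
                Fingerprint = [System.BitConverter]::ToString($digest).Replace('-', '')
            }
        }
    }
    finally {
        # Only dispose certificates this function created; store objects belong to the provider.
        if ($PSCmdlet.ParameterSetName -eq 'Path') { $certificate.Dispose() }
    }
}

function Test-NuGetSignFingerprint {
    # Classifies a fingerprint by digest length so a SHA-1 value is caught before the sign command warns.
    param([Parameter(Mandatory)] [string] $Fingerprint)

    $hex = $Fingerprint.Replace(':', '').Replace(' ', '')
    if ($hex -notmatch '^[0-9A-Fa-f]+$') { return 'Rejected: not a hexadecimal string' }
    switch ($hex.Length) {
        40      { 'Rejected: 160-bit digest is SHA-1 and raises NU3043' }
        64      { 'Accepted: SHA-256' }
        96      { 'Accepted: SHA-384' }
        128     { 'Accepted: SHA-512' }
        default { "Rejected: unexpected digest length of $($hex.Length) hex characters" }
    }
}

# Usage (paths and thumbprint are placeholders):
#   Get-CertificateFingerprint -Path .\signing.cer -Algorithm SHA256, SHA384, SHA512
#   $fp = (Get-CertificateFingerprint -Thumbprint 'A1B2C3...').Fingerprint
#   Test-NuGetSignFingerprint $fp
#   dotnet nuget sign .\MyPackage.1.0.0.nupkg --certificate-fingerprint $fp
```

The store lookup matches on the X509Certificate2.Thumbprint property, which .NET always reports as the SHA-1 digest, so it is the right key for finding the certificate even though it is the wrong value to sign with. The length check is a heuristic: a 40-character hex string is a 160-bit digest, which for a certificate fingerprint means SHA-1; 64, 96 and 128 characters correspond to the three accepted SHA-2 sizes.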