NuGet Warning NU3043
Invalid value for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).
This warning will be promoted to an error around the .NET 10 timeframe.
Issue
Starting with .NET 9 and NuGet.exe 6.12, the NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is considered insecure and should no longer be used.
Solution
To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command.
Customers can use the following PowerShell script to compute SHA-2 family hashes for certificates. To use the script, customers need to save the certificate to a local folder.
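# Path to the certificate file saved locally (placeholder; replace with your own path).
$certPath = 'C:\path\to\certificate.cer'
# Load the certificate and expose its DER-encoded bytes as a stream.
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$stream = [System.IO.MemoryStream]::new($certificate.RawData)
Try
{
    # Use SHA384 or SHA512 for -Algorithm to get the other accepted fingerprints.
    (Get-FileHash -Algorithm SHA256 -InputStream $stream).Hash
}
Finally
{
    $stream.Dispose()
    $certificate.Dispose()
}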
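
An added example (not from the original page or the NuGet project) for auditing build scripts before the warning is promoted to an error: it classifies each fingerprint passed to the sign commands by its hexadecimal length and reports whether it is a SHA-256, SHA-384, or SHA-512 value. The function names, the regular expression, and the sample command lines are assumptions constructed for illustration, and the length check reflects the rule stated above rather than NuGet's own validation code.

```powershell
# Added example: names and sample lines below are constructed for illustration.
function Get-FingerprintAlgorithm {
    param([Parameter(Mandatory)][string]$Fingerprint)
    # A fingerprint must be hexadecimal; a SHA-n digest is n/4 hex characters long.
    if ($Fingerprint -notmatch '^[0-9A-Fa-f]+$') { return 'Invalid' }
    switch ($Fingerprint.Length) {
        40      { 'SHA-1' }
        64      { 'SHA-256' }
        96      { 'SHA-384' }
        128     { 'SHA-512' }
        default { 'Invalid' }
    }
}

function Find-SignFingerprint {
    param([Parameter(Mandatory)][string[]]$Line)
    # Matches both option spellings named on this page, with optional quotes.
    $pattern = '(?i)(?:--certificate-fingerprint|-CertificateFingerprint)[\s:=]+["'']?([^\s"'']+)'
    foreach ($text in $Line) {
        $match = [regex]::Match($text, $pattern)
        if (-not $match.Success) { continue }
        $algorithm = Get-FingerprintAlgorithm -Fingerprint $match.Groups[1].Value
        [pscustomobject]@{
            Algorithm    = $algorithm
            # True only for the three fingerprint types the page lists as valid.
            AcceptedSha2 = $algorithm -in @('SHA-256', 'SHA-384', 'SHA-512')
            Line         = $text
        }
    }
}

# Constructed sample values (repeated hex pairs, not real certificate fingerprints).
$sha1Sample   = 'AB' * 20   # 40 hex characters, the length of a SHA-1 fingerprint
$sha256Sample = 'CD' * 32   # 64 hex characters, the length of a SHA-256 fingerprint
$lines = @(
    "dotnet nuget sign MyPackage.nupkg --certificate-fingerprint $sha1Sample",
    "nuget.exe sign MyPackage.nupkg -CertificateFingerprint $sha256Sample"
)
Find-SignFingerprint -Line $lines | Format-Table Algorithm, AcceptedSha2 -AutoSize
```

To audit real scripts, pass their contents instead of the sample lines, for example the output of Get-Content on a build script.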