NuGet Warning NU3022

Scenario 1

Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp certificate has an unsupported signature algorithm.

Issue

The certificate used to timestamp the package signature has an unsupported signature algorithm.

Solution

Ensure that the timestamp authority's signing certificate uses one of the following signature algorithms:

  • sha256WithRSAEncryption
  • sha384WithRSAEncryption
  • sha512WithRSAEncryption

Scenario 2

Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp certificate has an unsupported signature algorithm (SHA1). The following algorithms are supported: SHA256RSA, SHA384RSA, SHA512RSA.

Issue

The certificate used to timestamp the package signature has an unsupported signature algorithm.

Solution

Ask the package author to re-sign the package with the nuget sign command, as described in the NuGet docs, passing the -Timestamper option for a timestamp authority whose signing certificate uses one of the following signature algorithms:

  • sha256WithRSAEncryption
  • sha384WithRSAEncryption
  • sha512WithRSAEncryption
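
One way to check a timestamp authority's certificate against the list above before re-signing, as an added example that is not part of the NuGet documentation or NuGet's own code. It reads the outer signatureAlgorithm OID from a DER or PEM certificate using only the Python standard library; the function names are hypothetical, and sample_cert builds a constructed stand-in with a placeholder body rather than a real certificate.

```python
import base64
# OIDs of the three certificate signature algorithms the page lists as supported.
SUPPORTED = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:  # base-128; high bit set on every byte except an arc's last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def cert_signature_oid(cert):
    """OID of the outer Certificate.signatureAlgorithm in a DER or PEM certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(b"".join(cert.strip().splitlines()[1:-1]))
    outer_tag, body, _ = read_tlv(cert, 0)      # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(cert, body)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, tbs_end)         # AlgorithmIdentifier
    oid_tag, start, end = read_tlv(cert, alg)   # its algorithm OID
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate in DER form")
    return decode_oid(cert[start:end])

def check_timestamp_cert(cert):
    oid = cert_signature_oid(cert)
    return oid in SUPPORTED, SUPPORTED.get(oid, oid)  # (supported?, name or raw OID)

def sample_cert(last_arc):
    """Constructed sample: real outer layout, placeholder tbsCertificate and signature."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + b"\x03\x02\x00\xaa")
```

Pass the bytes of the exported timestamping certificate to check_timestamp_cert; it inspects only the certificate it is given.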

Note

When running the nuget verify -signatures command, NU3022 is raised as an error. Otherwise, NU3022 is raised as a warning.