Document .NET 10 breaking change: SHA-1 fingerprint deprecation in dotnet nuget sign #47922

Merged: 4 commits, Aug 12, 2025

@Copilot Copilot AI commented Aug 11, 2025

This PR documents the breaking change in .NET 10 where SHA-1 fingerprint support in the dotnet nuget sign command is deprecated. Starting with .NET 10 Preview 1, the NU3043 warning that was introduced in .NET 9 for SHA-1 certificate fingerprints is now promoted to an error, effectively blocking the use of SHA-1 for signing operations.

Changes Made

New Breaking Change Documentation: Added comprehensive documentation at /docs/core/compatibility/sdk/10.0/dotnet-nuget-sign-sha1-deprecated.md that includes:

  • Clear explanation of the behavioral change from warning to error
  • Security rationale for the change (SHA-1 is cryptographically weak)
  • Recommended migration path to SHA-2 family fingerprints (SHA-256, SHA-384, SHA-512)
  • PowerShell examples for generating SHA-256 fingerprints

Updated Main Index: Added the new breaking change to the SDK section table in /docs/core/compatibility/10.0.md to ensure discoverability.

Enhanced Command Documentation: Updated /docs/core/tools/dotnet-nuget-sign.md to:

  • Document the .NET 10 behavior change where NU3043 becomes an error
  • Replace SHA-1 examples with SHA-256 fingerprint examples
  • Clarify that only SHA-2 family fingerprints are supported in .NET 10+

This change aligns with the security improvements mentioned in the NuGet documentation and helps developers understand the migration path from insecure SHA-1 to secure SHA-2 family algorithms.

All documentation follows Microsoft Writing Style Guide conventions and passes markdownlint validation.

Fixes #47449.




Internal previews

| File | Preview link |
| --- | --- |
| docs/core/compatibility/10.0.md | Breaking changes in .NET 10 |
| docs/core/compatibility/sdk/10.0/dotnet-nuget-sign-sha1-deprecated.md | SHA-1 fingerprint support deprecated in dotnet nuget sign |
| docs/core/compatibility/toc.yml | docs/core/compatibility/toc |
| docs/core/tools/dotnet-nuget-sign.md | dotnet nuget sign |
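
Added example, not part of this PR or of the documentation it adds: a small Python audit that scans build-script lines for `dotnet nuget sign --certificate-fingerprint` values that are not SHA-2 and would therefore hit the NU3043 error described above. It assumes the algorithm can be inferred from the hex length of the fingerprint and that each command sits on one line; the sample script lines and the placeholder certificate bytes are constructed.

```python
import hashlib
import re

# Hex digest length -> algorithm (a fingerprint is the digest of the DER-encoded cert).
HEX_LEN_TO_ALG = {40: "SHA-1", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}
SHA2 = {"SHA-256", "SHA-384", "SHA-512"}
FP_OPTION = re.compile(r"--certificate-fingerprint[=\s]+[\"']?([0-9A-Fa-f:]+)")


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate given its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest().upper()


def classify(fingerprint: str) -> str:
    """Infer the algorithm from the hex length; 'unknown' if it matches none."""
    hex_only = fingerprint.replace(":", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_only):
        return "unknown"
    return HEX_LEN_TO_ALG.get(len(hex_only), "unknown")


def audit(lines):
    """Return (line_no, fingerprint, algorithm) for sign commands not using SHA-2."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if "dotnet nuget sign" not in line:
            continue
        for fp in FP_OPTION.findall(line):
            alg = classify(fp)
            if alg not in SHA2:
                findings.append((no, fp, alg))
    return findings


# Constructed sample: digests of placeholder bytes, not of a real certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_SCRIPT = [
    "dotnet nuget sign pkg.nupkg --certificate-fingerprint "
    + hashlib.sha1(FAKE_DER).hexdigest(),
    "dotnet nuget sign pkg.nupkg --certificate-fingerprint "
    + sha256_fingerprint(FAKE_DER),
    "dotnet nuget push pkg.nupkg",
]

if __name__ == "__main__":
    for no, fp, alg in audit(SAMPLE_SCRIPT):
        print(f"line {no}: {alg} fingerprint {fp} is not SHA-2 (NU3043)")
```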

@Copilot Copilot AI changed the title from "[WIP] [Breaking change]: Deprecate SHA-1 Support in dotnet nuget sign command (NU3043 → Error)" to "Document .NET 10 breaking change: SHA-1 fingerprint deprecation in dotnet nuget sign" Aug 11, 2025
@Copilot Copilot AI requested a review from gewarren August 11, 2025 22:36
Copilot finished work on behalf of gewarren August 11, 2025 22:36
@gewarren gewarren marked this pull request as ready for review August 12, 2025 02:19
@gewarren gewarren requested review from tdykstra and a team as code owners August 12, 2025 02:19
@gewarren gewarren requested a review from kartheekp-ms August 12, 2025 02:20
@BillWagner BillWagner left a comment

This LGTM. Let's :shipit:

@gewarren gewarren merged commit 43a44f9 into main Aug 12, 2025
10 checks passed
@gewarren gewarren deleted the copilot/fix-47449 branch August 12, 2025 16:36
Successfully merging this pull request may close these issues.

[Breaking change]: Deprecate SHA-1 Support in dotnet nuget sign command (NU3043 → Error)