| title | NuGet Warning NU3043 | |
|---|---|---|
| description | NU3043 warning code | |
| author | kartheekp-ms | |
| ms.date | 09/11/2024 | |
| ms.topic | reference | |
| f1_keywords |
|
Invalid value for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).
This warning is promoted to an error in the .NET 10 SDK, and will be promoted to an error in NuGet.exe around .NET 10's release.
Starting with .NET 9 and NuGet.exe 6.12, the NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is considered insecure and should no longer be used.
To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command.
You can use the following scripts to compute SHA-2 family hashes for certificates.
To use the script, you need to save the certificate to a local folder.
```powershell
# Path to the certificate file saved locally
$certPath = 'path/to/certificate'
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
# Hash the certificate's DER-encoded bytes
$stream = [System.IO.MemoryStream]::new($certificate.RawData)
Try
{
    (Get-FileHash -Algorithm SHA256 -InputStream $stream).Hash
}
Finally
{
    $stream.Dispose()
    $certificate.Dispose()
}
```

If the certificate is in PEM or CRT format:

```bash
openssl x509 -in path/to/certificate -outform der | sha256sum
```

If the certificate is already in DER format:

```bash
sha256sum path/to/certificate
```

Tip: For SHA-384 or SHA-512, replace sha256sum with sha384sum or sha512sum as needed.
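
A pre-flight check for a signing script, added here as an example and not taken from the NuGet documentation or tooling: it computes the fingerprint with the commands above and rejects a SHA-1 or malformed value before it reaches the sign command. The function names are hypothetical, and inferring the algorithm from the number of hex digits (64, 96, 128, or 40 for SHA-1) is this example's own approach.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of NuGet or the .NET SDK.

# Classify a fingerprint by its hex length: 64/96/128 digits = SHA-256/384/512.
# Returns 0 for an accepted SHA-2 length, 1 for SHA-1 or malformed input.
classify_fingerprint() {
    local fp="$1"
    case "$fp" in
        ''|*[!0-9A-Fa-f]*) echo invalid; return 1 ;;
    esac
    case "${#fp}" in
        64)  echo sha256 ;;
        96)  echo sha384 ;;
        128) echo sha512 ;;
        40)  echo sha1; return 1 ;;    # the SHA-1 case that NU3043 reports
        *)   echo invalid; return 1 ;;
    esac
}

# Print the fingerprint of a certificate file in uppercase hex.
# $1 = certificate path, $2 = sha256 | sha384 | sha512 (default sha256)
cert_fingerprint() {
    local cert="$1" alg="${2:-sha256}" der digest
    case "$alg" in
        sha256|sha384|sha512) ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        # PEM/CRT: convert to DER in a temp file, so a failed conversion
        # stops here instead of feeding empty input to the hash tool.
        der=$(mktemp) || return 1
        openssl x509 -in "$cert" -outform der -out "$der" || { rm -f "$der"; return 1; }
        digest=$("${alg}sum" < "$der"); rm -f "$der"
    else
        digest=$("${alg}sum" < "$cert") || return 1   # already DER: hash the bytes as-is
    fi
    digest=${digest%% *}                               # drop the trailing " -" field
    printf '%s\n' "$digest" | tr 'a-f' 'A-F'
}

# When run directly: ./fingerprint.sh path/to/certificate [sha256|sha384|sha512]
if [ "$#" -ge 1 ]; then
    fp=$(cert_fingerprint "$@") && classify_fingerprint "$fp" >/dev/null && echo "$fp"
fi
```
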