NuGet Warning NU3043
Invalid value for
--certificate-fingerprint
option in thedotnet nuget sign
command or theCertificateFingerprint
option in theNuGet.exe sign
command. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).
This warning is promoted to an error in the .NET 10 SDK, and will be promoted to an error in NuGet.exe around .NET 10's release.
Issue
Starting with .NET 9 and NuGet.exe 6.12, NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is considered insecure and should no longer be used.
Solution
To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the --certificate-fingerprint
option in the dotnet nuget sign
command or the CertificateFingerprint
option in the NuGet.exe sign
command.
Customers can use the following PowerShell script to compute SHA-2 family hashes for certificates. To use the script, customers need to save the certificate to a local folder.
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$stream = [System.IO.MemoryStream]::new($certificate.RawData)
Try
{
(Get-FileHash -Algorithm SHA256 $stream).Hash
}
Finally
{
$stream.Dispose()
$certificate.Dispose()
}