NuGet Warning NU3043

Invalid value for --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).

This warning is promoted to an error in the .NET 10 SDK, and will be promoted to an error in NuGet.exe around .NET 10's release.

Issue

Starting with .NET 9 and NuGet.exe 6.12, NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is considered insecure and should no longer be used.

Solution

To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command.

Customers can use the following PowerShell script to compute SHA-2 family hashes for certificates. To use the script, customers need to save the certificate to a local folder.

$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$stream = [System.IO.MemoryStream]::new($certificate.RawData)

Try
{
    (Get-FileHash -Algorithm SHA256 $stream).Hash
}
Finally
{
    $stream.Dispose()
    $certificate.Dispose()
}