Document .NET 10 breaking change: SHA-1 fingerprint deprecation in dotnet nuget sign

Copilot · gewarren · Copilot · commit adebc0ca0b30 · 2025-08-11T22:34:39.000Z
Co-authored-by: gewarren &lt;24882762+gewarren@users.noreply.github.com&gt;
diff --git a/docs/core/compatibility/10.0.md b/docs/core/compatibility/10.0.md
@@ -97,6 +97,7 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af
 | [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 |
 | [`dotnet package list` performs restore](sdk/10.0/dotnet-package-list-restore.md) | Behavioral change | Preview 4 |
 | [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 |
+| [SHA-1 fingerprint support deprecated in `dotnet nuget sign`](sdk/10.0/dotnet-nuget-sign-sha1-deprecated.md) | Behavioral change | Preview 1 |
 | [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 |
 | [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 |
 | [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 |
diff --git a/docs/core/compatibility/sdk/10.0/dotnet-nuget-sign-sha1-deprecated.md b/docs/core/compatibility/sdk/10.0/dotnet-nuget-sign-sha1-deprecated.md
@@ -0,0 +1,55 @@
+---
+title: "Breaking change - SHA-1 fingerprint support deprecated in dotnet nuget sign"
+description: "Learn about the breaking change in .NET 10 where SHA-1 fingerprint support is deprecated in dotnet nuget sign command, promoting NU3043 warning to error."
+ms.date: 12/26/2024
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs/issues/47449
+---
+
+# SHA-1 fingerprint support deprecated in `dotnet nuget sign`
+
+Starting in .NET 10, the NU3043 warning is promoted to an error when using SHA-1 fingerprints with the `dotnet nuget sign` command. This change enforces the use of only strong, approved hash algorithms (SHA-2 family) for signing operations.
+
+## Version introduced
+
+.NET 10 Preview 1
+
+## Previous behavior
+
+In .NET 9 SDK, the `dotnet nuget sign` command accepted certificate fingerprints using SHA-1 and SHA-2 family algorithms (SHA256, SHA384, SHA512). If a SHA-1 fingerprint was used, a warning (NU3043) was issued, indicating the use of an insecure hashing algorithm, but the operation continued successfully.
+
+## New behavior
+
+Starting with .NET 10, the NU3043 warning is elevated to an error. This change blocks the use of SHA-1 fingerprints with the `--certificate-fingerprint` option in the `dotnet nuget sign` command, improving overall signing security.
+
+## Type of breaking change
+
+This is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+To enforce stronger security standards by disallowing the use of SHA-1 for certificate fingerprinting, which is considered cryptographically weak and vulnerable to collision attacks.
+
+## Recommended action
+
+Update the usage of `dotnet nuget sign` to use fingerprints from the SHA-2 family only:
+
+- **SHA256** (recommended)
+- **SHA384**
+- **SHA512**
+
+SHA-1 fingerprints must be removed or replaced to avoid NU3043 errors in .NET 10+.
+
+To generate SHA-256 fingerprints for certificates, you can use PowerShell:
+
+```powershell
+# Get SHA-256 fingerprint for a certificate file
+Get-PfxCertificate -FilePath "path\to\certificate.pfx" | Format-List Thumbprint
+
+# Get SHA-256 fingerprint from certificate store
+Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*YourCertificateName*"} | Format-List Thumbprint
+```
+
+## Affected APIs
+
+- `dotnet nuget sign --certificate-fingerprint` command line option
diff --git a/docs/core/tools/dotnet-nuget-sign.md b/docs/core/tools/dotnet-nuget-sign.md
@@ -76,6 +76,8 @@ The `dotnet nuget sign` command signs all the packages matching the first argume
   Starting with .NET 9, this option can be used to specify the SHA-1, SHA-256, SHA-384, or SHA-512 fingerprint of the certificate.
   However, a `NU3043` warning is raised when a SHA-1 certificate fingerprint is used because it is no longer considered secure.
 
+  Starting with .NET 10, the `NU3043` warning is promoted to an error when using SHA-1 fingerprints, effectively blocking the use of SHA-1 for signing operations. Only SHA-2 family fingerprints (SHA-256, SHA-384, SHA-512) are supported.
+
   All the previous versions of the .NET SDK continue to accept only SHA-1 certificate fingerprint.
 
 - **`--certificate-password <PASSWORD>`**
@@ -123,10 +125,10 @@ The `dotnet nuget sign` command signs all the packages matching the first argume
   dotnet nuget sign foo.nupkg --certificate-path cert.pfx --certificate-password password
   ```
 
-- Sign *foo.nupkg* with certificate (password protected) matches with the specified SHA-1 fingerprint in the default certificate store (CurrentUser\My):
+- Sign *foo.nupkg* with certificate (password protected) matches with the specified SHA-256 fingerprint in the default certificate store (CurrentUser\My):
 
   ```dotnetcli
-  dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password
+  dotnet nuget sign foo.nupkg --certificate-fingerprint B2C40F2F8775D7B7EBEB76BD5A9D3A4BC3F4B8A4D8D7C5F8A4C6B3E7A9E2D5F1 --certificate-password password
   ```
 
 - Sign *foo.nupkg* with certificate (password protected) matches with the specified subject name :::no-loc text="\"Test certificate for testing signing\""::: in the default certificate store (CurrentUser\My):
@@ -135,10 +137,10 @@ The `dotnet nuget sign` command signs all the packages matching the first argume
   dotnet nuget sign foo.nupkg --certificate-subject-name "Test certificate for testing signing" --certificate-password password
   ```
 
-- Sign *foo.nupkg* with certificate (password protected) matches with the specified SHA-1 fingerprint in the certificate store CurrentUser\Root:
+- Sign *foo.nupkg* with certificate (password protected) matches with the specified SHA-256 fingerprint in the certificate store CurrentUser\Root:
 
   ```dotnetcli
-  dotnet nuget sign foo.nupkg --certificate-fingerprint 89967D1DD995010B6C66AE24FF8E66885E6E03A8 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root
+  dotnet nuget sign foo.nupkg --certificate-fingerprint B2C40F2F8775D7B7EBEB76BD5A9D3A4BC3F4B8A4D8D7C5F8A4C6B3E7A9E2D5F1 --certificate-password password --certificate-store-location CurrentUser --certificate-store-name Root
   ```
 
 - Sign multiple NuGet packages - *foo.nupkg* and *all .nupkg files in the directory specified* with certificate *cert.pfx* (not password protected):
