dotnet · BillWagner · Aug 14, 2025 · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025
@@ -2,14 +2,14 @@
 title: What's new in .NET libraries for .NET 10
 description: Learn about the updates to the .NET libraries for .NET 10.
 titleSuffix: ""
-ms.date: 07/16/2025
+ms.date: 08/12/2025
 ms.topic: whats-new
 ai-usage: ai-assisted
 ---
 
 # What's new in .NET libraries for .NET 10
 
-This article describes new features in the .NET libraries for .NET 10. It's been updated for Preview 6.
+This article describes new features in the .NET libraries for .NET 10.
 
 ## Cryptography
 
@@ -113,6 +113,73 @@
 
 The PQC algorithms are available on systems where the system cryptographic libraries are OpenSSL 3.5 (or newer) or Windows CNG with PQC support. Also, the new classes are all marked as [`[Experimental]`](../../../fundamentals/syslib-diagnostics/experimental-overview.md) under diagnostic `SYSLIB5006` until development is complete.
 
+#### ML-DSA enhancements
+
+The <xref:System.Security.Cryptography.MLDsa> class gained ease-of-use updates, allowing some common code patterns to be simplified:
+
+```diff
+private static byte[] SignData(string privateKeyPath, ReadOnlySpan<byte> data)
+{
+    using (MLDsa signingKey = MLDsa.ImportFromPem(File.ReadAllBytes(privateKeyPath)))
+    {
+-       byte[] signature = new byte[signingKey.Algorithm.SignatureSizeInBytes];
+-       signingKey.SignData(data, signature);
++       return signingKey.SignData(data);
+-       return signature;
+    }
+}
+```
+
+Additionally, this release added support for HashML-DSA, which is called "PreHash" to help distinguish it from "pure" ML-DSA. As the underlying specification interacts with the Object Identifier (OID) value, the SignPreHash and VerifyPreHash methods on this `[Experimental]` type take the dotted-decimal OID as a string. This might evolve as more scenarios using HashML-DSA become well-defined.
+
+```csharp
+private static byte[] SignPreHashSha3_256(MLDsa signingKey, ReadOnlySpan<byte> data)
+{
+    const string Sha3_256Oid = "2.16.840.1.101.3.4.2.8";
+    return signingKey.SignPreHash(SHA3_256.HashData(data), Sha3_256Oid);
+}
+```
+
+#### Composite ML-DSA
+
+This release also introduces new types to support ietf-lamps-pq-composite-sigs (currently at draft 7), and an implementation of the primitive methods for RSA variants.
+
+```csharp
+var algorithm = CompositeMLDsaAlgorithm.MLDsa65WithRSA4096Pss;
+using var privateKey = CompositeMLDsa.GenerateKey(algorithm);
+
+byte[] data = [42];
+byte[] signature = privateKey.SignData(data);
+
+using var publicKey = CompositeMLDsa.ImportCompositeMLDsaPublicKey(algorithm, privateKey.ExportCompositeMLDsaPublicKey());
+Console.WriteLine(publicKey.VerifyData(data, signature)); // True
+
+signature[0] ^= 1; // Tamper with signature
+Console.WriteLine(publicKey.VerifyData(data, signature)); // False
+```
+
+### AES KeyWrap with Padding (IETF RFC 5649)
+
+AES-KWP is an algorithm that is occasionally used in constructions like Cryptographic Message Syntax (CMS) EnvelopedData, where content is encrypted once, but the decryption key needs to be distributed to multiple parties, each one in a distinct secret form.
+
+.NET now supports the AES-KWP algorithm via instance methods on the <xref:System.Security.Cryptography.Aes> class:
+
+```csharp
+private static byte[] DecryptContent(ReadOnlySpan<byte> kek, ReadOnlySpan<byte> encryptedKey, ReadOnlySpan<byte> ciphertext)
+{
+    using (Aes aes = Aes.Create())
+    {
+        aes.SetKey(kek);
+
+        Span<byte> dek = stackalloc byte[256 / 8];
+        int length = aes.DecryptKeyWrapPadded(encryptedKey, dek);
+
+        aes.SetKey(dek.Slice(0, length));
+        return aes.DecryptCbc(ciphertext);
+    }
+}
+```
+
 ## Globalization and date/time
 
 - [New method overloads in ISOWeek for DateOnly type](#new-method-overloads-in-isoweek-for-dateonly-type)
@@ -183,6 +250,7 @@
 - [Allow specifying ReferenceHandler in `JsonSourceGenerationOptions`](#allow-specifying-referencehandler-in-jsonsourcegenerationoptions)
 - [Option to disallow duplicate JSON properties](#option-to-disallow-duplicate-json-properties)
 - [Strict JSON serialization options](#strict-json-serialization-options)
+- [PipeReader support for JSON serializer](#pipereader-support-for-json-serializer)
 
 ### Allow specifying ReferenceHandler in `JsonSourceGenerationOptions`
 
@@ -224,6 +292,37 @@
 
 For more information about JSON serialization, see [System.Text.Json overview](../../../standard/serialization/system-text-json/overview.md).
 
+### PipeReader support for JSON serializer
+
+<xref:System.Text.Json.JsonSerializer.Deserialize%2A?displayProperty=nameWithType> now supports <xref:System.IO.Pipelines.PipeReader>, complementing the existing <xref:System.IO.Pipelines.PipeWriter> support. Previously, deserializing from a `PipeReader` required converting it to a <xref:System.IO.Stream>, but the new overloads eliminate that step by integrating `PipeReader` directly into the serializer. As a bonus, not having to convert from what you're already holding can yield some efficiency benefits.
+
+This shows the basic usage:
+
+:::code language="csharp" source="snippets/csharp/PipeReaderBasic.cs":::
+
+Here is an example of a producer that produces tokens in chunks and a consumer that receives and displays them:
+
+:::code language="csharp" source="snippets/csharp/PipeReaderChunks.cs":::
+
+Note that all of this is serialized as JSON in the <xref:System.IO.Pipelines.Pipe> (formatted here for readability):
+
+```json
+[
+    {
+        "Message": "The quick brown fox",
+        "Timestamp": "2025-08-01T18:37:27.2930151-07:00"
+    },
+    {
+        "Message": " jumps over",
+        "Timestamp": "2025-08-01T18:37:27.8594502-07:00"
+    },
+    {
+        "Message": " the lazy dog.",
+        "Timestamp": "2025-08-01T18:37:28.3753669-07:00"
+    }
+]
+```
+
 ## System.Numerics
 
 - [More left-handed matrix transformation methods](#more-left-handed-matrix-transformation-methods)
@@ -328,3 +427,86 @@
 
 - Eliminates repeated allocation of ~64-80 bytes of memory per concatenated stream, with additional unmanaged memory savings.
 - Reduces execution time by approximately 400 ns per concatenated stream.
+
+## Windows process management
+
+### Launch Windows processes in new process group
+
+For Windows, you can now use <xref:System.Diagnostics.ProcessStartInfo.CreateNewProcessGroup?displayProperty=nameWithType> to launch a process in a separate process group. This allows you to send isolated signals to child processes which could otherwise take down the parent without proper handling. Sending signals is convenient to avoid forceful termination.
+
+:::code language="csharp" source="snippets/csharp/ProcessGroup.cs":::
+
+## WebSocket enhancements
+
+### WebSocketStream
+
+.NET 10 introduces `WebSocketStream`, a new API designed to simplify some of the most common—and previously cumbersome—<xref:System.Net.WebSockets.WebSocket> scenarios in .NET.
+
+Traditional `WebSocket` APIs are low-level and require significant boilerplate: handling buffering and framing, reconstructing messages, managing encoding/decoding, and writing custom wrappers to integrate with streams, channels, or other transport abstractions. These complexities make it difficult to use WebSockets as a transport, especially for apps with streaming or text-based protocols, or event-driven handlers.
+
+`WebSocketStream` addresses these pain points by providing a <xref:System.IO.Stream>-based abstraction over a WebSocket. This enables seamless integration with existing APIs for reading, writing, and parsing data, whether binary or text, and reduces the need for manual plumbing.
+
+#### Common usage patterns
+
+Here are a few examples of how `WebSocketStream` simplifies typical WebSocket workflows:
+
+##### Streaming text protocol (for example, STOMP)
+
+:::code language="csharp" source="snippets/csharp/WebSocketStreamText.cs":::
+
+##### Streaming binary protocol (for example, AMQP)
+
+:::code language="csharp" source="snippets/csharp/WebSocketStreamBinary.cs":::
+
+##### Reading a single message as a stream (for example, JSON deserialization)
+
+:::code language="csharp" source="snippets/csharp/WebSocketStreamRead.cs":::
+
+##### Writing a single message as a stream (for example, binary serialization)
+
+:::code language="csharp" source="snippets/csharp/WebSocketStreamWrite.cs":::
+
+`WebSocketStream` enables high-level, familiar APIs for common WebSocket consumption and production patterns—reducing friction and making advanced scenarios easier to implement.
+
+## TLS enhancements
+
+### TLS 1.3 for macOS (client)
+
+.NET 10 adds client-side TLS 1.3 support on macOS by integrating Apple's Network.framework into <xref:System.Net.Security.SslStream> and <xref:System.Net.Http.HttpClient>. Historically, macOS used Secure Transport which doesn't support TLS 1.3; opting into Network.framework enables TLS 1.3.
+
+#### Scope and behavior
+
+- macOS only, client-side in this release.
+- Opt-in. Existing apps continue to use the current stack unless enabled.
+- When enabled, older TLS versions (TLS 1.0 and 1.1) might no longer be available via Network.framework.
+
+#### How to enable
+
+Use an AppContext switch in code:
+
+```csharp
+// Opt in to Network.framework-backed TLS on Apple platforms
+AppContext.SetSwitch("System.Net.Security.UseNetworkFramework", true);
+
+using var client = new HttpClient();
+var html = await client.GetStringAsync("https://example.com");
+```
+
+Or use an environment variable:
+
+```bash
+# Opt-in via environment variable (set for the process or machine as appropriate)
+DOTNET_SYSTEM_NET_SECURITY_USENETWORKFRAMEWORK=1
+# or
+DOTNET_SYSTEM_NET_SECURITY_USENETWORKFRAMEWORK=true
+```
+
+#### Notes
+
+- Applies to <xref:System.Net.Security.SslStream> and APIs built on it (for example, <xref:System.Net.Http.HttpClient>/<xref:System.Net.Http.HttpMessageHandler>).
+- Cipher suites are controlled by macOS via Network.framework.
+- Underlying stream behavior might differ when Network.framework is enabled (for example, buffering, read/write completion, cancellation semantics).
+- Zero-byte reads: semantics might differ. Avoid relying on zero-length reads for detecting data availability.
+- Internationalized domain names (IDN): certain IDN hostnames might be rejected by Network.framework. Prefer ASCII/Punycode (A-label) hostnames or validate names against macOS/Network.framework constraints.
+- If your app relies on specific <xref:System.Net.Security.SslStream> edge-case behavior, validate it under Network.framework.
+
@@ -2,14 +2,14 @@
 title: What's new in .NET 10
 description: Learn about the new features introduced in .NET 10 for the runtime, libraries, and SDK. Also find links to what's new in other areas, such as ASP.NET Core.
 titleSuffix: ""
-ms.date: 07/16/2025
+ms.date: 08/12/2025
 ms.topic: whats-new
 ai-usage: ai-assisted
 ---
 
 # What's new in .NET 10
 
-Learn about the new features in .NET 10 and find links to further documentation. This page has been updated for Preview 6.
+Learn about the new features in .NET 10 and find links to further documentation.
 
 .NET 10, the successor to [.NET 9](../dotnet-9/overview.md), is [supported for three years](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) as a long-term support (LTS) release. You can [download .NET 10 here](https://get.dot.net/10).
 
@@ -23,14 +23,14 @@ For more information, see [What's new in the .NET 10 runtime](runtime.md).
 
 ## .NET libraries
 
-The .NET 10 libraries introduce new APIs in cryptography, globalization, numerics, serialization, collections, and diagnostics, and when working with ZIP files. New JSON serialization options include disallowing duplicate properties and strict serialization settings. Post-quantum cryptography support has been expanded with Windows Cryptography API: Next Generation (CNG) support.
+The .NET 10 libraries introduce new APIs in cryptography, globalization, numerics, serialization, collections, and diagnostics, and when working with ZIP files. New JSON serialization options include disallowing duplicate properties, strict serialization settings, and PipeReader support for improved efficiency. Post-quantum cryptography support has been expanded with Windows Cryptography API: Next Generation (CNG) support, enhanced ML-DSA with simplified APIs and HashML-DSA support, plus Composite ML-DSA. Additional cryptography enhancements include AES KeyWrap with Padding support. New networking capabilities include WebSocketStream for simplified WebSocket usage and TLS 1.3 support for macOS clients. Process management gains Windows process group support for better signal isolation.
 
 For more information, see [What's new in the .NET 10 libraries](libraries.md).
 For details on JSON serialization, see [System.Text.Json overview](/dotnet/standard/serialization/system-text-json/overview).
 
 ## .NET SDK
 
-The .NET 10 SDK includes support for [Microsoft.Testing.Platform](../../testing/microsoft-testing-platform-intro.md) in `dotnet test`, standardizes CLI command order, and updates the CLI to generate native tab-completion scripts for popular shells. For containers, console apps can natively create container images, and a new property lets you explicitly set the format of container images. The SDK also supports platform-specific .NET tools, one-shot tool execution with `dotnet tool exec`, the new `dnx` tool execution script, CLI introspection with `--cli-schema`, and enhanced file-based apps with publish support and native AOT.
+The .NET 10 SDK includes support for [Microsoft.Testing.Platform](../../testing/microsoft-testing-platform-intro.md) in `dotnet test`, standardizes CLI command order, and updates the CLI to generate native tab-completion scripts for popular shells. For containers, console apps can natively create container images, and a new property lets you explicitly set the format of container images. The SDK also supports platform-specific .NET tools with enhanced compatibility via the `any` RuntimeIdentifier, one-shot tool execution with `dotnet tool exec`, the new `dnx` tool execution script, CLI introspection with `--cli-schema`, and enhanced file-based apps with publish support and native AOT.
 
 For more information, see [What's new in the SDK for .NET 10](sdk.md).
 For details on .NET tools, see [Manage .NET tools](/dotnet/core/tools/global-tools).

@@ -2,13 +2,13 @@
 title: What's new in .NET 10 runtime
 description: Learn about the new features introduced in the .NET 10 runtime.
 titleSuffix: ""
-ms.date: 07/16/2025
+ms.date: 08/12/2025
 ms.topic: whats-new
 ai-usage: ai-assisted
 ---
 # What's new in the .NET 10 runtime
 
-This article describes new features and performance improvements in the .NET runtime for .NET 10. It has been updated for Preview 6.
+This article describes new features and performance improvements in the .NET runtime for .NET 10.
 
 ## JIT compiler improvements
 

@@ -2,14 +2,14 @@
 title: What's new in the SDK and tooling for .NET 10
 description: Learn about the new .NET SDK features introduced in .NET 10.
 titleSuffix: ""
-ms.date: 07/16/2025
+ms.date: 08/12/2025
 ms.topic: whats-new
 ai-usage: ai-assisted
 ---
 
 # What's new in the SDK and tooling for .NET 10
 
-This article describes new features and enhancements in the .NET SDK for .NET 10. It has been updated for Preview 6.
+This article describes new features and enhancements in the .NET SDK for .NET 10.
 
 ## .NET tools enhancements
 
@@ -59,6 +59,30 @@ The actual implementation of the `dnx` command is in the `dotnet` CLI itself, al
 
 For more information about managing .NET tools, see [Manage .NET tools](../../tools/global-tools.md).
 
+### Use the `any` RuntimeIdentifier with platform-specific .NET tools
+
+The [platform-specific .NET tools](#platform-specific-net-tools) feature is great for making sure tools are optimized for specific platforms that you target ahead-of-time. However, there are times where you won't know all of the platforms that you'd like to target, or sometimes .NET itself will learn how to support a new platform, and you'd like your tool to be runnable there too.
+
+.NET is great at this - the platform at its heart is meant to support this kind of platform-agnostic execution. To make platform-specific .NET tools work this way, you only need to add one thing to your project file: the `any` Runtime Identifier.
+
+```diff
+<PropertyGroup>
+  <RuntimeIdentifiers>
+        linux-x64;
+        linux-arm64;
+        macos-arm64;
+        win-x64;
+-       win-arm64
++       win-arm64;
++       any
+  </RuntimeIdentifiers>
+</PropertyGroup>
+```
+
+This RuntimeIdentifier is at the 'root' of the platform-compatibility checking, and since it declares support for _any_ platform, the tool that gets packaged will be the most compatible kind of tool - a framework-dependent, platform-agnostic .NET dll, which requires a compatible .NET Runtime to execute. When you perform a `dotnet pack` to create your tool, you'll see a new package for the `any` RuntimeIdentifier appear alongside the other platform-specific packages and the top-level manifest package.
+
+This is the exact same kind of tool that you would make in .NET 9 and earlier, but now it fits into the overall goal of enabling platform-specific .NET tools!
+
 ### CLI introspection with `--cli-schema`
 
 A new `--cli-schema` option is available on all CLI commands. When used, it outputs a JSON representation of the CLI command tree for the invoked command or subcommand. This is useful for tool authors, shell integration, and advanced scripting.

@@ -0,0 +1,19 @@
+using System;
+using System.IO.Pipelines;
+using System.Text.Json;
+using System.Threading.Tasks;
+
+var pipe = new Pipe();
+
+// Serialize to writer
+await JsonSerializer.SerializeAsync(pipe.Writer, new Person("Alice"));
+await pipe.Writer.CompleteAsync();
+
+// Deserialize from reader
+var result = await JsonSerializer.DeserializeAsync<Person>(pipe.Reader);
+await pipe.Reader.CompleteAsync();
+
+Console.WriteLine($"Your name is {result.Name}.");
+// Output: Your name is Alice.
+
+record Person(string Name);
@@ -0,0 +1,51 @@
+using System;
+using System.Collections.Generic;
+using System.IO.Pipelines;
+using System.Text.Json;
+using System.Threading.Tasks;
+
+var pipe = new Pipe();
+
+// Producer writes to the pipe in chunks
+var producerTask = Task.Run(async () =>
+{
+    async static IAsyncEnumerable<Chunk> GenerateResponse()
+    {
+        yield return new Chunk("The quick brown fox", DateTime.Now);
+        await Task.Delay(500);
+        yield return new Chunk(" jumps over", DateTime.Now);
+        await Task.Delay(500);
+        yield return new Chunk(" the lazy dog.", DateTime.Now);
+    }
+
+    await JsonSerializer.SerializeAsync<IAsyncEnumerable<Chunk>>(pipe.Writer, GenerateResponse());
+    await pipe.Writer.CompleteAsync();
+});
+
+// Consumer reads from the pipe and outputs to console
+var consumerTask = Task.Run(async () =>
+{
+    var thinkingString = "...";
+    var clearThinkingString = new string("\b\b\b");
+    var lastTimestamp = DateTime.MinValue;
+
+    // Read response to end
+    Console.Write(thinkingString);
+    await foreach (var chunk in JsonSerializer.DeserializeAsyncEnumerable<Chunk>(pipe.Reader))
+    {
+        Console.Write(clearThinkingString);
+        Console.Write(chunk.Message);
+        Console.Write(thinkingString);
+        lastTimestamp = DateTime.Now;
+    }
+
+    Console.Write(clearThinkingString);
+    Console.WriteLine($" Last message sent at {lastTimestamp}.");
+
+    await pipe.Reader.CompleteAsync();
+});
+
+await producerTask;
+await consumerTask;
+
+record Chunk(string Message, DateTime Timestamp);