Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Invalid value for
--certificate-fingerprintoption in thedotnet nuget signcommand or theCertificateFingerprintoption in theNuGet.exe signcommand. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).
This warning is promoted to an error in the .NET 10 SDK, and will be promoted to an error in NuGet.exe around .NET 10's release.
Issue
Starting with .NET 9 and NuGet.exe 6.12, NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. SHA-1 is considered insecure and should no longer be used.
Solution
To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the --certificate-fingerprint option in the dotnet nuget sign command or the CertificateFingerprint option in the NuGet.exe sign command.
You can use the following scripts to compute SHA-2 family hashes for certificates.
PowerShell
To use the script, you need to save the certificate to a local folder.
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$stream = [System.IO.MemoryStream]::new($certificate.RawData)
Try
{
(Get-FileHash -Algorithm SHA256 $stream).Hash
}
Finally
{
$stream.Dispose()
$certificate.Dispose()
}
OpenSSL (Linux/macOS)
If the certificate is in PEM or CRT format:
openssl x509 -in path/to/certificate -outform der | sha256sum
If the certificate is already in DER format:
sha256sum path/to/certificate
Tip
For SHA-384 or SHA-512, replace sha256sum with sha384sum or sha512sum as needed.