Open Source Security
NuGet Package Signing Status in 2026
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
Feb 17, 20267 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.
Source generators are C# code that executes during compilation with developer privileges. The .NET equivalent of Rust's proc macros — and the same underexamined attack surface.
Listing every CVE in your NuGet dependency tree is easy. Turning it into a dashboard someone can act on is the work. A practical design.
Private NuGet feeds sit in the blind spot of most security programs. The hardening work is not glamorous but the failure modes are expensive.
Central Package Management pulled NuGet's multi-project version chaos into a single source of truth. The security implications run deeper than the ergonomics suggest.
Auditing a .NET supply chain is a different exercise than auditing a JavaScript one, and the patterns that actually find problems are specific to how the ecosystem works.
Rolling NuGet package signing enforcement across a large .NET estate is a policy and tooling problem, not a cryptography problem. Here is how it actually goes.
Securing your .NET supply chain with NuGet package signing, lock files, and vulnerability scanning.
Weekly insights on software supply chain security, delivered to your inbox.