Caution
Please report security bugs in .NET and other Microsoft projects via https://msrc.microsoft.com/report/
Security bugs in .NET reported via MSRC can be eligible for the .NET Bug Bounty.
- 💼 For work I try to keep .NET and its ecosystem secure through design reviews, threat models and other processes.
- 🏠 Here I write bad code, including code for
  - 🦋 Wrapping AtProto and Bluesky APIs in a .NET class library,
  - 🔐 Random security classes for .NET, including an SSRF protection library,
  - 🔐 Authentication middleware for ASP.NET Core,
  - 🔓 Examples of insecure code for demonstrations and conference talks.
📇 You can reach me on Bluesky as blowdart.me
Run the following PowerShell command on Windows to validate the signature of a file. Compare the SignerCertificate with the SHA1 Thumbprint column in the table above to ensure it is signed with a valid certificate.

    Get-AuthenticodeSignature [-FilePath]

Run the following command on Windows or Linux with a .NET SDK installed to validate the signature of a file. Compare the SHA256 hash under Signature Type: Author with the SHA256 Thumbprint column in the table above to ensure it is signed with a valid certificate.

    dotnet nuget verify [<package-path(s)>]

Pre-release builds hosted on MyGet are signed with Azure Artifact Signing, which uses a short-lived certificate. You can verify that the certificate is issued to "CN=Barry Dorrans, O=Barry Dorrans, L=Bothell, S=Washington, C=US", with a root CA of "CN=Microsoft Identity Verification Root Certificate Authority 2020".

To view the full certificate chain in dotnet nuget verify, use the -v detailed option:

    dotnet nuget verify [<package-path(s)>] -v detailed
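The Authenticode check described above can be scripted so that both the signature status and the signer thumbprint are tested, rather than compared by eye. This is an added example, not code from this repository; the function name `Test-PinnedSignature`, the file name and the thumbprint placeholder are assumptions, and the real thumbprint must be taken from the SHA1 Thumbprint column of the table.

```powershell
# Added example: hypothetical helper, not part of the original page.
function Test-PinnedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $FilePath,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )

    # Thumbprints copied from a web page often carry spaces, colons or
    # lower-case hex, so strip everything that is not a hex digit.
    $normalise = { param($t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

    $allowed = @($AllowedThumbprints | ForEach-Object { & $normalise $_ })
    foreach ($t in $allowed) {
        # A SHA1 thumbprint is 40 hex characters; reject anything else so an
        # unreplaced placeholder or a truncated paste fails loudly.
        if ($t.Length -ne 40) { throw "Not a SHA1 thumbprint: '$t'" }
    }

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Status must be Valid. NotSigned, HashMismatch, NotTrusted and the other
    # values all mean the file fails, whatever certificate is attached to it.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "$FilePath : signature status is $($sig.Status). $($sig.StatusMessage)"
        return $false
    }

    # A valid signature only proves that some trusted publisher signed the
    # file; pinning the thumbprint proves it was the expected publisher.
    $actual = & $normalise $sig.SignerCertificate.Thumbprint
    if ($allowed -notcontains $actual) {
        Write-Warning "$FilePath : unexpected signer $actual ($($sig.SignerCertificate.Subject))"
        return $false
    }
    return $true
}

# Usage (hypothetical file name; replace the placeholder with the value
# from the SHA1 Thumbprint column before running):
# Test-PinnedSignature -FilePath .\Example.dll -AllowedThumbprints '<SHA1-THUMBPRINT-FROM-TABLE>'
```

Thumbprint pinning only suits the release certificates listed in the table; for the pre-release builds signed with a short-lived certificate, check the subject and root CA instead, as described above.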







