
Is there a way to do a checksum for a given Nuget package?


I've been looking for a way to check that a file hasn't been tampered with. Is there a checksum for NuGet packages?


Solution

  • Yes, NuGet packages do have a checksum. As per this link, <packageId>.<packageVersion>.nupkg.sha512 contains the hash of the .nupkg file itself. As the packages uploaded on nuget.org started being repo-signed a while ago, there's also a separate file named .nupkg.metadata that contains the hash of the file before the signature itself was applied.

    The files containing the 2 hashes mentioned above however are generated after the .nupkg file is retrieved from nuget.org and installed by the NuGet client, which kinda makes it impossible to check that the downloaded .nupkg hasn't been tampered with in the first place.

    How is the integrity of the files ensured then? Through a signature file called .signature.p7s, itself stored within the .nupkg file. The way to use the information in this file is by issuing a nuget.exe verify -all <nupkg_file>, as per the latest link above (nuget.exe can be downloaded from here).

    Here's how the result looks on a file that has been tampered with (for the test I've used the CommandLineParser NuGet package and had its license.md file removed from within the .nupkg file):

    [screenshot of the nuget.exe verify output omitted]
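The sidecar-hash check the answer describes, as an added Python example that is not part of the original answer or of the NuGet client: it computes the base64 SHA-512 that `<id>.<version>.nupkg.sha512` holds, compares it to the package on disk, reports whether a `.signature.p7s` entry is present in the archive, and then repeats the check after `license.md` has been stripped from a constructed sample package (the `Sample.1.0.0.nupkg` name and contents are made up for the demo).

```python
import base64
import hashlib
import os
import tempfile
import zipfile

SIGNATURE_ENTRY = ".signature.p7s"  # signature file stored inside a signed .nupkg


def sha512_b64(path):
    """Base64 SHA-512 of a file, the encoding NuGet writes to <id>.<version>.nupkg.sha512."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")


def check_nupkg(nupkg_path, expected_b64=None):
    """Return (hash_matches, has_signature_entry); expected_b64 defaults to the sidecar
    <nupkg>.sha512 the client writes on install, or pass a hash recorded earlier."""
    if expected_b64 is None:
        with open(nupkg_path + ".sha512", encoding="utf-8") as f:
            expected_b64 = f.read().strip()
    hash_matches = sha512_b64(nupkg_path) == expected_b64
    with zipfile.ZipFile(nupkg_path) as z:  # a .nupkg is a zip archive
        has_signature = SIGNATURE_ENTRY in z.namelist()
    return hash_matches, has_signature


def build_sample_package(directory, include_license=True):
    """Constructed sample: a minimal unsigned .nupkg with a nuspec and a license file."""
    path = os.path.join(directory, "Sample.1.0.0.nupkg")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Sample.nuspec", "<package><metadata><id>Sample</id></metadata></package>")
        if include_license:
            z.writestr("license.md", "MIT License\n")
    return path


def run_demo():
    """Check right after 'install', then again after license.md is stripped from the package."""
    with tempfile.TemporaryDirectory() as d:
        pkg = build_sample_package(d)
        with open(pkg + ".sha512", "w", encoding="utf-8") as f:
            f.write(sha512_b64(pkg))  # what the client's sidecar would hold
        intact = check_nupkg(pkg)  # (True, False): unmodified but unsigned
        build_sample_package(d, include_license=False)  # rewrite package without license.md
        return intact, check_nupkg(pkg)  # second tuple is (False, False)
```

Calling `run_demo()` returns `((True, False), (False, False))`; on a real install, point `check_nupkg` at the `.nupkg` in the global packages folder. As the answer notes, a sidecar written after download only catches later modification, so `nuget.exe verify -all` remains the check that the package content matches its signature.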