
[Task]: Add NuGet package signing and authenticity checks #50

Description

@rian-be

Summary

Add NuGet package signing and package authenticity checks for ModularityKit.Mutator release artifacts.

Goal

Increase trust in published packages by ensuring NuGet artifacts are signed, verifiable, and produced through a reproducible release path.

Problem

The repository produces .NET packages that may be consumed by external users or downstream build pipelines. Without package signing, consumers have fewer guarantees about package origin and artifact integrity, and the release workflow has less supply chain hardening than it should.

As the project matures, package provenance should become a first-class release concern rather than an afterthought. This is especially important if the repo publishes public packages or expects downstream automation to consume them in CI/CD environments.

Scope

  • Add NuGet package signing to the release pipeline
  • Define the signing certificate or signing approach used by the repository
  • Configure build and pack steps so signed packages are emitted consistently
  • Add verification steps so package authenticity can be checked in CI or release validation
  • Document the signing workflow, required secrets, and local developer expectations
  • Ensure signing changes do not alter package contents beyond the expected signature metadata
  • Keep the implementation compatible with the repository's current packaging and release flow

Design Expectations

  • The signing flow should be explicit and easy to audit.
  • Signing should integrate with existing pack/publish steps rather than introducing a parallel release path.
  • Secrets and certificate material should be handled through the normal CI secret model.
  • Local development should remain possible without exposing signing material.
  • Verification should fail loudly when a release artifact is unsigned or signed with the wrong material.
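The scope items and design expectations above describe one procedure: sign after pack, then verify before publish and fail the build on anything unsigned or signed with the wrong certificate. The script below is an added example of that procedure, not code from the ModularityKit.Mutator repository. It assumes the .NET SDK (6.0 or later, for `dotnet nuget sign` and `dotnet nuget verify`), a PFX code-signing certificate materialised from a CI secret, and the environment variable names `SIGNING_CERT_PATH`, `SIGNING_CERT_PASSWORD`, `SIGNING_CERT_SHA256` and `TIMESTAMP_URL`, all of which are assumptions for the example; the timestamp server URL is a placeholder too.

```shell
#!/usr/bin/env bash
# sign-and-verify.sh: sign release .nupkg files, then verify them against a pinned
# certificate fingerprint so that an unsigned package, or one signed with the wrong
# certificate, fails the build instead of slipping through.
#
# Assumptions (example only, not taken from the ModularityKit.Mutator repository):
#   - .NET SDK 6.0 or later, for `dotnet nuget sign` and `dotnet nuget verify`
#   - a code-signing certificate in PFX form, written to disk from a CI secret
#   - these environment variables, provided by the CI secret store:
#       SIGNING_CERT_PATH      path to the PFX file
#       SIGNING_CERT_PASSWORD  PFX password
#       SIGNING_CERT_SHA256    SHA-256 fingerprint of the signing certificate
#       TIMESTAMP_URL          RFC 3161 timestamp authority (optional)
set -eu

# NuGet compares fingerprints as bare hex. Accept the colon-separated form that
# `openssl x509 -noout -fingerprint -sha256` prints and reject anything that is
# not exactly 32 bytes, so a truncated or mistyped secret fails with a clear
# message rather than as an opaque "signer did not match".
normalize_fingerprint() {
  local fp
  fp=$(printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/://g' | tr '[:lower:]' '[:upper:]')
  case $fp in
    *[!0-9A-F]*) echo "error: fingerprint contains non-hex characters" >&2; return 1 ;;
  esac
  if [ "${#fp}" -ne 64 ]; then
    echo "error: expected a 64-hex-digit SHA-256 fingerprint, got ${#fp} digits" >&2
    return 1
  fi
  printf '%s\n' "$fp"
}

# Print the packages in a directory, one per line, and fail when there are none:
# an empty artifact directory must not let "every package verified" pass trivially.
list_packages() {
  local dir=$1 pkgs
  pkgs=$(find "$dir" -maxdepth 1 -type f -name '*.nupkg' | sort)
  if [ -z "$pkgs" ]; then
    echo "error: no .nupkg files found in $dir" >&2
    return 1
  fi
  printf '%s\n' "$pkgs"
}

# Sign every package in place. Signing appends .signature.p7s inside the .nupkg and
# leaves the packed content untouched; --overwrite replaces any stale signature
# from an earlier run instead of failing on it. With `set -u`, a missing secret
# aborts the step immediately.
sign_packages() {
  local dir=$1 pkg
  list_packages "$dir" >/dev/null
  for pkg in "$dir"/*.nupkg; do
    dotnet nuget sign "$pkg" \
      --certificate-path "$SIGNING_CERT_PATH" \
      --certificate-password "$SIGNING_CERT_PASSWORD" \
      --timestamper "${TIMESTAMP_URL:-http://timestamp.digicert.com}" \
      --overwrite
  done
}

# Verify the exact files that will be pushed. --all runs every check (signature
# format, certificate chain, timestamp) and --certificate-fingerprint pins the
# signer, so a package signed with some other valid certificate fails as well.
# The non-zero exit code is what gates the release.
verify_packages() {
  local dir=$1 fp
  fp=$(normalize_fingerprint "$SIGNING_CERT_SHA256")
  list_packages "$dir" >/dev/null
  dotnet nuget verify "$dir"/*.nupkg --all --certificate-fingerprint "$fp"
}

case "${1:-}" in
  sign)   sign_packages "${2:?artifact directory required}" ;;
  verify) verify_packages "${2:?artifact directory required}" ;;
  "")     ;;  # no subcommand: only define the functions (sourcing, tests)
  *)      echo "usage: $0 {sign|verify} <artifact-dir>" >&2; exit 2 ;;
esac
```

Run `sign-and-verify.sh sign artifacts/` right after `dotnet pack` and `sign-and-verify.sh verify artifacts/` immediately before `dotnet nuget push`, on the same files. Two points matter for the acceptance criteria: the signature is stored as an extra entry in the package, so the signed .nupkg has a different file hash than the unsigned one, which is why the pipeline must sign once after pack and never re-pack afterwards; and checking only "is there a signature" is not enough, since any valid certificate would pass, so the fingerprint pin is what turns "signed with the wrong material" into a hard failure. Downstream consumers can enforce the same pin at restore time with a `<trustedSigners>` entry in NuGet.config and `signatureValidationMode` set to `require`.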

Suggested Deliverables

  • Signed NuGet packages produced by release builds
  • Build or CI validation for package signing
  • Release documentation covering certificate setup and verification
  • Optional local validation command for checking signature status

Acceptance Criteria

  • Release packages are signed through the repository's standard release path
  • The signing configuration is documented and discoverable
  • CI or release validation can detect missing or invalid signatures
  • Package signing does not change the public package surface area
  • The implementation is compatible with current .NET packaging conventions used by the repo

Non Goals

  • This issue does not change runtime behavior
  • This issue does not alter package APIs or package contents beyond signature metadata
  • This issue does not design a full release automation system by itself
  • This issue does not require a new external signing service if the repository can use an existing signing approach

Notes

If the repository already has a preferred certificate or enterprise signing path, use that. Otherwise, the implementation should propose the least surprising and lowest friction signing setup that works with the current build pipeline.

Metadata

Assignees: no one assigned
Labels: ci (CI/CD and repository automation changes)
Milestone: no milestone
Development: no branches or pull requests