Summary
Add NuGet package signing and package authenticity checks for ModularityKit.Mutator release artifacts.
Goal
Increase trust in published packages by ensuring NuGet artifacts are signed, verifiable, and produced through a reproducible release path.
Problem
The repository produces .NET packages that may be consumed by external users or downstream build pipelines. Without package signing, consumers have fewer guarantees about package origin and artifact integrity, and the release workflow has less supply chain hardening than it should.
As the project matures, package provenance should become a first-class release concern rather than an afterthought. This is especially important if the repo publishes public packages or expects downstream automation to consume them in CI/CD environments.
Scope
Design Expectations
- The signing flow should be explicit and easy to audit.
- Signing should integrate with existing pack/publish steps rather than introducing a parallel release path.
- Secrets and certificate material should be handled through the normal CI secret model.
- Local development should remain possible without exposing signing material.
- Verification should fail loudly when a release artifact is unsigned or signed with the wrong material.
Suggested Deliverables
- Signed NuGet packages produced by release builds
- Build or CI validation for package signing
- Release documentation covering certificate setup and verification
- Optional local validation command for checking signature status
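One shape for the optional local validation command above, also usable as the CI verification step, added here as an example and not code from the ModularityKit.Mutator project: it assumes a .NET SDK that provides `dotnet nuget verify`, a directory of release packages, and the release certificate's SHA-256 fingerprint pinned out of band through the CI secret model (the `NUGET_SIGNING_CERT_FINGERPRINT` variable name is an assumption).

```shell
#!/bin/sh
# Added example, not code from the ModularityKit.Mutator repository: verify
# that every release .nupkg in a directory carries an author signature from
# the expected certificate, and fail loudly otherwise. Assumes a .NET SDK
# (dotnet nuget verify) on PATH and the release certificate's SHA-256
# fingerprint supplied out of band (CI secret/variable), never read from
# the package under test.
set -eu

# verify_release_packages <dir> <expected-sha256-fingerprint>
# Returns 0 when all packages verify; 1 if any package is unsigned or signed
# by another certificate; 2 if no fingerprint is set; 3 if no packages were
# found; 4 if the dotnet SDK is missing. Failure details go to stderr.
verify_release_packages() {
  pkg_dir="$1"; fingerprint="${2:-}"; found=0; failed=0
  if [ -z "$fingerprint" ]; then
    echo "ERROR: expected certificate fingerprint is not set" >&2
    return 2
  fi
  for pkg in "$pkg_dir"/*.nupkg; do
    [ -e "$pkg" ] || continue   # unmatched glob, nothing to verify
    found=$((found + 1))
    if ! command -v dotnet >/dev/null 2>&1; then
      echo "ERROR: dotnet SDK not found on PATH" >&2
      return 4
    fi
    # --all checks the signature and certificate trust; --certificate-fingerprint
    # pins the author certificate, so a package signed with any other key fails.
    if dotnet nuget verify "$pkg" --all \
         --certificate-fingerprint "$fingerprint" >/dev/null 2>&1; then
      echo "OK   $pkg"
    else
      echo "FAIL $pkg: unsigned or not signed by certificate $fingerprint" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "ERROR: no .nupkg files found in $pkg_dir" >&2
    return 3
  fi
  [ "$failed" -eq 0 ] || return 1
}

# Usage: sh verify-packages.sh ./artifacts   (fingerprint comes from the
# NUGET_SIGNING_CERT_FINGERPRINT environment variable; unset fails loudly)
if [ "$#" -gt 0 ]; then
  verify_release_packages "$1" "${NUGET_SIGNING_CERT_FINGERPRINT:-}"
fi
```

The same function can run as a release-job step with the fingerprint injected from CI, and locally without any signing material since it only needs the public fingerprint.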
Acceptance Criteria
Non Goals
- This issue does not change runtime behavior
- This issue does not alter package APIs or package contents beyond signature metadata
- This issue does not design a full release automation system by itself
- This issue does not require a new external signing service if the repository can use an existing signing approach
Notes
If the repository already has a preferred certificate or enterprise signing path, use that. Otherwise, the implementation should propose the least surprising and lowest-friction signing setup that works with the current build pipeline.