Package Signatures Technical Details

[rido-min]

Status: InReview

This issue should be used to discuss the spec Package Signatures Technical Details

Discussion should happen on this issue. Please link other issues with similar asks to this one

[hach-que]

Are there any impacts for third-party clients that push to nuget.org? I'm having to do work now because of the breaking change around the X-NuGet-Client-Version: 4.1.0 header, and I want to know if in the future Protobuild will suddenly be unable to push or pull to nuget.org because of package signing.

[rido-min]

@hach-que package signing is designed to be fully backwards compatible. This means that older clients can pull signed and unsigned packages. There are no new requirements for push, and NuGet.org will accept unsigned packages.

[rrelyea]

4.6 work on this specification is done.
We still need some (likely) 4.7 details determined during 4.6, so that we won't blow up with repo signatures in a package with 4.6 client.