---
title: "Verify the integrity of NuGet packages with native signing"
description: "Cloudsmith now supports natively signing all NuGet packages using an X.509 certificate. This feature enables consumers to verify a package’s repository signatures in native tooling using the NuGet or .NET CLI, ensuring integrity and authenticity."
canonical_url: "https://cloudsmith.com/changelog/verify-the-integrity-of-nuget-packages-with-native-signing"
last_updated: "2025-03-25T09:07:00.000Z"
---
# Verify the integrity of NuGet packages with native signing

Cloudsmith now supports natively signing all NuGet packages using an X.509 certificate. This feature enables consumers to verify a package’s repository signatures in native tooling using the NuGet or .NET CLI, ensuring integrity and authenticity.

#### How it works

When NuGet native signing is enabled for a Cloudsmith repository:

- A unique X.509 certificate is issued for that repository.
- A repository signature is generated when a NuGet package is uploaded or resynced, and the signing certificate is included in the NuGet repository signature index.
- Consumers can verify a package’s repository signature locally using native tooling such as the NuGet or .NET CLI, confirming that the package originated from Cloudsmith.

For repositories with NuGet native signing and NuGet upstreams configured:

- Cloudsmith indexes the upstream repository’s RepositorySignature endpoint from the NuGet service index.
- Upstream signatures are also passed through for verification.

#### Why this matters

Signed packages enable integrity verification, mitigating risks of content tampering. The package’s repository signatures serve as proof of origin, providing consumers a reliable way to authenticate packages before use.

To get started with native signing for NuGet, please see [Signing NuGet Packages](https://help.cloudsmith.io/docs/signing-nuget-packages) for more information.
