A private Chocolatey repository built for enterprise Windows teams

Cloudsmith gives Windows teams a fully managed, cloud-native private repository for Chocolatey packages. Push, pull, and govern nupkg files using native Chocolatey tooling, with no infrastructure to run and no compromises on security or control.

Universal format support

Chocolatey on Cloudsmith. Private Windows package management without the infrastructure burden.

  • Use Chocolatey + 30 other formats in a single repository
  • Manage nupkg packages alongside containers, raw binaries, and other OS formats
  • Centralize all Windows software artifacts in one governed, auditable store

How we support Chocolatey

Cloudsmith gives your Windows teams a fully managed Chocolatey repository with native tooling support, granular access controls, and the governance features that enterprise deployments require.
    Native Chocolatey support
    Push and pull nupkg files using the standard Chocolatey CLI and NuGet v2/v3 feed endpoints. Cloudsmith works with your existing choco tooling out of the box, with no workflow changes required.
    Governance and policy enforcement
    Create and enforce policies governing which packages are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria before any team member installs them.
    Access control and entitlement tokens
    Issue scoped entitlement tokens to control who and what can read from your repositories. Combine with role-based permissions to give each team exactly the access they need, nothing more.
    Global distribution
    Packages are served from Cloudsmith's CDN-backed edge network, giving Windows endpoints fast, reliable installs regardless of where your teams or build agents are located.
    Full audit and observability
    Every push, pull, and policy event is logged. Use client logs and analytics to track which packages are installed, by whom, and when, giving you complete traceability across your software supply chain.

Why teams choose Cloudsmith for Chocolatey

Managing Windows software at scale with self-hosted or ad-hoc repositories creates real friction. Cloudsmith removes those bottlenecks so your teams can ship reliably.
Without Cloudsmith: Teams pull packages directly from the public Chocolatey community gallery, introducing unpredictable package quality and reliance on external maintainers who may go inactive without warning.
With Cloudsmith: Your own private repository holds vetted, internally owned packages. No dependency on external maintainers, no surprise breakage, and no unplanned installs from the public feed.
Without Cloudsmith: Controlling which software versions reach Windows endpoints requires manual coordination. There is no central point to enforce standards, block unapproved versions, or quarantine non-compliant packages.
With Cloudsmith: Policy rules automatically gate what enters your repositories. You can block specific versions, require metadata fields, and quarantine packages that fail your criteria before any endpoint can install them.
Without Cloudsmith: Self-hosted NuGet servers or shared network shares have no meaningful audit trail. You cannot tell which packages were installed, on which machines, or by which pipelines.
With Cloudsmith: Cloudsmith logs every upload, download, and policy event. You get a complete, searchable audit trail across all repositories, giving operations and security teams the visibility they need.

Signs you're ready to switch to Cloudsmith for Chocolatey

If your current setup is slowing deployments, limiting visibility, or leaving policy gaps, Cloudsmith is the upgrade your Windows software workflows need.
    Self-hosted repos you'd rather not maintain
    Running your own NuGet or Chocolatey server means patching, scaling, and troubleshooting infrastructure that isn't your core product. Cloudsmith takes that operational burden off your team entirely.
    No control over what packages reach endpoints
    If teams can install any package version from the public gallery, you have a governance gap. Cloudsmith lets you define exactly which packages and versions are permitted, and enforces those rules before anything reaches a machine.
    Zero visibility into package activity
    Without logs, you cannot answer basic questions about what software is installed across your fleet. Cloudsmith gives you a full audit trail covering every push, pull, and policy event.
    Slow installs for distributed Windows teams
    A single-region repository creates latency pain for remote build agents and globally distributed teams. Cloudsmith's CDN-backed edge network keeps install times fast wherever your endpoints are.
    Chocolatey isolated from the rest of your stack
    Siloed Windows package management fragments your software supply chain. Cloudsmith stores Chocolatey packages alongside 30 other formats, so every artifact type lives in one governed, observable platform.

Frequently asked questions

  1. Yes. Cloudsmith exposes a NuGet v2 feed endpoint that is fully compatible with the choco CLI. You add the repository as a source using choco sources add and then push and pull packages as normal. NuGet v3 feeds are also supported for Chocolatey v2.0 and above.

  2. Yes. You can host your own internal packages and also internalize packages from the public gallery, embedding software binaries directly so your installations do not rely on external download URLs or community maintainers.

  3. Cloudsmith supports entitlement token authentication and HTTP basic authentication using API keys or user credentials. Entitlement tokens are scoped and can be distributed to endpoints without exposing user credentials, making them the preferred choice for automated deployments.

  4. Yes. Cloudsmith's policy engine lets you define rules governing which packages and versions are permitted. You can block specific versions, require metadata fields such as package descriptions or authors, and automatically quarantine packages that do not meet your criteria before any endpoint can install them.

  5. Yes. Cloudsmith supports both NuGet v2 and NuGet v3 feed endpoints. Chocolatey v2.0 and later can use NuGet v3 sources, and Cloudsmith's v3 feed is fully compatible with this.

  6. Yes. All Cloudsmith repositories are multi-format. You can store Chocolatey nupkg files in the same repository as Debian, RPM, PowerShell, Raw, or any of the 30+ other supported formats, giving you a single governed artifact store for your entire Windows and cross-platform software supply chain.

  7. You can upload existing nupkg files to Cloudsmith using the Cloudsmith CLI, the web app, or the REST API. Once uploaded, you update your choco source configuration to point to the Cloudsmith feed URL. Cloudsmith's contextual setup instructions include pre-configured snippets for your specific workspace and repository.

  8. Cloudsmith provides a full audit log covering every upload, download, and policy event across your repositories. You can query logs via the web app, API, or CLI, and export data into third-party analysis tools for deeper reporting.

  9. Yes. Cloudsmith works with Azure DevOps, GitHub Actions, Jenkins, TeamCity, and other CI/CD platforms. You reference Cloudsmith repositories as package sources in your pipeline configurations, and authenticate using API keys or entitlement tokens.

  10. Yes. Cloudsmith is a fully managed, cloud-native platform with no infrastructure for you to run or scale. Its CDN-backed edge network serves packages globally, keeping install times fast across large fleets of Windows endpoints and distributed build agents.
