Package 'Telerik.Reporting.OpenXmlRendering 19.0.25.313' from source 'https://nuget.telerik.com/v3/index.json': This package is signed but not by a trusted signer.
1 Answer, 1 is accepted
Hello Francis,
Thank you for reaching out, I have personally downloaded the file and checked the signature validation myself and can confirm that it is in fact signed using our trusted HSM-backed certificate.
Here's the output:
You can do this yourself by running the dotnet nuget verify command.
Next Steps
As to why your file has been modified? I cannot say, maybe you have a corporate network that is modifying files, or there's a proxy in the middle, but this is exactly why signatures are used in the first place.
So, what I would do if I were you, I would clear my nuget cache and then get a fresh copy of the packages.
1. Clear the cache
dotnet nuget locals all --clear2. Rebuild your application to force a package restore.
This depends on what kind of project you are using Telerik Reporting in, but for most things, you can just use VS2022; do a Clean first, followed by a Rebuild.
Alternatively, if it is a project that uses the new SDK style csproj (i.e. NET Core projects), then you can use the .NET CLI to restore packages and build the project
# Step 1. Restore packages
# Note, if you dont have a custom nuget.config, the default nuget config is at %appdata%/Roaming/NuGet/NuGet.Config
dotnet restore path/to/your.csproj --configfile path/to/your/nuget.config
# Step 2. Build project
dotnet build path/to/your.csproj --no-restoreRegards,
Lance | Senior Manager Technical Support
Progress Telerik
Enjoyed our products? Share your experience on G2 and receive a $25 Amazon gift card for a limited time!
Rank 1
Iron
Iron
Iron
Thanks, Lance!
I have a trustedSigners in my nuget config for nuget.org with their three certificates' fingerprints. Could you check in your global nuget config file if you have one for Telerik? Or your code signing certificate may already exist in your certificate store. Try in a virtual machine.
Hi Francis, ah, thank you for clarifying. This warning is because itlooks like you haven't added us as an author (or the repository) to your trusted signers list.
While we have a couple packages on nuget.org, the overwhelming majority of them are from nuget.telerik.com. Try adding a new author/repository to the trustedSigners for our packages.
Here is the important docs on this topic:
- https://learn.microsoft.com/en-us/nuget/consume-packages/installing-signed-packages#trust-all-packages-from-a-repository
- https://learn.microsoft.com/en-us/nuget/consume-packages/installing-signed-packages#trust-package-owners
You can get the all certs thumbprints by running the dotnet nuget verify <path-to-pkg-file> --all command.
For your convenience, here's the output of running that again Telerik Reporting:
Signature type: Author Subject Name: CN=PROGRESS SOFTWARE CORPORATION, O=PROGRESS SOFTWARE CORPORATION, STREET=15 Wayside Rd Ste 400, L=Burlington, S=Massachusetts, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=5743582, OID.2.5.4.15=Private Organization SHA256 hash: 9A90F66CD8CFB86B3BA332010422F4767949E18C256B2D5996BEB0A4239D49F2 Valid from: 10/11/2024 3:16:24 PM to 11/27/2025 10:45:04 AM
then add the following author to your section:
<trustedSigners>
<author name="PROGRESS SOFTWARE CORPORATION">
<certificate fingerprint="9A90F66CD8CFB86B3BA332010422F4767949E18C256B2D5996BEB0A4239D49F2" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</author>
</trustedSigners>I would recommend using a trusted author, instead of a repository, because then you'll be able to use our oackages that live on nuget.org, too.
Notes:
- If you have a problem with using the shortname, try the full name "CN=PROGRESS SOFTWARE CORPORATION, O=PROGRESS SOFTWARE CORPORATION, STREET=15 Wayside Rd Ste 400, L=Burlington, S=Massachusetts, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=5743582, OID.2.5.4.15=Private Organization"
- If you have trouble with using author, then you can try repository instead.