Nuget.org is now able to allow for authors of a Nuget package to sign their packages so that users of the package can verify that the package has not been tampered with and it builds in some authentication of the author of who made the package. Here is the blog announcing this.
It sounds like anything new will require the package to be signed but the past packages will not be signed. Is this correct? How can I know that a package has been signed?
I am using Visual Studio 2017 above the version 15.8.5 and Nuget Package Manager 4.6.0
No, there is no requirement for packages to be author signed to upload to nuget.org. There are some more docs on signed packages, including the reference page and signing packages.
NuGet.org will also sign packages. Most popular packages are already repository signed at the time I'm writing this, and all other packages will eventually be repo signed. Yes, there's a difference between author signature and repo signature, so some packages will have two signatures.
To check if a packaged is signed or not, you can follow these instructions. Or open the package in NuGet Package Explorer, although you need to know what to look for, as I'm not sure there's anything that explicitly says unsigned. Or you can open the nupkg with any program that knows zips (or if it's a package you've already restored, go to the folder in your global packages folder %USERPROFILE%\.nuget\packages and look for a file named .signature.p7s.
Related
Let's say I have a nuget package in my Nexus repository called MyPackage.1.0.0. I also have a solution in Visual Studio that has MyPackage.1.0.0 installed. If I make a change to my nuget package in Nexus but I don't change the version number, what happens in Visual Studio? Will Visual Studio know that the installed package is outdated? Will it automatically download the new version next time the solution is built?
No, Visual Studio will not detect this and will not use the updated package. Also, if you are using package reference nuget package management format, the package once installed gets extracted to the global packages folder. If you now try to install this package in a completely different project, nuget first looks in this global packages folder and if it finds it which it will, it will use it and not go to package sources to retrieve it again.
You can clear the local nuget caches by calling
nuget locals all -clear
from the command line.
After that, all packages will be downloaded again. This may be acceptable during development (i.e. if you need to tweak your package until it works), but clearly is not an option if others are using the same version already.
Does NuGet support global package installation like NPM and Composer? If so, how do I do that? Also, how do I reference globally installed packages in my Visual Studio projects?
So learning from #Lance's tips, I went ahead and checked %userprofile%\.nuget\packages folder, and indeed it contains all the packages that I have downloaded in the past. Unfortunately though, Visual Studio (I'm using Community 2019) does not allow you to install any of these packages into a new project. The Browse page in NuGet Package Manager UI displays online results only from nuget.org.
But then I found another clue. In Visual Studio Tools > Options > NuGet Package Manager > Package Sources, you can add custom sources. So I went ahead and added my cache folder as an alternate source.
Note that there is a separate "Machine-wide package sources" entry too that cannot be modified. I checked that folder and it contains mostly Microsoft's own packages (one exception that I found there was NewtonSoft.json). I have no idea how this folder is different from the nuget cache folder and how I can download a package to this folder.
So far so good. The Package Manager now shows all previously downloaded packages from cache when I select this source from the drop down (sources dropdown is in top-right corner). I can then select a package and install it from local source instead of downloading it from the Internet.
Hope this helps someone down the line.
I dont do this very often so excuse me the question is so basic.
I found an example of parallax effect online I wanted to test.
called paroller.js
So the site offered for me to download their package and I did, its now on my desktop.
And now I have no idea how to include this in my solution, I went to nuget package manager to search for it, but cannot find it.
Link to where i got it from: https://tgomilar.github.io/paroller.js/
I tried using the nuget package manager, and I googled a million different ways to install packages into solutions and all want me to use the package manager
The only thing that nuget does is to download the files build them ( if needed) and add the required references. So, you apparently want to add a js lib. You should look for the dist folder in the package that you want and import it in your page.
Note if there is not dist folder you may need to build the package which is not that simple.
In Visual Studio's NuGet Package Manager, you can view which NuGet packages have been installed in a solution by clicking the "Installed" tab in the package manager.
However, in situations where the same package is in multiple NuGet Package Sources, it would be useful to see which package source a particular NuGet package has come from. Is there a way to see this in the NuGet Package Manager, or any where else in VS?
Edit:
Copying in my comment below for clarification:
I'm creating a project using a preexisting one as a model. Both projects will need to reference the same Nuget packages, so I open up the model project in Visual Studio, open the Nuget Package Manager, and look at its installed packages. The model project has "PackageA" installed. I open the new project, open the Nuget Package Manager for it, and Browse for "PackageA". I notice that "PackageA" is available in multiple Package Sources. (These are internal to my company, not nuget,org) In my new project, I'd like to install "PackageA" from the same Package Source as the model project
Is there a way to view which package source an installed NuGet package is from, in Visual Studio?
The simple answer is No. That is because the information about which NuGet packages have been installed in a solution by in the "Installed" tab in the package manager is based on the packages.config file. There are only package ID, version, targetFramework options in that file, so we could get the NuGet Package Sources info in the package manager based on the Packages.config.
Besides, when we use NuGet to manage our packages, NuGet will download the packages from the NuGet Package Sources and set those packages into the Packages folder in the solution folder. What we have to do next are related to the packages in the Packages folder rather than NuGet Package Sources (except NuGet restore, Restore just download the packages from NuGet Package Sources). So we could not find the package source only be based on a package which has been downloaded already without package source info in the Package.config.
What`s more, when we use NuGet to download the packages, NuGet will search the NuGet Package Sources one by one to download, NuGet could not be smart to store the Package Sources where each package download from.
I'd like to install "PackageA" from the same Package Source as the model project
To resolve this question, you can open the Packages folder, copy "PackagesA", set it to the NuGet Package Source which you want to use, then install "PackageA" from that Package Source, you will get the same package as the model project.
You asked for it! It just took 4.5 years.
Now (.NET 6 tooling) you do have a way to configure packages sources which is also called package source mapping:
https://www.youtube.com/watch?v=G6P38Dn69Ro
https://devblogs.microsoft.com/nuget/introducing-package-source-mapping/
I've added some libraries to a VS 2010 solution using Nuget (RestSharp, Twilio, etc.). When I pull the same solution down to a new PC from TFS and try to build it, all the references to those assemblies are broken (error "namespace cannot be found..."). Is it necessary for each developer who works on this VS solution for the first time to independently install the same Nuget packages on their PCs?
Thanks,
Jim
As Andrew already have said it's all about the packages' location.
Either you have to check in the entire packages folder with all the packages, or each developer have to install the packages after first checking out. But there is a better way to do this, namely to use NuGet Package Restore - which will automatically install all missing packages when the project is built.
If you use package restore, you only need to check in the repositories.config into your VCS. With TFS you can cloak the entire packages folder except for the repositories.config, so that TFS doesn't annoy with pending checkins for new packages.
Also see this answer for guidance on how to use TFS + NuGet.
No, but you need to be sure the assemblies are all included in the same relative path so Visual Studio can find them. You can include the solution's nuget packages directories, which is where I think it stores a copy of the libraries to be referenced by the project(s).
Incidentally, including said diretories may be effectively the same as "installing the packages". If you include all the files that NuGet uses in its management of packages, NuGet will behave the same as if you had installed them. But you don't need to do the actual package install via NuGet for it to work... or even have NuGet installed in Visual Studio in the first place. It's just a matter of the proper files being where the Visual Studio project files expect them to be.