# error NU3018: Package 'PackageName 1.0.0' from source 'nuget.org' is not signed by a trusted signer.

- **ID:** `dotnet/nuget-package-signature-verification`
- **Domain:** dotnet
- **Category:** install_error
- **Error Code:** `NU3018`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

NuGet package signature verification fails because the package is signed with an untrusted certificate or the trusted signers list is misconfigured in nuget.config.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| NuGet 5.11.x | active | — | — |
| NuGet 6.0.x | active | — | — |
| NuGet 6.3.x | active | — | — |
| NuGet 6.4.x | active | — | — |

## Workarounds

1. **Add the package's signing certificate to trusted signers with proper certificate fingerprint verification.** (85% success)
2. **Disable signature validation for specific package sources in nuget.config by setting signatureValidationMode to 'accept' only for that source.** (75% success)
3. **Use NuGet's repository signature verification by adding the repository's service index as trusted signer.** (80% success)

## Dead Ends

- Setting `signatureValidationMode` to 'accept' globally reduces security and may violate organizational policy. (95% fail)
- Removing all trusted signers from `nuget.config` still requires the package to be signed by a trusted root. (90% fail)
- Adding the package author's certificate as a trusted signer without verifying the chain can still fail if the certificate is revoked. (80% fail)
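
An added example, not part of the original page or of NuGet itself: a Python audit of a `nuget.config` that flags the trust settings the workarounds and dead ends above depend on. The two configs, `ExampleAuthor`, `ExampleOwner` and the fingerprint are constructed placeholders; the `<owners>` element and the `allowUntrustedRoot` attribute belong to NuGet's `trustedSigners` schema but are not mentioned on this page.

```python
import re
import xml.etree.ElementTree as ET

HEX_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}  # hex digits per digest

def audit_nuget_config(xml_text):
    """Return findings about signature-trust settings in a nuget.config."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = "accept"  # NuGet default when the key is absent
    for add in root.findall("./config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            mode = add.get("value", "").lower()
    if mode != "require":
        findings.append("signatureValidationMode is '%s', not 'require'" % mode)
    signers = root.find("trustedSigners")
    for signer in (list(signers) if signers is not None else []):
        label = "%s '%s'" % (signer.tag, signer.get("name"))
        if signer.tag == "repository":
            if not signer.get("serviceIndex", "").lower().startswith("https://"):
                findings.append(label + ": serviceIndex is not HTTPS")
            if not (signer.findtext("owners") or "").strip():
                findings.append(label + ": no <owners> filter on repository trust")
        for cert in signer.findall("certificate"):
            algo = cert.get("hashAlgorithm", "").upper()
            fp = cert.get("fingerprint", "")
            if algo not in HEX_LEN or not re.fullmatch("[0-9A-Fa-f]{%d}" % HEX_LEN[algo], fp):
                findings.append(label + ": fingerprint is not a valid %s digest" % (algo or "?"))
            if cert.get("allowUntrustedRoot", "false").lower() == "true":
                findings.append(label + ": allowUntrustedRoot is true")
    return findings

# Constructed sample configs; the fingerprint is a placeholder, not a real certificate.
TEMPLATE = """<configuration>
  <config><add key="signatureValidationMode" value="{mode}" /></config>
  <trustedSigners>
    <author name="ExampleAuthor">
      <certificate fingerprint="{fp}" hashAlgorithm="SHA256" allowUntrustedRoot="{untrusted}" />
    </author>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="{fp}" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      {owners}
    </repository>
  </trustedSigners>
</configuration>"""
PLACEHOLDER_FP = "AB" * 32  # 64 hex digits, the length of a SHA-256 fingerprint
WEAK = TEMPLATE.format(mode="accept", fp=PLACEHOLDER_FP[:40], untrusted="true", owners="")
HARDENED = TEMPLATE.format(mode="require", fp=PLACEHOLDER_FP, untrusted="false",
                           owners="<owners>ExampleOwner</owners>")
```

`audit_nuget_config(WEAK)` returns five findings (the 40-digit fingerprint is SHA-1 length, so it fails the SHA-256 check twice), while `audit_nuget_config(HARDENED)` returns none.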
