# Error NU3018: Package 'PackageName 1.0.0' from source 'nuget.org' is not signed by a trusted signer.

- **ID:** `dotnet/nuget-package-signature-verification`
- **Domain:** dotnet
- **Category:** install_error
- **Error code:** `NU3018`
- **Verification level:** ai_generated
- **Fix rate:** 85%

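## Root cause

NuGet package signature verification fails because the package is signed with an untrusted certificate, or because the trusted signers list in `nuget.config` is misconfigured.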

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| NuGet 5.11.x | active | — | — |
| NuGet 6.0.x | active | — | — |
| NuGet 6.3.x | active | — | — |
| NuGet 6.4.x | active | — | — |

## Solutions

1. Add the package's signing certificate to the trusted signers list, verifying the certificate fingerprint before trusting it.
2. Disable signature validation for specific package sources in `nuget.config` by setting `signatureValidationMode` to 'accept' only for that source.
3. Use NuGet's repository signature verification by adding the repository's service index as a trusted signer.

## Ineffective attempts

- Setting `signatureValidationMode` to 'accept' globally reduces security and may violate organizational policy. (95% failure rate)
- Removing all trusted signers from `nuget.config` still requires the package to be signed by a trusted root. (90% failure rate)
- Adding the package author's certificate as a trusted signer without verifying the chain can still fail if the certificate is revoked. (80% failure rate)
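
A small linter for the signing-related parts of a `nuget.config`, covering the settings that the solutions and ineffective attempts above refer to. It is an added example, not code from the original page or from NuGet: the sample config is constructed, its fingerprint is a placeholder, and the `audit` function and its finding strings are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample nuget.config; the fingerprint is a placeholder, not a real certificate.
SAMPLE = """<configuration>
  <config>
    <add key="signatureValidationMode" value="accept" />
  </config>
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_FINGERPRINT" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </repository>
  </trustedSigners>
</configuration>"""

HEX_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}  # hex digits per hash algorithm

def audit(xml_text):
    """Return a list of findings for the signing-related parts of a nuget.config."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = "accept"  # NuGet's default when the key is absent
    for add in root.findall("./config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            mode = add.get("value", "").lower()
    if mode != "require":
        findings.append("mode: signatureValidationMode is not 'require'")
    signers = root.find("trustedSigners")
    entries = [] if signers is None else [e for e in signers if e.tag in ("author", "repository")]
    if mode == "require" and not entries:
        findings.append("signers: 'require' mode but no trusted signers configured")
    for entry in entries:
        name = entry.get("name", "?")
        certs = entry.findall("certificate")
        if not certs:
            findings.append(f"{name}: no certificate fingerprint listed")
        for cert in certs:
            algo = cert.get("hashAlgorithm", "").upper()
            fp = cert.get("fingerprint", "")
            if algo not in HEX_LEN or not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HEX_LEN[algo], fp):
                findings.append(f"{name}: fingerprint is not a valid {algo or 'hash'} hex digest")
            if cert.get("allowUntrustedRoot", "false").lower() == "true":
                findings.append(f"{name}: allowUntrustedRoot=true lets the chain end at an untrusted root")
        if entry.tag == "repository" and not entry.get("serviceIndex", "").startswith("https://"):
            findings.append(f"{name}: serviceIndex missing or not HTTPS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the constructed sample, it reports the permissive validation mode, the malformed fingerprint and the `allowUntrustedRoot` setting.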
