.NET 6 will shift to a new signing certificate for some components

[mmitche]

.NET 6 will shift to a new signing certificate for many of its core binaries. This shift is intended to make it easier for Windows Defender Application Control (WDAC) customers to choose whether to allow .NET 6 and beyond on their environments, without the side effects a key shared between multiple products might have.

Details

Today Microsoft signs .NET artifacts with a variety of certificates. For example, NuGet packages, 3rd party binaries redistributed with .NET, Visual Studio extension packages, and some specialized debugging related binaries all have different certificates. The most common certificate is Microsoft Corporation, with issuer Microsoft Code Signing PCA 2011 and thumbprint abdca79af9dd48a0ea702ad45260b3c03093fb4b, used to sign most executable files. .NET is switching to .NET, with issuer Microsoft Code Signing PCA 2011 and thumbprint 60ff375e5669b98d43ea0e2328e618cf73c0f91d.

Not all binaries signed with Microsoft Corporation are shifting to the new certificate. .NET repackages a variety of assets from previous releases (e.g. targeting packs), and those will not change. Only newly built .NET 6 binaries will get the new certificate. Some tooling utilized in Visual Studio will remain on the existing cert.

Discussion

Questions or concerns? Please discuss at dotnet/runtime#51967