nuget package integrity validation

Topics: General
Jan 14, 2015 at 3:50 PM
I work in an environment where we need to ensure our 3rd party installed packages can be validated that they came from a trusted source. I know there is a packagehash field in the atom stream. I mainly need to verify that the downloaded package hasn't been tampered with.

My questions, which I can't find an answer, are:
  • Is this hash required for every package, and more specifically, do all packages hosted on nuget.org contain this hash?
  • Does the Visual Studio Nuget package manager always validate the package against this hash when a new package is installed locally?
  • Are there any other validation routines that I should be using to ensure package integrity.
Thank you for your help in advance!
Jan 27, 2015 at 9:19 PM
bump