Code Signing
Every EPPlus release is digitally signed with a code-signing certificate issued by GlobalSign to EPPlus Software AB. This applies to all distributed assemblies as well as the NuGet package itself, and allows you to independently verify that what you are using was built and published by us.
Why we sign our releases
Software supply chain attacks — where an attacker tampers with a package between the publisher and the end user — are a growing threat. A digital signature provides a cryptographic guarantee that the file you have downloaded is identical to what we built and released. It also confirms the identity of the publisher: the signature can only have been created by the holder of a certificate issued to EPPlus Software AB by a trusted certificate authority. If a file has been modified after signing, or if it was never signed by us, verification will fail.
What is signed
All assemblies included in an EPPlus release are signed across every supported target framework. The NuGet package is signed separately as a package-level signature, which covers the entire package contents.
The exact set of assemblies and target frameworks included in a given release is listed in the Software Bill of Materials for that release.
Certificate
The signing certificate is issued by GlobalSign, a globally trusted certificate authority. The certificate is securely stored in a hardware-backed key store and is only accessed as part of our automated release pipeline — the private key never leaves the secure environment.
| Issued to | EPPlus Software AB |
|---|---|
| Issued by | GlobalSign GCC R45 CodeSigning CA 2020 |
| Digest algorithm | SHA-256 |
| Timestamp authority | GlobalSign TSA for Advanced - G4 |
All signatures include a trusted timestamp from GlobalSign. This ensures that signatures remain verifiable even after the signing certificate is renewed, as long as the signature was created during the certificate's validity period. Note that the certificate details above reflect the current signing certificate — issuer and timestamp authority may change at renewal.
NuGet repository countersignature
In addition to our own author signature, NuGet.org automatically adds a repository countersignature when a package is published. This countersignature is issued by NuGet.org and confirms that the package was uploaded by the registered owners of the EPPlus package on NuGet.org. When you verify a package, you will see both signatures — the author signature from EPPlus Software AB and the repository countersignature from NuGet.org.
You can verify the registered owners of the EPPlus package independently on nuget.org/packages/EPPlus.
If verification fails
A failed verification means either that the file has been modified after it was signed, that the signature is missing, or that the certificate chain cannot be trusted. Do not use a package or assembly that fails verification. If you have reason to believe a published EPPlus release has been tampered with, please report it to us immediately.
See our Vulnerability Disclosure Policy for instructions on how to contact us.
Verify a release yourself
You can independently verify the signature on any EPPlus release using standard tooling, without relying on us.
Verifying the NuGet package
The most straightforward way to verify an EPPlus release is to verify the NuGet package signature using the .NET CLI. This works on Windows, Linux and macOS.
```shell
dotnet nuget verify EPPlus.<version>.nupkg --verbosity detailed
```
A successfully verified package will show both the author signature from EPPlus Software AB and the repository countersignature from NuGet.org:
```text
X.509 certificate chain validation will use the default trust store selected by .NET for code signing.
X.509 certificate chain validation will use the default trust store selected by .NET for timestamping.
Verifying EPPlus.<version>
Signature Hash Algorithm: SHA256
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=EPPlus Software AB, O=EPPlus Software AB, L=Stockholm, C=SE
Issued by: CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: EPPlusSoftware, jankallman, swmal
Successfully verified package 'EPPlus.<version>'.
```
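The `dotnet nuget verify` step above confirms that the signatures chain to a trusted root, but on its own it does not check who the signer is: a package carrying any trusted author signature would also print "Successfully verified". The POSIX shell script below is an added example (not EPPlus project code) that pins the subject and issuer from the certificate table and requires the NuGet.org repository countersignature by parsing the tool's detailed output; the function names `check_verify_output` and `verify_package` are assumed here, and the embedded sample is a constructed copy of the success output shown above.

```shell
#!/bin/sh
# Added example (not EPPlus project code): pin the expected signer in the
# detailed output of `dotnet nuget verify`, so a package carrying some other
# trusted signature is not mistaken for an EPPlus release. Values from the page.
EXPECTED_SUBJECT='CN=EPPlus Software AB, O=EPPlus Software AB, L=Stockholm, C=SE'
EXPECTED_ISSUER='CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE'

# check_verify_output (assumed name) reads the tool's output on stdin and returns
# 0 only if the tool reported success, the author primary signature names the
# pinned subject and issuer, and a NuGet.org repository countersignature exists.
check_verify_output() {
    _out=$(cat)
    printf '%s\n' "$_out" | grep -q '^Successfully verified package' || return 1
    # Isolate the certificate lines that follow the author primary signature.
    _author=$(printf '%s\n' "$_out" |
        sed -n '/Verifying the author primary signature/,/^Signature type: Repository/p')
    printf '%s\n' "$_author" | grep -Fq "Subject Name: $EXPECTED_SUBJECT" || return 2
    printf '%s\n' "$_author" | grep -Fq "Issued by: $EXPECTED_ISSUER" || return 3
    printf '%s\n' "$_out" | grep -q '^Signature type: Repository' || return 4
    printf '%s\n' "$_out" | grep -Fq 'Service index: https://api.nuget.org/v3/index.json' || return 5
    return 0
}

# verify_package (assumed name) runs the real tool on a downloaded package and
# applies the checks above. Usage: verify_package EPPlus.<version>.nupkg
verify_package() {
    dotnet nuget verify "$1" --verbosity detailed | check_verify_output
}

# Constructed sample: a copy of the success output shown on this page.
GOOD_OUTPUT=$(cat <<'EOF'
Verifying EPPlus.<version>
Signature Hash Algorithm: SHA256
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=EPPlus Software AB, O=EPPlus Software AB, L=Stockholm, C=SE
Issued by: CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature type: Repository
Service index: https://api.nuget.org/v3/index.json
Owners: EPPlusSoftware, jankallman, swmal
Successfully verified package 'EPPlus.<version>'.
EOF
)
# Self-check against the constructed sample; a real run uses verify_package.
if printf '%s\n' "$GOOD_OUTPUT" | check_verify_output; then
    echo "OK: author signature pinned to EPPlus Software AB"
else
    echo "FAIL: check $? did not pass"
fi
```

`dotnet nuget verify` also accepts `--certificate-fingerprint` to require a specific signer certificate; the fingerprint is not listed on this page, so take it from a copy of the package you have already verified by the procedure above.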
Verifying an assembly
On Windows, individual assemblies can also be verified directly using PowerShell. This validates both the cryptographic signature and the certificate trust chain using the Windows trust store.
```powershell
Get-AuthenticodeSignature "path\to\EPPlus.dll" | Format-List *
```
A valid signature will show Status: Valid and a signer certificate issued to EPPlus Software AB by GlobalSign:
```text
SignerCertificate : [Subject]
                      CN=EPPlus Software AB, O=EPPlus Software AB, L=Stockholm, C=SE
                    [Issuer]
                      CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                    ...
Status            : Valid
StatusMessage     : Signature verified.
SignatureType     : Authenticode
```
Assembly-level verification using PowerShell is only available on Windows. On Linux and macOS, we recommend verifying the NuGet package using dotnet nuget verify as described above, which works on all platforms.