NuGet Package Restore using solution-specific NuGet.config

2 minute read

In my post on how to restore packages from a secured feed, I already anticipated an important fix in the upcoming 2.2 release of NuGet to further facilitate this using hierarchical config files. Well, today, that 2.2 version got released, so let's take a look at the hierarchical config approach in more detail.

The hierarchical configuration feature allows you to have a solution-level NuGet.config file which should be taken into account during package restore. For feed credentials, this wasn't the case until now.

When enabling NuGet package restore, you'll notice a .nuget folder is created in the solution directory. Inside that folder resides the solution-level NuGet.config. This config file can be used to deviate from the global NuGet.config file you'll find in your roaming user profile: %appdata%\NuGet\NuGet.config.

Now imagine you want to restore NuGet packages from a secured feed, for instance from https://www.myget.org/F/mysecuredfeed/, or any feed requiring basic authentication using a username and a password.

You'll need to point NuGet to this feed URL and provide the required credentials. There are only a few options, but as of today, when using v2.2 of NuGet, you might want to prefer this one.

In the .nuget\NuGet.targets (MSBuild) file, ensure package restore is pointing to your secured feed. Look for this ItemGroup section and add it in there:

<ItemGroup Condition=" '$(PackageSources)' == '' ">
    <!-- Package sources used to restore packages. By default, registered sources under %APPDATA%\NuGet\NuGet.Config will be used -->
    <!-- The official NuGet package source (https://nuget.org/api/v2/) will be excluded if package sources are specified and it does not appear in the list -->
    <!--
        <PackageSource Include="https://nuget.org/api/v2/" />
    -->
    <PackageSource Include="http://www.myget.org/F/mysecuredfeed/" />
</ItemGroup>

By default, the solution-level NuGet.config file looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <solution>
    <add key="disableSourceControlIntegration" value="true" />
  </solution>
</configuration>

We need to somehow add the feed credentials in there. I haven't found a straightforward way of doing so, other than the following one:

  1. Ensure the feed is registered in your global NuGet.config by running
    nuget sources add -name "My Secured Feed" -source https://www.myget.org/F/mysecuredfeed/.
  2. Next, register the feed credentials in the global NuGet.config by running
    nuget sources update -Name "My Secured Feed" -User <username> -Pass <password>.
  3. Open the global NuGet.config file (located in %appdata%\NuGet\NuGet.config) in a text editor, and copy the packageSourceCredentials section (only include the feed credential child-nodes you need for your solution). You'll notice the password is stored in an encrypted format.
  4. Open your solution-level NuGet.config file (located in $(SolutionDir)\.nuget\NuGet.config), and paste the packageSourceCredentials section into the configuration root of the XML file.

Your solution-level NuGet.config should now look similar to the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <solution>
    <add key="disableSourceControlIntegration" value="true" />
  </solution>
  <packageSourceCredentials>
    <My_x0020_Secured_x0020_Feed>
      <add key="Username" value="username" />
      <add key="Password" value="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAtA/nIrdkAEaYf19cCBs6wgAAAAACAAAAAAAQZgAAAAEAACAAAABCszDHAgQ2OZASfFIGGmQKUTa4SwEqM9erKl1WoHsZDAAAAAAOgAAAAAIAACAAAACMsh26fEmwHSPz3DTzcEGuk+V/CjlAZWb2s5t2Tcr22BAAAADrMOh0Yn8FaydTiyWKIWD9QAAAAB9o2+fEdSaztWNgzjU1eBnI/aOjR95kKaJYMqF2d3LaOri6QUZ40Zm9kqa0RC/DkTTSMAr5DOES2dt0OmdiNi0=" />
    </My_x0020_Secured_x0020_Feed>
  </packageSourceCredentials>
</configuration>

Et voilĂ !

That's all folks, happy packaging!

Leave a Comment