Nuget restore, package sources, authenticated feeds et al

Nuget (dotnet package manager) gotchas, tips and tricks

Default Package Cache


  1. Mac:
  1. Windows:
  1. Linux Same as Mac

Nuget.config location

  1. Mac Nuget uses this config:

dotnet add <Project> package uses config from here: (see github)

  1. Windows
  1. Linux Same as mac

Adding package feeds

  1. Using nuget command line
nuget sources Add -Name "Feed Name" -Source "https://feed-url/nuget/v3/index.json" -Username "Username" -Password "password-or-personal-access-token"
  1. Using IDE
  • Rider: can add both authenticated as well as public feeds
  • Visual Studio: can add only public feeds through UI. use command line to add authenticated feeds.
  • VS Code: Add feeds through command line. Then tasks can be used to run restore.

Restoring packages

  1. .NET Core
$ dotnet restore

$ dotnet restore path/MyProject.csproj

# OR
$ dotnet restore MySolution.sln
  • using settings from a custom Nuget.config
$ dotnet restore --configfile NuGet.config 
  1. Using Nuget commandline
$ nuget restore
  1. Adding an autheticated feed using NuGet.config file

Add a section like so:

        <add key="" value="" protocolVersion="3" />
        <add key="Contoso" value="" />
        <add key="Test Source" value="c:\packages" />
            <add key="Username" value="" />
            <add key="Password" value="..." />
            <add key="Username" value="user" />
            <add key="Password" value="..." />

Other common operations using command line

  1. List added sources
nuget sources list
  1. List packages from a named source
# NOTE: SourceName is the URL!!!
nuget list -source SourceName
  1. Remove a package source
nuget sources remove -name <name-here>

The mysterious case of authenticated feeds

When working with an a package feed that requires credentials (userid/password or a personal access token), beware of these gotchas!

  1. As of 14-02-2019, dotnet add command cannot read encrypted credentials from Nuget.config. That leaves us with the following options:

1.1. Use Nuget to add package from command line:

nuget install <package>

This will read sources from the config file for the platform in question (Mac/Linux/Windows) explained at the top of this note (see Nuget config location)

1.2. If you want to use dotnet CLI, Create a Nuget.config file that stores password in clear text. See above for the structure of the file. This file may be stored in the solution directory and it would be auto-detected by dotnet. see here. Then add package:

dotnet add <project> package --source <source-url> package-name

NOTE: If the local package cache is populated, subsequent dotnet restore would not break on an authenticated feed.

  1. When using an artefact feed from Azure DevOps, the restore task is able to use authenticted feeds by using service principal based authenitication. see docs here