Description
Much like the concept of Verified Twitter accounts, NuGet.org should be able to verify that packages come from a known author. This mechanism would be optional and opt-in.
There have been incidents of copycat packages being uploaded, and it can be hard to tell which one is the right/official package.
Here's a multi-pronged starting point for discussion:
1. Verified authors. A package author name should be tied to one or more code signing certificates and an identity. Let the existing PKI system deal with verifying identities.
2. Ability to sign and timestamp NuGet packages, and have the NuGet clients validate the signatures.
3. Profile indicator on NuGet.org that an author is verified. Verified accounts would be required to provide the public keys from the code signing certs they use. Verified accounts should require that all packages they upload be signed.
4. The NuGet UI should have some visual indicator that the author is verified and should display the verified CN/attributes.
This would help prevent fake/duplicate/misleading packages from being confused with real ones. Even if a copycat's account is verified, the author won't match; i.e., no one else will have a verified Microsoft account.
This also helps establish a chain of trust/custody for tracing incidents, should any arise. Packages can contain executable code, like .ps1 scripts, .targets files, or even module initializers in DLLs. An extra layer of traceability can help mitigate those risks.
Bonus: with signed nupkgs, the API key is no longer needed to upload packages; the upload mechanism could just verify the signature of the package and match it to the right account. Or perhaps keep the API key and validate the signature anyway.
This issue was brought up a few days ago in another forum by @raffaeler. I've expanded on it and posted it here for broader discussion.