Package signatures
Starting with Unity 6.3, the Package Manager checks for digital package signatures on all tarball packages used in the Unity ecosystem.
A package signature is a cryptographic identifier that helps verify where a package came from and ensures it wasn’t changed after the developer created it. Package signatures make it easier for everyone to confirm a package’s origin and integrity, and spot any unauthorized changes or tampering. The recommended best practice is for all publishers to sign their packages. Taking this simple step helps members of the Unity community feel more confident when using your packages.
The Package Manager window shows the status of a package’s signature. If the package has signature issues, the Package Manager window flags that package. The following table explains each status and what you can do to resolve issues.
| Status icon | Contains a signature | Signing channel | Additional information | Recommended action |
|---|---|---|---|---|
 |
Yes | Official Unity channels or your own organization. | N/A | Package is safe to use in your project. |
 |
Yes | Public channel or an organization you don’t belong to. | Make sure you understand where the package originates from. | Use these packages only if you’re certain of their source. If possible, try to get added to the organization that signed the package. |
 |
Yes, but is invalid. | Various | An invalid signature might indicate that the package has been tampered with, is unsafe, or malicious. | Consider removing this package from your project. |
 |
No | N/A | To protect your project, the recommended best practice is to use only signed packages. | As a package consumer, ask the package owner to publish a version of the package with a signature, then install the signed version. As a package publisher, sign your package, then distribute the signed version. |