Starting with Unity 6.3, the Package Manager checks for digital package signatures on all tarball packages used in the Unity ecosystem.
A package signature is a cryptographic identifier that lets you verify where a package came from and that it wasn’t changed after the developer created it. Package signatures make it easier for everyone to confirm a package’s origin and integrity and to spot unauthorized changes or tampering. The recommended best practice is for all publishers to sign their packages. Taking this simple step helps members of the Unity community feel more confident when using your packages.
When you try to install a registry package that has signature issues, the Package Manager window flags that package. The following table explains each flag and how you can resolve it.
| Icon | Description | Recommended action |
|---|---|---|
| (invalid signature icon) | This package has a signature, but the signature is invalid. This might indicate that the package has been tampered with, is unsafe, or is malicious. | Consider removing this package from your project. |
| (missing signature icon) | This package lacks a signature. Unity can’t verify this package. To protect your project, the recommended best practice is to use only signed packages. | As a package consumer, ask the package owner to publish a version of the package with a signature, then install the signed version. As a package publisher, sign your package, then distribute the signed version. |