[Breaking change]: DSA has been removed from macOS #48201

@vcsjones

Description

The Digital Signature Algorithm (DSA) has been removed from macOS. This only impacts "finite field" DSA. Elliptic Curve DSA (EC-DSA) is not affected.

Version

.NET 11 Preview 1

Previous behavior

The DSA algorithm and its supporting types, DSA, DSACryptoServiceProvider and X.509 certificates with DSA keys would function on macOS.

New behavior

DSA is no longer functional on macOS. Attempts to use DSA, DSACryptoServiceProvider, or other APIs that interact with DSA will throw PlatformNotSupportedException.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

.NET on macOS relies on the operating system to provide an implementation of DSA. Apple did this through a now-obsolete library called SecurityTransforms, with no replacement. The implementation that Apple did offer was also limited in functionality. It only supported DSA-1024 with SHA-1, which is considered weak. Further, it never supported generating DSA keys.

iOS, tvOS, and MacCatalyst never supported DSA.

Recommended action

Migrate away from the DSA algorithm and use a modern cryptographic digital signature algorithm such as EC-DSA.

Feature area

Cryptography

Affected APIs

  • M:System.Security.Cryptography.DSA.Create (all overloads)
  • M:System.Security.Cryptography.DSACryptoServiceProvider.#ctor (all overloads)
  • M:System.Security.Cryptography.X509Certificates.DSACertificateExtensions.GetDSAPrivateKey (all overloads)
  • M:System.Security.Cryptography.X509Certificates.DSACertificateExtensions.GetPublicKey (all overloads)
  • M:System.Security.Cryptography.X509Certificates.DSACertificateExtensions.CopyWithPrivateKey (all overloads)

Additionally, any APIs that interact with DSA keys.
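
A sketch of the recommended migration, added here as an example and not taken from the issue or from the .NET code base: it classifies a certificate by its public key OID before any DSA API is called, then verifies a signature with EC-DSA. The KeyAudit class, the sample subject name and the payload are hypothetical, and it assumes that reading the key algorithm OID of a loaded certificate does not itself go through the removed DSA implementation.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Constructed sample: a throwaway self-signed EC-DSA certificate on NIST P-256.
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var request = new CertificateRequest("CN=migration-sample", key, HashAlgorithmName.SHA256);
using X509Certificate2 cert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

byte[] message = Encoding.UTF8.GetBytes("constructed sample payload");
byte[] signature = key.SignData(message, HashAlgorithmName.SHA256);

Console.WriteLine($"Uses DSA key: {KeyAudit.IsDsa(cert)}");
Console.WriteLine($"Signature valid: {KeyAudit.Verify(cert, message, signature)}");

// Hypothetical helper for auditing certificates during the migration.
static class KeyAudit
{
    // id-dsa: public key algorithm OID for finite-field DSA.
    private const string DsaOid = "1.2.840.10040.4.1";

    // Classify by OID so callers can route DSA certificates to reissuance
    // instead of hitting PlatformNotSupportedException deeper in the stack.
    public static bool IsDsa(X509Certificate2 cert) =>
        cert.GetKeyAlgorithm() == DsaOid;

    public static bool Verify(X509Certificate2 cert, byte[] data, byte[] sig)
    {
        if (IsDsa(cert))
            throw new NotSupportedException(
                $"Certificate {cert.Thumbprint} uses DSA; reissue it with an EC-DSA key.");

        // GetECDsaPublicKey returns null when the certificate has no EC key.
        using var publicKey = cert.GetECDsaPublicKey();
        return publicKey is not null
            && publicKey.VerifyData(data, sig, HashAlgorithmName.SHA256);
    }
}
```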
