I've previously blogged about setting up ProGet and then written about the changes in ProGet Version 4. This post is a small update to them. While nothing from the setup side has changed, there have been updates to the way feeds work and you have to migrate legacy feeds to the new format.

Previously, I've recommended to configure an API key that is used for pushing changes. Having had such a key made unauthorized operations on the feed impossible, and hence required either the key itself or user credentials. Requests using the API Key were considered to be from the Anonymous, meaning unauthenticated, user. This should still be the case when you upgrade and don't migrate legacy feeds, but you have probably configured package publishing permissions for the "Anonymous" user when you've worked with API keys.

This becomes a problem once you do upgrade! Feeds no longer have a dedicated API key, but the permission for Anonymous to publish packages stays in place. I've found no mentioning of it in the docs, so please be careful when you migrate feeds from the legacy format to check if you have any open permissions left.

With the latest feeds, I also no longer recommend using an API key but instead to create a dedicated user with push access. ProGet stores API keys in plaintext, which is something you should avoid to use if possible. With an user account, you can use it's username:password instead of the key. To do so, create an user via the admin interface and then switch to Tasks where you should assign both Publish Packages and View & Download Packages permissions to the user:

The View & Download Packages permission is not required in all cases, but some (older) NuGet clients do make a GET request to the feed before they publish a package and hence may need permission to view packages.

Happy publishing!