//===----------------------------------------------------------------------===//
//
// This source file is part of the Swift open source project
//
// Copyright (c) 2014-2023 Apple Inc. and the Swift project authors
// Licensed under Apache License v2.0 with Runtime Library Exception
//
// See http://swift.org/LICENSE.txt for license information
// See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
//
//===----------------------------------------------------------------------===//
import enum PackageFingerprint.FingerprintCheckingMode
import struct PackageGraph.ModulesGraph
import struct PackageModel.PackageIdentity
import struct PackageModel.RegistryReleaseMetadata
import enum PackageSigning.SigningEntityCheckingMode

extension FingerprintCheckingMode {
    /// Maps the workspace-level checking mode onto the fingerprint checking mode.
    static func map(_ checkingMode: WorkspaceConfiguration.CheckingMode) -> FingerprintCheckingMode {
        switch checkingMode {
        case .strict:
            return .strict
        case .warn:
            return .warn
        }
    }
}

extension SigningEntityCheckingMode {
    /// Maps the workspace-level checking mode onto the signing entity checking mode.
    static func map(_ checkingMode: WorkspaceConfiguration.CheckingMode) -> SigningEntityCheckingMode {
        switch checkingMode {
        case .strict:
            return .strict
        case .warn:
            return .warn
        }
    }
}

// MARK: - Signatures

extension Workspace {
    /// Checks every package that has an expected signing entity: it must be present in the
    /// graph (directly or through a registry mirror), be signed, and be signed by that entity.
    /// Throws a `SigningError` on the first package that fails.
    func validateSignatures(
        packageGraph: ModulesGraph,
        expectedSigningEntities: [PackageIdentity: RegistryReleaseMetadata.SigningEntity]
    ) throws {
        try expectedSigningEntities.forEach { identity, expectedSigningEntity in
            if let package = packageGraph.package(for: identity) {
                // The package is in the graph under its own identity.
                guard let actualSigningEntity = package.registryMetadata?.signature?.signedBy else {
                    throw SigningError.unsigned(package: identity, expected: expectedSigningEntity)
                }
                if actualSigningEntity != expectedSigningEntity {
                    throw SigningError.mismatchedSigningEntity(
                        package: identity,
                        expected: expectedSigningEntity,
                        actual: actualSigningEntity
                    )
                }
            } else {
                // The identity is not in the graph; look for a configured mirror for it.
                guard let mirror = self.mirrors.mirror(for: identity.description) else {
                    throw SigningError.expectedIdentityNotFound(package: identity)
                }
                let mirroredIdentity = PackageIdentity.plain(mirror)
                // A signing entity is expected, so the mirror must be a registry identity.
                guard mirroredIdentity.isRegistry else {
                    throw SigningError.expectedSignedMirroredToSourceControl(
                        package: identity,
                        expected: expectedSigningEntity
                    )
                }
                guard let package = packageGraph.package(for: mirroredIdentity) else {
                    // Unsure if this case is reachable in practice.
                    throw SigningError.expectedIdentityNotFound(package: identity)
                }
                // Apply the same signed-by checks to the mirrored package.
                guard let actualSigningEntity = package.registryMetadata?.signature?.signedBy else {
                    throw SigningError.unsigned(package: identity, expected: expectedSigningEntity)
                }
                if actualSigningEntity != expectedSigningEntity {
                    throw SigningError.mismatchedSigningEntity(
                        package: identity,
                        expected: expectedSigningEntity,
                        actual: actualSigningEntity
                    )
                }
            }
        }
    }

    /// Errors thrown by `validateSignatures(packageGraph:expectedSigningEntities:)`.
    public enum SigningError: Swift.Error {
        case expectedIdentityNotFound(package: PackageIdentity)
        case expectedSignedMirroredToSourceControl(
            package: PackageIdentity,
            expected: RegistryReleaseMetadata.SigningEntity
        )
        case mismatchedSigningEntity(
            package: PackageIdentity,
            expected: RegistryReleaseMetadata.SigningEntity,
            actual: RegistryReleaseMetadata.SigningEntity
        )
        case unsigned(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity)
    }
}