Include signing entity in version metadata

Clients who are asking for metadata prior to download an archive from the registry may still want to display information from the signature which is non-trivial to extract. This includes it if possible.

Author: neonichu

Sources/PackageMetadata/PackageMetadata.swift

@@ -20,6 +20,7 @@ import SourceControl
 import struct Foundation.URL
 import struct TSCBasic.AbsolutePath
 import protocol TSCBasic.FileSystem
+import var TSCBasic.localFileSystem
 import func TSCBasic.withTemporaryDirectory
 import struct TSCUtility.Version
 
@@ -87,6 +88,7 @@ public struct PackageSearchClient {
         self.registryClient.getPackageVersionMetadata(
             package: package,
             version: version,
+            fileSystem: localFileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: DispatchQueue.sharedConcurrent
         ) { result in

Sources/PackageRegistry/RegistryClient.swift

@@ -266,6 +266,7 @@ public final class RegistryClient: Cancellable {
         package: PackageIdentity,
         version: Version,
         timeout: DispatchTimeInterval? = .none,
+        fileSystem: FileSystem,
         observabilityScope: ObservabilityScope,
         callbackQueue: DispatchQueue,
         completion: @escaping (Result<PackageVersionMetadata, Error>) -> Void
@@ -286,6 +287,7 @@ public final class RegistryClient: Cancellable {
                 package: registryIdentity,
                 version: version,
                 timeout: timeout,
+                fileSystem: fileSystem,
                 observabilityScope: observabilityScope,
                 callbackQueue: callbackQueue,
                 completion: completion
@@ -314,6 +316,7 @@ public final class RegistryClient: Cancellable {
         package: PackageIdentity.RegistryIdentity,
         version: Version,
         timeout: DispatchTimeInterval?,
+        fileSystem: FileSystem,
         observabilityScope: ObservabilityScope,
         callbackQueue: DispatchQueue,
         completion: @escaping (Result<PackageVersionMetadata, Error>) -> Void
@@ -343,6 +346,22 @@ public final class RegistryClient: Cancellable {
                                         signatureBase64Encoded: $0.signatureBase64Encoded,
                                         signatureFormat: $0.signatureFormat
                                     )
+                                },
+                                signingEntity: $0.signing.flatMap {
+                                    guard let signatureData = Data(base64Encoded: $0.signatureBase64Encoded) else {
+                                        return nil
+                                    }
+                                    guard let signatureFormat = SignatureFormat(rawValue: $0.signatureFormat) else {
+                                        return nil
+                                    }
+                                    let configuration = self.configuration.signing(for: package, registry: registry)
+                                    return try? tsc_await { SignatureValidation.extractSigningEntity(
+                                        signature: [UInt8](signatureData),
+                                        signatureFormat: signatureFormat,
+                                        configuration: configuration,
+                                        fileSystem: fileSystem,
+                                        completion: $0
+                                    ) }
                                 }
                             )
                         },
@@ -501,6 +520,7 @@ public final class RegistryClient: Cancellable {
             package: package,
             version: version,
             timeout: timeout,
+            fileSystem: localFileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: callbackQueue
         ) { result in
@@ -733,6 +753,7 @@ public final class RegistryClient: Cancellable {
             package: package,
             version: version,
             timeout: timeout,
+            fileSystem: localFileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: callbackQueue
         ) { result in
@@ -950,6 +971,7 @@ public final class RegistryClient: Cancellable {
             package: package,
             version: version,
             timeout: timeout,
+            fileSystem: fileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: callbackQueue
         ) { result in
@@ -1839,12 +1861,14 @@ extension RegistryClient {
             public let type: String
             public let checksum: String?
             public let signing: Signing?
+            public let signingEntity: SigningEntity?
 
-            public init(name: String, type: String, checksum: String?, signing: Signing?) {
+            public init(name: String, type: String, checksum: String?, signing: Signing?, signingEntity: SigningEntity?) {
                 self.name = name
                 self.type = type
                 self.checksum = checksum
                 self.signing = signing
+                self.signingEntity = signingEntity
             }
         }
 

Sources/PackageRegistry/SignatureValidation.swift

@@ -513,6 +513,30 @@ struct SignatureValidation {
             }
         }
     }
+
+    // MARK: - signing entity
+
+    static func extractSigningEntity(
+        signature: [UInt8],
+        signatureFormat: SignatureFormat,
+        configuration: RegistryConfiguration.Security.Signing,
+        fileSystem: FileSystem,
+        completion: @Sendable @escaping (Result<SigningEntity?, Error>) -> Void
+    ) {
+        Task {
+            do {
+                let verifierConfiguration = try VerifierConfiguration.from(configuration, fileSystem: fileSystem)
+                let signingEntity = try await SignatureProvider.extractSigningEntity(
+                    signature: signature,
+                    format: signatureFormat,
+                    verifierConfiguration: verifierConfiguration
+                )
+                return completion(.success(signingEntity))
+            } catch {
+                return completion(.failure(error))
+            }
+        }
+    }
 }
 
 extension VerifierConfiguration {

Sources/PackageSigning/SignatureProvider.swift

@@ -55,6 +55,18 @@ public enum SignatureProvider {
             observabilityScope: observabilityScope
         )
     }
+
+    public static func extractSigningEntity(
+        signature: [UInt8],
+        format: SignatureFormat,
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity {
+        let provider = format.provider
+        return try await provider.extractSigningEntity(
+            signature: signature,
+            verifierConfiguration: verifierConfiguration
+        )
+    }
 }
 
 public struct VerifierConfiguration {
@@ -162,6 +174,11 @@ protocol SignatureProviderProtocol {
         verifierConfiguration: VerifierConfiguration,
         observabilityScope: ObservabilityScope
     ) async throws -> SignatureStatus
+
+    func extractSigningEntity(
+        signature: [UInt8],
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity
 }
 
 // MARK: - CMS signature provider
@@ -232,34 +249,66 @@ struct CMSSignatureProvider: SignatureProviderProtocol {
         }
     }
 
+    private func isValidSignature(
+        signature: [UInt8],
+        content: [UInt8],
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> CMS.SignatureVerificationResult {
+        var trustRoots: [Certificate] = []
+        if verifierConfiguration.includeDefaultTrustStore {
+            trustRoots.append(contentsOf: CertificateStores.defaultTrustRoots)
+        }
+        trustRoots.append(contentsOf: try verifierConfiguration.trustedRoots.map { try Certificate($0) })
+
+        return await CMS.isValidSignature(
+            dataBytes: content,
+            signatureBytes: signature,
+            // The intermediates supplied here will be combined with those
+            // included in the signature to build cert chain for validation.
+            //
+            // Those who use ADP certs for signing are not required to provide
+            // the entire cert chain, thus we must supply WWDR intermediates
+            // here so that the chain can be constructed during validation.
+            // Whether the signing cert is trusted still depends on whether
+            // the WWDR roots are in the trust store or not, which by default
+            // they are but user may disable that through configuration.
+            additionalIntermediateCertificates: Certificates.wwdrIntermediates,
+            trustRoots: CertificateStore(trustRoots),
+            policy: self.buildPolicySet(configuration: verifierConfiguration, httpClient: self.httpClient)
+        )
+    }
+
+    func extractSigningEntity(
+        signature: [UInt8],
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity {
+        let result = try await isValidSignature(
+            signature: signature,
+            content: [],
+            verifierConfiguration: verifierConfiguration
+        )
+
+        switch result {
+        case .success(let valid):
+            return SigningEntity.from(certificate: valid.signer)
+        case .failure(CMS.VerificationError.unableToValidateSigner(let invalid)):
+            return  SigningEntity.from(certificate: invalid.signer)
+        case .failure(let error):
+            throw error
+        }
+    }
+
     func status(
         signature: [UInt8],
         content: [UInt8],
         verifierConfiguration: VerifierConfiguration,
         observabilityScope: ObservabilityScope
     ) async throws -> SignatureStatus {
         do {
-            var trustRoots: [Certificate] = []
-            if verifierConfiguration.includeDefaultTrustStore {
-                trustRoots.append(contentsOf: CertificateStores.defaultTrustRoots)
-            }
-            trustRoots.append(contentsOf: try verifierConfiguration.trustedRoots.map { try Certificate($0) })
-
-            let result = await CMS.isValidSignature(
-                dataBytes: content,
-                signatureBytes: signature,
-                // The intermediates supplied here will be combined with those
-                // included in the signature to build cert chain for validation.
-                //
-                // Those who use ADP certs for signing are not required to provide
-                // the entire cert chain, thus we must supply WWDR intermediates
-                // here so that the chain can be constructed during validation.
-                // Whether the signing cert is trusted still depends on whether
-                // the WWDR roots are in the trust store or not, which by default
-                // they are but user may disable that through configuration.
-                additionalIntermediateCertificates: Certificates.wwdrIntermediates,
-                trustRoots: CertificateStore(trustRoots),
-                policy: self.buildPolicySet(configuration: verifierConfiguration, httpClient: self.httpClient)
+            let result = try await isValidSignature(
+                signature: signature,
+                content: content,
+                verifierConfiguration: verifierConfiguration
             )
 
             switch result {

Sources/PackageSigning/SigningEntity/SigningEntity.swift

@@ -15,7 +15,7 @@
 
 // MARK: - SigningEntity is the entity that generated the signature
 
-public enum SigningEntity: Hashable, Codable, CustomStringConvertible {
+public enum SigningEntity: Hashable, Codable, CustomStringConvertible, Sendable {
     case recognized(type: SigningEntityType, name: String, organizationalUnit: String, organization: String)
     case unrecognized(name: String?, organizationalUnit: String?, organization: String?)