Skip to content

Commit 4be5cf4

Browse files
yim-leeyim-lee
authored
Add flag to skip signature validation (#6274)
* Add flag to skip signature validation Motivation: Need a way to disable signature validation Modifications: Add `--enable-signature-validation`/`--disable-signature-validation` flag to security options. Default is enabled. * return immediately if skip signature validation
1 parent 4da7c14 commit 4be5cf4

14 files changed

+114
-0
lines changed

Sources/CoreCommands/Options.swift

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -228,6 +228,13 @@ public struct SecurityOptions: ParsableArguments {
228228

229229
@Option(name: .customLong("resolver-signing-entity-checking"))
230230
public var signingEntityCheckingMode: WorkspaceConfiguration.CheckingMode = .warn
231+
232+
@Flag(
233+
inversion: .prefixedEnableDisable,
234+
exclusivity: .exclusive,
235+
help: "Validate signature of a signed package release downloaded from registry"
236+
)
237+
public var signatureValidation: Bool = true
231238
}
232239

233240
public struct ResolverOptions: ParsableArguments {

Sources/CoreCommands/SwiftTool.swift

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -465,6 +465,7 @@ public final class SwiftTool {
465465
sharedDependenciesCacheEnabled: self.options.caching.useDependenciesCache,
466466
fingerprintCheckingMode: self.options.security.fingerprintCheckingMode,
467467
signingEntityCheckingMode: self.options.security.signingEntityCheckingMode,
468+
skipSignatureValidation: !self.options.security.signatureValidation,
468469
sourceControlToRegistryDependencyTransformation: self.options.resolver.sourceControlToRegistryDependencyTransformation.workspaceConfiguration,
469470
defaultRegistry: self.options.resolver.defaultRegistryURL.flatMap {
470471
// TODO: should supportsAvailability be a flag as well?

Sources/PackageRegistry/RegistryClient.swift

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,7 @@ public final class RegistryClient: Cancellable {
4141
private let authorizationProvider: LegacyHTTPClientConfiguration.AuthorizationProvider?
4242
private let fingerprintStorage: PackageFingerprintStorage?
4343
private let fingerprintCheckingMode: FingerprintCheckingMode
44+
private let skipSignatureValidation: Bool
4445
private let signingEntityStorage: PackageSigningEntityStorage?
4546
private let signingEntityCheckingMode: SigningEntityCheckingMode
4647
private let jsonDecoder: JSONDecoder
@@ -60,6 +61,7 @@ public final class RegistryClient: Cancellable {
6061
configuration: RegistryConfiguration,
6162
fingerprintStorage: PackageFingerprintStorage?,
6263
fingerprintCheckingMode: FingerprintCheckingMode,
64+
skipSignatureValidation: Bool,
6365
signingEntityStorage: PackageSigningEntityStorage?,
6466
signingEntityCheckingMode: SigningEntityCheckingMode,
6567
authorizationProvider: AuthorizationProvider? = .none,
@@ -97,6 +99,7 @@ public final class RegistryClient: Cancellable {
9799
self.archiverProvider = customArchiverProvider ?? { fileSystem in ZipArchiver(fileSystem: fileSystem) }
98100
self.fingerprintStorage = fingerprintStorage
99101
self.fingerprintCheckingMode = fingerprintCheckingMode
102+
self.skipSignatureValidation = skipSignatureValidation
100103
self.signingEntityStorage = signingEntityStorage
101104
self.signingEntityCheckingMode = signingEntityCheckingMode
102105
self.jsonDecoder = JSONDecoder.makeWithDefaults()
@@ -782,6 +785,7 @@ public final class RegistryClient: Cancellable {
782785

783786
// signature validation helper
784787
let signatureValidation = SignatureValidation(
788+
skipSignatureValidation: self.skipSignatureValidation,
785789
signingEntityStorage: self.signingEntityStorage,
786790
signingEntityCheckingMode: self.signingEntityCheckingMode,
787791
versionMetadataProvider: { _, _ in versionMetadata },

Sources/PackageRegistry/SignatureValidation.swift

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,18 +29,21 @@ protocol SignatureValidationDelegate {
2929
struct SignatureValidation {
3030
typealias Delegate = SignatureValidationDelegate
3131

32+
private let skipSignatureValidation: Bool
3233
private let signingEntityTOFU: PackageSigningEntityTOFU
3334
private let versionMetadataProvider: (PackageIdentity.RegistryIdentity, Version) throws -> RegistryClient
3435
.PackageVersionMetadata
3536
private let delegate: Delegate
3637

3738
init(
39+
skipSignatureValidation: Bool,
3840
signingEntityStorage: PackageSigningEntityStorage?,
3941
signingEntityCheckingMode: SigningEntityCheckingMode,
4042
versionMetadataProvider: @escaping (PackageIdentity.RegistryIdentity, Version) throws -> RegistryClient
4143
.PackageVersionMetadata,
4244
delegate: Delegate
4345
) {
46+
self.skipSignatureValidation = skipSignatureValidation
4447
self.signingEntityTOFU = PackageSigningEntityTOFU(
4548
signingEntityStorage: signingEntityStorage,
4649
signingEntityCheckingMode: signingEntityCheckingMode
@@ -61,6 +64,10 @@ struct SignatureValidation {
6164
callbackQueue: DispatchQueue,
6265
completion: @escaping (Result<SigningEntity?, Error>) -> Void
6366
) {
67+
guard !self.skipSignatureValidation else {
68+
return completion(.success(.none))
69+
}
70+
6471
self.getAndValidateSignature(
6572
registry: registry,
6673
package: package,
@@ -117,6 +124,7 @@ struct SignatureValidation {
117124
version: version
118125
)
119126
}
127+
120128
guard let signatureData = Data(base64Encoded: signatureBase64Encoded) else {
121129
throw RegistryError.failedLoadingSignature
122130
}

Sources/PackageRegistryTool/PackageRegistryTool+Auth.swift

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -186,6 +186,7 @@ extension SwiftPackageRegistryTool {
186186
configuration: registryConfiguration,
187187
fingerprintStorage: .none,
188188
fingerprintCheckingMode: .strict,
189+
skipSignatureValidation: false,
189190
signingEntityStorage: .none,
190191
signingEntityCheckingMode: .strict,
191192
authorizationProvider: authorizationProvider,

Sources/PackageRegistryTool/PackageRegistryTool+Publish.swift

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -126,6 +126,7 @@ extension SwiftPackageRegistryTool {
126126
configuration: configuration,
127127
fingerprintStorage: .none,
128128
fingerprintCheckingMode: .strict,
129+
skipSignatureValidation: false,
129130
signingEntityStorage: .none,
130131
signingEntityCheckingMode: .strict,
131132
authorizationProvider: authorizationProvider,

Sources/SPMTestSupport/MockRegistry.swift

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,7 @@ public class MockRegistry {
6262
configuration: configuration,
6363
fingerprintStorage: fingerprintStorage,
6464
fingerprintCheckingMode: .strict,
65+
skipSignatureValidation: false,
6566
signingEntityStorage: signingEntityStorage,
6667
signingEntityCheckingMode: .strict,
6768
authorizationProvider: .none,

Sources/SPMTestSupport/MockWorkspace.swift

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -285,6 +285,7 @@ public final class MockWorkspace {
285285
sharedDependenciesCacheEnabled: WorkspaceConfiguration.default.sharedDependenciesCacheEnabled,
286286
fingerprintCheckingMode: .strict,
287287
signingEntityCheckingMode: .strict,
288+
skipSignatureValidation: false,
288289
sourceControlToRegistryDependencyTransformation: self.sourceControlToRegistryDependencyTransformation,
289290
defaultRegistry: self.defaultRegistry,
290291
restrictImports: .none

Sources/Workspace/Workspace+Configuration.swift

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -734,6 +734,9 @@ public struct WorkspaceConfiguration {
734734

735735
/// Signing entity checking mode. Defaults to warn.
736736
public var signingEntityCheckingMode: CheckingMode
737+
738+
/// Whether to skip validating signature of signed packages downloaded from registry
739+
public var skipSignatureValidation: Bool
737740

738741
/// Attempt to transform source control based dependencies to registry ones
739742
public var sourceControlToRegistryDependencyTransformation: SourceControlToRegistryDependencyTransformation
@@ -759,6 +762,7 @@ public struct WorkspaceConfiguration {
759762
sharedDependenciesCacheEnabled: Bool,
760763
fingerprintCheckingMode: CheckingMode,
761764
signingEntityCheckingMode: CheckingMode,
765+
skipSignatureValidation: Bool,
762766
sourceControlToRegistryDependencyTransformation: SourceControlToRegistryDependencyTransformation,
763767
defaultRegistry: Registry?,
764768
restrictImports: (startingToolsVersion: ToolsVersion, allowedImports: [String])?
@@ -771,6 +775,7 @@ public struct WorkspaceConfiguration {
771775
self.sharedDependenciesCacheEnabled = sharedDependenciesCacheEnabled
772776
self.fingerprintCheckingMode = fingerprintCheckingMode
773777
self.signingEntityCheckingMode = signingEntityCheckingMode
778+
self.skipSignatureValidation = skipSignatureValidation
774779
self.sourceControlToRegistryDependencyTransformation = sourceControlToRegistryDependencyTransformation
775780
self.defaultRegistry = defaultRegistry
776781
self.restrictImports = restrictImports
@@ -787,6 +792,7 @@ public struct WorkspaceConfiguration {
787792
sharedDependenciesCacheEnabled: true,
788793
fingerprintCheckingMode: .strict,
789794
signingEntityCheckingMode: .warn,
795+
skipSignatureValidation: false,
790796
sourceControlToRegistryDependencyTransformation: .disabled,
791797
defaultRegistry: .none,
792798
restrictImports: .none

Sources/Workspace/Workspace.swift

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -408,6 +408,7 @@ public class Workspace {
408408
customRegistriesConfiguration: .none,
409409
customFingerprints: .none,
410410
customSigningEntities: .none,
411+
skipSignatureValidation: false,
411412
customMirrors: .none,
412413
customToolsVersion: .none,
413414
customHostToolchain: customHostToolchain,
@@ -545,6 +546,7 @@ public class Workspace {
545546
customRegistriesConfiguration: RegistryConfiguration? = .none,
546547
customFingerprints: PackageFingerprintStorage? = .none,
547548
customSigningEntities: PackageSigningEntityStorage? = .none,
549+
skipSignatureValidation: Bool = false,
548550
customMirrors: DependencyMirrors? = .none,
549551
customToolsVersion: ToolsVersion? = .none,
550552
customHostToolchain: UserToolchain? = .none,
@@ -570,6 +572,7 @@ public class Workspace {
570572
customRegistriesConfiguration: customRegistriesConfiguration,
571573
customFingerprints: customFingerprints,
572574
customSigningEntities: customSigningEntities,
575+
skipSignatureValidation: skipSignatureValidation,
573576
customMirrors: customMirrors,
574577
customToolsVersion: customToolsVersion,
575578
customHostToolchain: customHostToolchain,
@@ -598,6 +601,7 @@ public class Workspace {
598601
customRegistriesConfiguration: RegistryConfiguration?,
599602
customFingerprints: PackageFingerprintStorage?,
600603
customSigningEntities: PackageSigningEntityStorage?,
604+
skipSignatureValidation: Bool,
601605
customMirrors: DependencyMirrors?,
602606
customToolsVersion: ToolsVersion?,
603607
customHostToolchain: UserToolchain?,
@@ -677,6 +681,7 @@ public class Workspace {
677681
configuration: registriesConfiguration,
678682
fingerprintStorage: fingerprints,
679683
fingerprintCheckingMode: FingerprintCheckingMode.map(configuration.fingerprintCheckingMode),
684+
skipSignatureValidation: skipSignatureValidation,
680685
signingEntityStorage: signingEntities,
681686
signingEntityCheckingMode: SigningEntityCheckingMode.map(configuration.signingEntityCheckingMode),
682687
authorizationProvider: registryAuthorizationProvider,

Tests/PackageRegistryTests/RegistryClientTests.swift

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -890,6 +890,7 @@ final class RegistryClientTests: XCTestCase {
890890
configuration: configuration,
891891
fingerprintStorage: .none,
892892
fingerprintCheckingMode: .strict,
893+
skipSignatureValidation: false,
893894
signingEntityStorage: .none,
894895
signingEntityCheckingMode: .strict,
895896
customHTTPClient: httpClient,
@@ -1022,6 +1023,7 @@ final class RegistryClientTests: XCTestCase {
10221023
configuration: configuration,
10231024
fingerprintStorage: fingerprintStorage,
10241025
fingerprintCheckingMode: .strict,
1026+
skipSignatureValidation: false,
10251027
signingEntityStorage: .none,
10261028
signingEntityCheckingMode: .strict,
10271029
customHTTPClient: httpClient,
@@ -1147,6 +1149,7 @@ final class RegistryClientTests: XCTestCase {
11471149
configuration: configuration,
11481150
fingerprintStorage: fingerprintStorage,
11491151
fingerprintCheckingMode: .strict, // intended for this test; don't change
1152+
skipSignatureValidation: false,
11501153
signingEntityStorage: .none,
11511154
signingEntityCheckingMode: .strict,
11521155
customHTTPClient: httpClient,
@@ -1278,6 +1281,7 @@ final class RegistryClientTests: XCTestCase {
12781281
configuration: configuration,
12791282
fingerprintStorage: fingerprintStorage,
12801283
fingerprintCheckingMode: .warn, // intended for this test; don't change
1284+
skipSignatureValidation: false,
12811285
signingEntityStorage: .none,
12821286
signingEntityCheckingMode: .strict,
12831287
customHTTPClient: httpClient,
@@ -1399,6 +1403,7 @@ final class RegistryClientTests: XCTestCase {
13991403
configuration: configuration,
14001404
fingerprintStorage: fingerprintStorage,
14011405
fingerprintCheckingMode: .strict,
1406+
skipSignatureValidation: false,
14021407
signingEntityStorage: .none,
14031408
signingEntityCheckingMode: .strict,
14041409
customHTTPClient: httpClient,
@@ -1526,6 +1531,7 @@ final class RegistryClientTests: XCTestCase {
15261531
configuration: configuration,
15271532
fingerprintStorage: fingerprintStorage,
15281533
fingerprintCheckingMode: .strict,
1534+
skipSignatureValidation: false,
15291535
signingEntityStorage: .none,
15301536
signingEntityCheckingMode: .strict,
15311537
customHTTPClient: httpClient,
@@ -1610,6 +1616,7 @@ final class RegistryClientTests: XCTestCase {
16101616
configuration: configuration,
16111617
fingerprintStorage: .none,
16121618
fingerprintCheckingMode: .strict,
1619+
skipSignatureValidation: false,
16131620
signingEntityStorage: .none,
16141621
signingEntityCheckingMode: .strict,
16151622
customHTTPClient: httpClient,
@@ -1690,6 +1697,7 @@ final class RegistryClientTests: XCTestCase {
16901697
configuration: configuration,
16911698
fingerprintStorage: .none,
16921699
fingerprintCheckingMode: .strict,
1700+
skipSignatureValidation: false,
16931701
signingEntityStorage: .none,
16941702
signingEntityCheckingMode: .strict,
16951703
customHTTPClient: httpClient
@@ -1739,6 +1747,7 @@ final class RegistryClientTests: XCTestCase {
17391747
configuration: configuration,
17401748
fingerprintStorage: .none,
17411749
fingerprintCheckingMode: .strict,
1750+
skipSignatureValidation: false,
17421751
signingEntityStorage: .none,
17431752
signingEntityCheckingMode: .strict,
17441753
customHTTPClient: httpClient,
@@ -2762,13 +2771,15 @@ func makeRegistryClient(
27622771
authorizationProvider: AuthorizationProvider? = .none,
27632772
fingerprintStorage: PackageFingerprintStorage = MockPackageFingerprintStorage(),
27642773
fingerprintCheckingMode: FingerprintCheckingMode = .strict,
2774+
skipSignatureValidation: Bool = false,
27652775
signingEntityStorage: PackageSigningEntityStorage = MockPackageSigningEntityStorage(),
27662776
signingEntityCheckingMode: SigningEntityCheckingMode = .strict
27672777
) -> RegistryClient {
27682778
RegistryClient(
27692779
configuration: configuration,
27702780
fingerprintStorage: fingerprintStorage,
27712781
fingerprintCheckingMode: fingerprintCheckingMode,
2782+
skipSignatureValidation: skipSignatureValidation,
27722783
signingEntityStorage: signingEntityStorage,
27732784
signingEntityCheckingMode: signingEntityCheckingMode,
27742785
authorizationProvider: authorizationProvider,

0 commit comments

Comments
 (0)