Include signing entity in version metadata (#6363)

Clients who are asking for metadata prior to download an archive from the registry may still want to display information from the signature which is non-trivial to extract. This includes it if possible.

Author: neonichu

Sources/PackageMetadata/PackageMetadata.swift

@@ -48,6 +48,7 @@ public struct Package {
 }
 
 public struct PackageSearchClient {
+    private let fileSystem: FileSystem
     private let registryClient: RegistryClient
     private let indexAndCollections: PackageIndexAndCollections
     private let observabilityScope: ObservabilityScope
@@ -59,6 +60,7 @@ public struct PackageSearchClient {
     ) {
         self.registryClient = registryClient
         self.indexAndCollections = PackageIndexAndCollections(fileSystem: fileSystem, observabilityScope: observabilityScope)
+        self.fileSystem = fileSystem
         self.observabilityScope = observabilityScope
     }
 
@@ -87,6 +89,7 @@ public struct PackageSearchClient {
         self.registryClient.getPackageVersionMetadata(
             package: package,
             version: version,
+            fileSystem: self.fileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: DispatchQueue.sharedConcurrent
         ) { result in

Sources/PackageRegistry/RegistryClient.swift

@@ -266,6 +266,7 @@ public final class RegistryClient: Cancellable {
         package: PackageIdentity,
         version: Version,
         timeout: DispatchTimeInterval? = .none,
+        fileSystem: FileSystem,
         observabilityScope: ObservabilityScope,
         callbackQueue: DispatchQueue,
         completion: @escaping (Result<PackageVersionMetadata, Error>) -> Void
@@ -286,6 +287,7 @@ public final class RegistryClient: Cancellable {
                 package: registryIdentity,
                 version: version,
                 timeout: timeout,
+                fileSystem: fileSystem,
                 observabilityScope: observabilityScope,
                 callbackQueue: callbackQueue,
                 completion: completion
@@ -314,6 +316,7 @@ public final class RegistryClient: Cancellable {
         package: PackageIdentity.RegistryIdentity,
         version: Version,
         timeout: DispatchTimeInterval?,
+        fileSystem: FileSystem,
         observabilityScope: ObservabilityScope,
         callbackQueue: DispatchQueue,
         completion: @escaping (Result<PackageVersionMetadata, Error>) -> Void
@@ -343,6 +346,22 @@ public final class RegistryClient: Cancellable {
                                         signatureBase64Encoded: $0.signatureBase64Encoded,
                                         signatureFormat: $0.signatureFormat
                                     )
+                                },
+                                signingEntity: $0.signing.flatMap {
+                                    guard let signatureData = Data(base64Encoded: $0.signatureBase64Encoded) else {
+                                        return nil
+                                    }
+                                    guard let signatureFormat = SignatureFormat(rawValue: $0.signatureFormat) else {
+                                        return nil
+                                    }
+                                    let configuration = self.configuration.signing(for: package, registry: registry)
+                                    return try? tsc_await { SignatureValidation.extractSigningEntity(
+                                        signature: [UInt8](signatureData),
+                                        signatureFormat: signatureFormat,
+                                        configuration: configuration,
+                                        fileSystem: fileSystem,
+                                        completion: $0
+                                    ) }
                                 }
                             )
                         },
@@ -501,6 +520,7 @@ public final class RegistryClient: Cancellable {
             package: package,
             version: version,
             timeout: timeout,
+            fileSystem: localFileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: callbackQueue
         ) { result in
@@ -733,6 +753,7 @@ public final class RegistryClient: Cancellable {
             package: package,
             version: version,
             timeout: timeout,
+            fileSystem: localFileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: callbackQueue
         ) { result in
@@ -950,6 +971,7 @@ public final class RegistryClient: Cancellable {
             package: package,
             version: version,
             timeout: timeout,
+            fileSystem: fileSystem,
             observabilityScope: observabilityScope,
             callbackQueue: callbackQueue
         ) { result in
@@ -1839,12 +1861,14 @@ extension RegistryClient {
             public let type: String
             public let checksum: String?
             public let signing: Signing?
+            public let signingEntity: SigningEntity?
 
-            public init(name: String, type: String, checksum: String?, signing: Signing?) {
+            public init(name: String, type: String, checksum: String?, signing: Signing?, signingEntity: SigningEntity?) {
                 self.name = name
                 self.type = type
                 self.checksum = checksum
                 self.signing = signing
+                self.signingEntity = signingEntity
             }
         }
 

Sources/PackageRegistry/SignatureValidation.swift

@@ -513,6 +513,30 @@ struct SignatureValidation {
             }
         }
     }
+
+    // MARK: - signing entity
+
+    static func extractSigningEntity(
+        signature: [UInt8],
+        signatureFormat: SignatureFormat,
+        configuration: RegistryConfiguration.Security.Signing,
+        fileSystem: FileSystem,
+        completion: @Sendable @escaping (Result<SigningEntity?, Error>) -> Void
+    ) {
+        Task {
+            do {
+                let verifierConfiguration = try VerifierConfiguration.from(configuration, fileSystem: fileSystem)
+                let signingEntity = try await SignatureProvider.extractSigningEntity(
+                    signature: signature,
+                    format: signatureFormat,
+                    verifierConfiguration: verifierConfiguration
+                )
+                return completion(.success(signingEntity))
+            } catch {
+                return completion(.failure(error))
+            }
+        }
+    }
 }
 
 extension VerifierConfiguration {

Sources/PackageSigning/SignatureProvider.swift

@@ -55,6 +55,18 @@ public enum SignatureProvider {
             observabilityScope: observabilityScope
         )
     }
+
+    public static func extractSigningEntity(
+        signature: [UInt8],
+        format: SignatureFormat,
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity {
+        let provider = format.provider
+        return try await provider.extractSigningEntity(
+            signature: signature,
+            verifierConfiguration: verifierConfiguration
+        )
+    }
 }
 
 public struct VerifierConfiguration {
@@ -162,6 +174,11 @@ protocol SignatureProviderProtocol {
         verifierConfiguration: VerifierConfiguration,
         observabilityScope: ObservabilityScope
     ) async throws -> SignatureStatus
+
+    func extractSigningEntity(
+        signature: [UInt8],
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity
 }
 
 // MARK: - CMS signature provider
@@ -232,6 +249,13 @@ struct CMSSignatureProvider: SignatureProviderProtocol {
         }
     }
 
+    func extractSigningEntity(
+        signature: [UInt8],
+        verifierConfiguration: VerifierConfiguration
+    ) async throws -> SigningEntity {
+        throw StringError("not implemented")
+    }
+
     func status(
         signature: [UInt8],
         content: [UInt8],

Sources/PackageSigning/SigningEntity/SigningEntity.swift

@@ -15,7 +15,7 @@
 
 // MARK: - SigningEntity is the entity that generated the signature
 
-public enum SigningEntity: Hashable, Codable, CustomStringConvertible {
+public enum SigningEntity: Hashable, Codable, CustomStringConvertible, Sendable {
     case recognized(type: SigningEntityType, name: String, organizationalUnit: String, organization: String)
     case unrecognized(name: String?, organizationalUnit: String?, organization: String?)
 

Tests/PackageRegistryTests/RegistryClientTests.swift

@@ -3837,6 +3837,7 @@ extension RegistryClient {
             self.getPackageVersionMetadata(
                 package: package,
                 version: version,
+                fileSystem: InMemoryFileSystem(),
                 observabilityScope: ObservabilitySystem.NOOP,
                 callbackQueue: .sharedConcurrent,
                 completion: $0