This is a continuation of #3879. (#3890)

Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.

Author: yim-lee

Package.swift

@@ -155,6 +155,7 @@ let package = Package(
             name: "PackageRegistry",
             dependencies: [
                 "Basics",
+                "PackageFingerprint",
                 "PackageLoading",
                 "PackageModel"
             ],
@@ -309,6 +310,7 @@ let package = Package(
             name: "Workspace",
             dependencies: [
                 "Basics",
+                "PackageFingerprint",
                 "PackageGraph",
                 "PackageModel",
                 "SourceControl",
@@ -328,6 +330,7 @@ let package = Package(
                 "Basics",
                 "Build",
                 "PackageCollections",
+                "PackageFingerprint",
                 "PackageGraph",
                 "SourceControl",
                 "Workspace",
@@ -388,6 +391,7 @@ let package = Package(
             name: "SPMTestSupport",
             dependencies: [
                 "Basics",
+                "PackageFingerprint",
                 "PackageGraph",
                 "PackageLoading",
                 "PackageRegistry",

Sources/Basics/FileSystem+Extensions.swift

@@ -1,7 +1,7 @@
 /*
  This source file is part of the Swift.org open source project
 
- Copyright (c) 2020 Apple Inc. and the Swift project authors
+ Copyright (c) 2020-2021 Apple Inc. and the Swift project authors
  Licensed under Apache License v2.0 with Runtime Library Exception
 
  See http://swift.org/LICENSE.txt for license information
@@ -18,7 +18,12 @@ import TSCBasic
 extension FileSystem {
     /// SwiftPM directory under user's home directory (~/.swiftpm)
     public var dotSwiftPM: AbsolutePath {
-        return self.homeDirectory.appending(component: ".swiftpm")
+        self.homeDirectory.appending(component: ".swiftpm")
+    }
+    
+    /// SwiftPM security directory
+    public var swiftPMSecurityDirectory: AbsolutePath {
+        self.dotSwiftPM.appending(component: "security")
     }
 }
 

Sources/Commands/CMakeLists.txt

@@ -34,6 +34,7 @@ target_link_libraries(Commands PUBLIC
   Basics
   Build
   PackageCollections
+  PackageFingerprint
   PackageGraph
   SourceControl
   TSCBasic

Sources/Commands/Options.swift

@@ -1,7 +1,7 @@
 /*
  This source file is part of the Swift.org open source project
 
- Copyright (c) 2014 - 2017 Apple Inc. and the Swift project authors
+ Copyright (c) 2014 - 2021 Apple Inc. and the Swift project authors
  Licensed under Apache License v2.0 with Runtime Library Exception
 
  See http://swift.org/LICENSE.txt for license information
@@ -11,6 +11,7 @@
 import ArgumentParser
 import TSCBasic
 import TSCUtility
+import PackageFingerprint
 import PackageModel
 import SPMBuildCore
 import Build
@@ -90,6 +91,12 @@ enum BuildSystemKind: String, ExpressibleByArgument, CaseIterable {
     case xcode
 }
 
+extension FingerprintCheckingMode: ExpressibleByArgument {
+    public init?(argument: String) {
+        self.init(rawValue: argument)
+    }
+}
+
 public extension Sanitizer {
     init(argument: String) throws {
         if let sanitizer = Sanitizer(rawValue: argument) {
@@ -348,6 +355,9 @@ public struct SwiftToolOptions: ParsableArguments {
           help: .hidden)
     var keychain: Bool = false
 #endif
+    
+    @Option(name: .customLong("resolver-fingerprint-checking"))
+    var resolverFingerprintCheckingMode: FingerprintCheckingMode = .warn
 
     @Flag(name: .customLong("netrc"), help: .hidden)
     var _deprecated_netrc: Bool = false

Sources/Commands/SwiftTool.swift

@@ -658,6 +658,7 @@ public class SwiftTool {
                 workingDirectory: buildPath,
                 editsDirectory: self.editsDirectory(),
                 resolvedVersionsFile: self.resolvedVersionsFile(),
+                sharedSecurityDirectory: localFileSystem.swiftPMSecurityDirectory,
                 sharedCacheDirectory: sharedCacheDirectory,
                 sharedConfigurationDirectory: sharedConfigurationDirectory
             ),
@@ -669,6 +670,7 @@ public class SwiftTool {
             additionalFileRules: isXcodeBuildSystemEnabled ? FileRuleDescription.xcbuildFileTypes : FileRuleDescription.swiftpmFileTypes,
             resolverUpdateEnabled: !options.skipDependencyUpdate,
             resolverPrefetchingEnabled: options.shouldEnableResolverPrefetching,
+            resolverFingerprintCheckingMode: self.options.resolverFingerprintCheckingMode,
             sharedRepositoriesCacheEnabled: self.options.useRepositoriesCache,
             delegate: delegate
         )

Sources/PackageFingerprint/FilePackageFingerprintStorage.swift

@@ -22,7 +22,7 @@ public struct FilePackageFingerprintStorage: PackageFingerprintStorage {
     private let encoder: JSONEncoder
     private let decoder: JSONDecoder
 
-    init(fileSystem: FileSystem, directoryPath: AbsolutePath) {
+    public init(fileSystem: FileSystem, directoryPath: AbsolutePath) {
         self.fileSystem = fileSystem
         self.directoryPath = directoryPath
 

Sources/PackageFingerprint/Model.swift

@@ -14,6 +14,11 @@ import TSCUtility
 public struct Fingerprint: Equatable {
     public let origin: Origin
     public let value: String
+
+    public init(origin: Origin, value: String) {
+        self.origin = origin
+        self.value = value
+    }
 }
 
 public extension Fingerprint {
@@ -26,7 +31,7 @@ public extension Fingerprint {
         case sourceControl(Foundation.URL)
         case registry(Foundation.URL)
 
-        var kind: Fingerprint.Kind {
+        public var kind: Fingerprint.Kind {
             switch self {
             case .sourceControl:
                 return .sourceControl
@@ -35,7 +40,7 @@ public extension Fingerprint {
             }
         }
 
-        var url: Foundation.URL? {
+        public var url: Foundation.URL? {
             switch self {
             case .sourceControl(let url):
                 return url
@@ -56,3 +61,9 @@ public extension Fingerprint {
 }
 
 public typealias PackageFingerprints = [Version: [Fingerprint.Kind: Fingerprint]]
+
+public enum FingerprintCheckingMode: String {
+    case strict
+    case warn
+    case none
+}

Sources/PackageFingerprint/PackageFingerprintStorage.swift

@@ -28,6 +28,24 @@ public protocol PackageFingerprintStorage {
              callback: @escaping (Result<Void, Error>) -> Void)
 }
 
+public extension PackageFingerprintStorage {
+    func get(package: PackageIdentity,
+             version: Version,
+             kind: Fingerprint.Kind,
+             observabilityScope: ObservabilityScope,
+             callbackQueue: DispatchQueue,
+             callback: @escaping (Result<Fingerprint, Error>) -> Void) {
+        self.get(package: package, version: version, observabilityScope: observabilityScope, callbackQueue: callbackQueue) { result in
+            callback(result.tryMap { fingerprints in
+                guard let fingerprint = fingerprints[kind] else {
+                    throw PackageFingerprintStorageError.notFound
+                }
+                return fingerprint
+            })
+        }
+    }
+}
+
 public enum PackageFingerprintStorageError: Error, Equatable {
     case conflict(given: Fingerprint, existing: Fingerprint)
     case notFound

Sources/PackageRegistry/CMakeLists.txt

@@ -12,6 +12,7 @@ add_library(PackageRegistry
   RegistryClient.swift)
 target_link_libraries(PackageRegistry PUBLIC
   Basics
+  PackageFingerprint
   PackageLoading
   PackageModel
   TSCBasic