Expected signing entity verification

Sources/PackageModel/RegistryReleaseMetadata.swift

@@ -105,7 +105,7 @@ public struct RegistryReleaseMetadata {
         }
     }
 
-    public enum SigningEntity: Codable {
+    public enum SigningEntity: Codable, Equatable {
         case recognized(type: String, commonName: String?, organization: String?, identity: String?)
         case unrecognized(commonName: String?, organization: String?)
     }

Sources/SPMTestSupport/MockPackage.swift

@@ -76,6 +76,7 @@ public struct MockPackage {
         platforms: [PlatformDescription] = [],
         identity: String,
         alternativeURLs: [String]? = .none,
+        metadata: RegistryReleaseMetadata? = .none,
         targets: [MockTarget],
         products: [MockProduct],
         dependencies: [MockDependency] = [],
@@ -85,7 +86,11 @@ public struct MockPackage {
     ) {
         self.name = name
         self.platforms = platforms
-        self.location = .registry(identity: .plain(identity), alternativeURLs: alternativeURLs?.compactMap{ URL(string: $0) })
+        self.location = .registry(
+            identity: .plain(identity),
+            alternativeURLs: alternativeURLs?.compactMap{ URL(string: $0) },
+            metadata: metadata
+        )
         self.targets = targets
         self.products = products
         self.dependencies = dependencies
@@ -110,6 +115,6 @@ public struct MockPackage {
     public enum Location {
         case fileSystem(path: RelativePath)
         case sourceControl(url: URL)
-        case registry(identity: PackageIdentity, alternativeURLs: [URL]?)
+        case registry(identity: PackageIdentity, alternativeURLs: [URL]?, metadata: RegistryReleaseMetadata?)
     }
 }

Sources/SPMTestSupport/MockWorkspace.swift

@@ -152,8 +152,15 @@ public final class MockWorkspace {
                 } else {
                     packagePath = basePath.appending(components: "sourceControl", url.absoluteString.spm_mangledToC99ExtendedIdentifier())
                 }
-            case .registry(let identity, _):
+            case .registry(let identity, _, let metadata):
                 packagePath = basePath.appending(components: "registry", identity.description.spm_mangledToC99ExtendedIdentifier())
+
+                // Write registry release metadata if the mock package provided it.
+                if let metadata = metadata {
+                    try self.fileSystem.createDirectory(packagePath, recursive: true)
+                    let path = packagePath.appending(component: RegistryReleaseMetadataStorage.fileName)
+                    try RegistryReleaseMetadataStorage.save(metadata, to: path, fileSystem: self.fileSystem)
+                }
             }
 
             let packageLocation: String
@@ -177,7 +184,7 @@ public final class MockWorkspace {
                 packageLocation = url.absoluteString
                 packageKind = .remoteSourceControl(url)
                 sourceControlSpecifier = RepositorySpecifier(url: url)
-            case (_, .registry(let identity, let alternativeURLs)):
+            case (_, .registry(let identity, let alternativeURLs, _)):
                 packageLocation = identity.description
                 packageKind = .registry(identity)
                 registryIdentity = identity
@@ -437,6 +444,7 @@ public final class MockWorkspace {
         roots: [String] = [],
         dependencies: [PackageDependency] = [],
         forceResolvedVersions: Bool = false,
+        expectedSigningEntities: [PackageIdentity: RegistryReleaseMetadata.SigningEntity] = [:],
         _ result: (PackageGraph, [Basics.Diagnostic]) throws -> Void
     ) throws {
         let observability = ObservabilitySystem.makeForTesting()
@@ -448,6 +456,7 @@ public final class MockWorkspace {
             let graph = try workspace.loadPackageGraph(
                 rootInput: rootInput,
                 forceResolvedVersions: forceResolvedVersions,
+                expectedSigningEntities: expectedSigningEntities,
                 observabilityScope: observability.topScope
             )
             try result(graph, observability.diagnostics)

Sources/Workspace/Workspace.swift

@@ -1074,6 +1074,7 @@ extension Workspace {
         forceResolvedVersions: Bool = false,
         customXCTestMinimumDeploymentTargets: [PackageModel.Platform: PlatformVersion]? = .none,
         testEntryPointPath: AbsolutePath? = nil,
+        expectedSigningEntities: [PackageIdentity: RegistryReleaseMetadata.SigningEntity] = [:],
         observabilityScope: ObservabilityScope
     ) throws -> PackageGraph {
         // reload state in case it was modified externally (eg by another process) before reloading the graph
@@ -1104,7 +1105,7 @@ extension Workspace {
         }
 
         // Load the graph.
-        return try PackageGraph.load(
+        let packageGraph = try PackageGraph.load(
             root: manifests.root,
             identityResolver: self.identityResolver,
             additionalFileRules: self.configuration.additionalFileRules,
@@ -1119,6 +1120,57 @@ extension Workspace {
             fileSystem: fileSystem,
             observabilityScope: observabilityScope
         )
+
+        try expectedSigningEntities.forEach { identity, expectedSigningEntity in
+            if let package = packageGraph.packages.first(where: { $0.identity == identity }) {
+                if let actualSigningEntity = package.registryMetadata?.signature?.signedBy {
+                    if actualSigningEntity != expectedSigningEntity {
+                        throw SigningError.mismatchedSigningEntity(
+                            package: identity,
+                            expected: expectedSigningEntity,
+                            actual: actualSigningEntity
+                        )
+                    }
+                } else {
+                    throw SigningError.unsigned(package: identity, expected: expectedSigningEntity)
+                }
+            } else {
+                if let mirror = self.mirrors.mirror(for: identity.description) {
+                    let mirroredIdentity = PackageIdentity.plain(mirror)
+                    if mirroredIdentity.isRegistry {
+                        if let package = packageGraph.packages.first(where: { $0.identity == mirroredIdentity }) {
+                            if let actualSigningEntity = package.registryMetadata?.signature?.signedBy {
+                                if actualSigningEntity != expectedSigningEntity {
+                                    throw SigningError.mismatchedSigningEntity(
+                                        package: identity,
+                                        expected: expectedSigningEntity,
+                                        actual: actualSigningEntity
+                                    )
+                                }
+                            } else {
+                                throw SigningError.unsigned(package: identity, expected: expectedSigningEntity)
+                            }
+                        } else {
+                            // Unsure if this case is reachable in practice.
+                            throw SigningError.expectedIdentityNotFound(package: identity)
+                        }
+                    } else {
+                        throw SigningError.expectedSignedMirroredToSourceControl(package: identity, expected: expectedSigningEntity)
+                    }
+                } else {
+                    throw SigningError.expectedIdentityNotFound(package: identity)
+                }
+            }
+        }
+
+        return packageGraph
+    }
+
+    public enum SigningError: Swift.Error {
+        case expectedIdentityNotFound(package: PackageIdentity)
+        case expectedSignedMirroredToSourceControl(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity)
+        case mismatchedSigningEntity(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity, actual: RegistryReleaseMetadata.SigningEntity)
+        case unsigned(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity)
     }
 
     @discardableResult