Add 'package sign' subcommand (swiftlang#6215)

* Add 'package sign' subcommand

Motivation:
Part of https://github.com/apple/swift-evolution/blob/main/proposals/0391-package-registry-publish.md

Modifications:
- Add 'package sign' command
- Refactor code to share between 'package sign' and 'package-registry publish'

* wip

* more

* fixups

---------

Co-authored-by: tom doron <[email protected]>

Author: yim-lee

Sources/Commands/PackageTools/SwiftPackageTool.swift

@@ -2,7 +2,7 @@
 //
 // This source file is part of the Swift open source project
 //
-// Copyright (c) 2014-2022 Apple Inc. and the Swift project authors
+// Copyright (c) 2014-2023 Apple Inc. and the Swift project authors
 // Licensed under Apache License v2.0 with Runtime Library Exception
 //
 // See http://swift.org/LICENSE.txt for license information
@@ -13,16 +13,15 @@
 import ArgumentParser
 import Basics
 import CoreCommands
-import TSCBasic
-import SPMBuildCore
-import PackageModel
-import PackageLoading
+import Foundation
 import PackageGraph
+import PackageLoading
+import PackageModel
 import SourceControl
-import XCBuildSupport
+import SPMBuildCore
+import TSCBasic
 import Workspace
-import Foundation
-import PackageModel
+import XCBuildSupport
 
 import enum TSCUtility.Diagnostics
 
@@ -62,12 +61,13 @@ public struct SwiftPackageTool: ParsableCommand {
             ArchiveSource.self,
             CompletionTool.self,
             PluginCommand.self,
-            
+
             DefaultCommand.self,
         ]
-        + (ProcessInfo.processInfo.environment["SWIFTPM_ENABLE_SNIPPETS"] == "1" ? [Learn.self] : []),
+            + (ProcessInfo.processInfo.environment["SWIFTPM_ENABLE_SNIPPETS"] == "1" ? [Learn.self] : []),
         defaultSubcommand: DefaultCommand.self,
-        helpNames: [.short, .long, .customLong("help", withSingleDash: true)])
+        helpNames: [.short, .long, .customLong("help", withSingleDash: true)]
+    )
 
     @OptionGroup()
     var globalOptions: GlobalOptions
@@ -78,11 +78,13 @@ public struct SwiftPackageTool: ParsableCommand {
 }
 
 extension SwiftPackageTool {
-    // This command is the default when no other subcommand is passed. It is not shown in the help and is never invoked directly.
+    // This command is the default when no other subcommand is passed. It is not shown in the help and is never invoked
+    // directly.
     struct DefaultCommand: SwiftCommand {
         static let configuration = CommandConfiguration(
             commandName: nil,
-            shouldDisplay: false)
+            shouldDisplay: false
+        )
 
         @OptionGroup(visibility: .hidden)
         var globalOptions: GlobalOptions
@@ -103,8 +105,7 @@ extension SwiftPackageTool {
             // Check for edge cases and unknown options to match the behavior in the absence of plugins.
             if command.isEmpty {
                 throw ValidationError("Unknown argument '\(command)'")
-            }
-            else if command.starts(with: "-") {
+            } else if command.starts(with: "-") {
                 throw ValidationError("Unknown option '\(command)'")
             }
 
@@ -122,10 +123,14 @@ extension SwiftPackageTool {
 extension PluginCommand.PluginOptions {
     func merged(with other: Self) -> Self {
         // validate against developer mistake
-        assert(Mirror(reflecting: self).children.count == 3, "Property added to PluginOptions without updating merged(with:)!")
+        assert(
+            Mirror(reflecting: self).children.count == 3,
+            "Property added to PluginOptions without updating merged(with:)!"
+        )
         // actual merge
         var merged = self
-        merged.allowWritingToPackageDirectory = merged.allowWritingToPackageDirectory || other.allowWritingToPackageDirectory
+        merged.allowWritingToPackageDirectory = merged.allowWritingToPackageDirectory || other
+            .allowWritingToPackageDirectory
         merged.additionalAllowedWritableDirectories.append(contentsOf: other.additionalAllowedWritableDirectories)
         if other.allowNetworkConnections != .none {
             merged.allowNetworkConnections = other.allowNetworkConnections

Sources/PackageRegistryTool/PackageRegistryTool+Auth.swift

@@ -46,9 +46,13 @@ private func getpass(_ prompt: String) -> UnsafePointer<CChar> {
     defer { SetConsoleMode(hStdIn, dwMode) }
 
     var dwNumberOfCharsRead: DWORD = 0
-    _ = ReadConsoleA(hStdIn, StaticStorage.buffer.baseAddress,
-                     DWORD(StaticStorage.buffer.count), &dwNumberOfCharsRead,
-                     nil)
+    _ = ReadConsoleA(
+        hStdIn,
+        StaticStorage.buffer.baseAddress,
+        DWORD(StaticStorage.buffer.count),
+        &dwNumberOfCharsRead,
+        nil
+    )
     return UnsafePointer<CChar>(StaticStorage.buffer.baseAddress!)
 }
 #endif

Sources/PackageRegistryTool/PackageRegistryTool+Publish.swift

@@ -36,13 +36,10 @@ extension SwiftPackageRegistryTool {
         @OptionGroup(visibility: .hidden)
         var globalOptions: GlobalOptions
 
-        @Option(name: [.customLong("id"), .customLong("package-id")], help: "The package identifier.")
+        @Argument(help: .init("The package identifier.", valueName: "package-id"))
         var packageIdentity: PackageIdentity
 
-        @Option(
-            name: [.customLong("version"), .customLong("package-version")],
-            help: "The package release version being created."
-        )
+        @Argument(help: .init("The package release version being created.", valueName: "package-version"))
         var packageVersion: Version
 
         @Option(name: [.customLong("url"), .customLong("registry-url")], help: "The registry URL.")
@@ -74,7 +71,7 @@ extension SwiftPackageRegistryTool {
         @Option(help: "The path to the signing certificate (DER-encoded).")
         var certificatePath: AbsolutePath?
 
-        @Option(help: "Dry run only; prepare the archive and sign it but do not publish to the registry.")
+        @Flag(help: "Dry run only; prepare the archive and sign it but do not publish to the registry.")
         var dryRun: Bool = false
 
         func run(_ swiftTool: SwiftTool) async throws {
@@ -133,39 +130,18 @@ extension SwiftPackageRegistryTool {
             )
 
             // step 1: publishing configuration
-            let publishConfiguration = PublishConfiguration(
-                metadataLocation: self.customMetadataPath
-                    .flatMap { .external($0) } ??
-                    .sourceTree(packageDirectory.appending(component: Self.metadataFilename)),
-                signing: .init(
-                    required: self.signingIdentity != nil || self.privateKeyPath != nil,
-                    format: self.signatureFormat,
-                    signingIdentity: self.signingIdentity,
-                    privateKeyPath: self.privateKeyPath,
-                    certificatePath: self.certificatePath
-                )
-            )
+            let metadataLocation: MetadataLocation = self.customMetadataPath
+                .flatMap { .external($0) } ??
+                .sourceTree(packageDirectory.appending(component: Self.metadataFilename))
+            let signingRequired = self.signingIdentity != nil || self.privateKeyPath != nil || self
+                .certificatePath != nil
 
-            guard localFileSystem.exists(publishConfiguration.metadataLocation.path) else {
+            guard localFileSystem.exists(metadataLocation.path) else {
                 throw StringError(
-                    "Publishing to '\(registryURL)' requires metadata file but none was found at '\(publishConfiguration.metadataLocation)'."
+                    "Publishing to '\(registryURL)' requires metadata file but none was found at '\(metadataLocation)'."
                 )
             }
 
-            if publishConfiguration.signing.privateKeyPath != nil {
-                guard publishConfiguration.signing.certificatePath != nil else {
-                    throw StringError(
-                        "Both 'privateKeyPath' and 'certificatePath' are required when one of them is set."
-                    )
-                }
-            } else {
-                guard publishConfiguration.signing.certificatePath == nil else {
-                    throw StringError(
-                        "Both 'privateKeyPath' and 'certificatePath' are required when one of them is set."
-                    )
-                }
-            }
-
             // step 2: generate source archive for the package release
             swiftTool.observabilityScope.emit(info: "archiving the source at '\(packageDirectory)'")
             let archivePath = try self.archiveSource(
@@ -179,14 +155,41 @@ extension SwiftPackageRegistryTool {
 
             // step 3: sign the source archive if needed
             var signature: Data? = .none
-            if publishConfiguration.signing.required {
+            if signingRequired {
+                // compute signing mode
+                let signingMode: PackageArchiveSigner.SigningMode
+                switch (
+                    self.signingIdentity,
+                    self.certificatePath,
+                    self.privateKeyPath
+                ) {
+                case (.none, .some, .none):
+                    throw StringError(
+                        "Both 'private-key-path' and 'certificate-path' are required when one of them is set."
+                    )
+                case (.none, .none, .some):
+                    throw StringError(
+                        "Both 'private-key-path' and 'certificate-path' are required when one of them is set."
+                    )
+                case (.none, .some(let certificatePath), .some(let privateKeyPath)):
+                    signingMode = .certificate(certificate: certificatePath, privateKey: privateKeyPath)
+                case (.some(let signingStoreLabel), .none, .none):
+                    signingMode = .identityStore(signingStoreLabel)
+                default:
+                    throw StringError(
+                        "Either 'signing-identity' or 'private-key-path' (together with 'certificate-path') must be provided."
+                    )
+                }
+
                 swiftTool.observabilityScope.emit(info: "signing the archive at '\(archivePath)'")
-                signature = try await self.sign(
-                    packageIdentity: self.packageIdentity,
-                    packageVersion: self.packageVersion,
+                let signaturePath = workingDirectory
+                    .appending(component: "\(self.packageIdentity)-\(self.packageVersion).sig")
+                signature = try await PackageArchiveSigner.sign(
                     archivePath: archivePath,
-                    configuration: publishConfiguration.signing,
-                    workingDirectory: workingDirectory,
+                    signaturePath: signaturePath,
+                    mode: signingMode,
+                    signatureFormat: self.signatureFormat,
+                    fileSystem: localFileSystem,
                     observabilityScope: swiftTool.observabilityScope
                 )
             }
@@ -201,7 +204,6 @@ extension SwiftPackageRegistryTool {
 
             swiftTool.observabilityScope
                 .emit(info: "publishing '\(self.packageIdentity)' archive at '\(archivePath)' to '\(registryURL)'")
-            // TODO: handle signature
             let result = try await registryClient.publish(
                 registryURL: registryURL,
                 packageIdentity: self.packageIdentity,
@@ -260,89 +262,21 @@ extension SwiftPackageRegistryTool {
 
             return archivePath
         }
-
-        func sign(
-            packageIdentity: PackageIdentity,
-            packageVersion: Version,
-            archivePath: AbsolutePath,
-            configuration: PublishConfiguration.Signing,
-            workingDirectory: AbsolutePath,
-            observabilityScope: ObservabilityScope
-        ) async throws -> Data {
-            let archiveData = try Data(localFileSystem.readFileContents(archivePath).contents)
-
-            var signingIdentity: SigningIdentity?
-            if let signingIdentityLabel = configuration.signingIdentity {
-                let signingIdentityStore = SigningIdentityStore(observabilityScope: observabilityScope)
-                let matches = try await signingIdentityStore.find(by: signingIdentityLabel)
-                guard !matches.isEmpty else {
-                    throw StringError("'\(signingIdentityLabel)' not found in the system identity store.")
-                }
-                // TODO: let user choose if there is more than one match?
-                signingIdentity = matches.first
-            } else if let privateKeyPath = configuration.privateKeyPath,
-                      let certificatePath = configuration.certificatePath
-            {
-                let certificateData = try Data(localFileSystem.readFileContents(certificatePath).contents)
-                let privateKeyData = try Data(localFileSystem.readFileContents(privateKeyPath).contents)
-                signingIdentity = SwiftSigningIdentity(
-                    certificate: Certificate(derEncoded: certificateData),
-                    privateKey: try configuration.format.privateKey(derRepresentation: privateKeyData)
-                )
-            }
-
-            guard let signingIdentity = signingIdentity else {
-                throw StringError("Cannot sign archive without signing identity.")
-            }
-
-            let signature = try await SignatureProvider.sign(
-                archiveData,
-                with: signingIdentity,
-                in: configuration.format,
-                observabilityScope: observabilityScope
-            )
-
-            let signaturePath = workingDirectory.appending(component: "\(packageIdentity)-\(packageVersion).sig")
-            try localFileSystem.writeFileContents(signaturePath) { stream in
-                stream.write(signature)
-            }
-
-            return signature
-        }
     }
 }
 
-struct PublishConfiguration {
-    let metadataLocation: MetadataLocation
-    let signing: Signing
-
-    enum MetadataLocation {
-        case sourceTree(AbsolutePath)
-        case external(AbsolutePath)
+enum MetadataLocation {
+    case sourceTree(AbsolutePath)
+    case external(AbsolutePath)
 
-        var path: AbsolutePath {
-            switch self {
-            case .sourceTree(let path):
-                return path
-            case .external(let path):
-                return path
-            }
+    var path: AbsolutePath {
+        switch self {
+        case .sourceTree(let path):
+            return path
+        case .external(let path):
+            return path
         }
     }
-
-    struct Signing {
-        let required: Bool
-        let format: SignatureFormat
-        var signingIdentity: String?
-        var privateKeyPath: AbsolutePath?
-        var certificatePath: AbsolutePath?
-    }
-}
-
-extension SignatureFormat: ExpressibleByArgument {
-    public init?(argument: String) {
-        self.init(rawValue: argument.lowercased())
-    }
 }
 
 // TODO: migrate registry client to async