Rewrite PackageCollectionsSigning using swift-certificates #6468
Conversation
yim-lee
requested review from
abertelrud,
neonichu,
tomerd and
MaxDesiatov
as code owners
| case appleSwiftPackageCollection(subjectUserID: String? = nil, subjectOrganizationalUnit: String? = nil) | ||
|
|
||
| @available(*, deprecated, message: "use `appleSwiftPackageCollection` instead") | ||
| case appleDistribution(subjectUserID: String? = nil, subjectOrganizationalUnit: String? = nil) |
| } | ||
|
|
||
| Task { | ||
| var trustStore = CertificateStores.defaultTrustRoots |
There was a problem hiding this comment.
A major change in the new implementation is that we no longer use the system trust store (we used to on Darwin platforms through the Security framework) and SwiftPM will its own default trust store instead.
There was a problem hiding this comment.
Both this and PackageSigning require the same resources. Would it make sense to have a shared resource-only module?
yim-lee
force-pushed
the
collections-signing
branch
from
f3b0bdc to
6a2c60d
Compare
|
@swift-ci please test Windows platform |
| /** Package collections signing C lib */ | ||
| name: "PackageCollectionsSigningLibc", | ||
| dependencies: [ | ||
| .product(name: "Crypto", package: "swift-crypto"), // for CCryptoBoringSSL |
There was a problem hiding this comment.
done still need the dependency on swift-crypto?
There was a problem hiding this comment.
Yes, we still need it for keys and signing.
yim-lee
force-pushed
the
collections-signing
branch
from
7362c2a to
9702079
Compare
yim-lee
force-pushed
the
collections-signing
branch
from
9702079 to
b029026
Compare
|
Figured it out. Moving this out of Draft. |
Motivation: `PackageCollectionsSigning` was written before `swift-certificates` and `swift-asn1` were available. The implementation relied on BoringSSL C library via `CCryptoBoringSSL`, which is not meant to be used outside of `swift-crypto` because it introduces Swift-breaking changes often (as SwiftPM had experienced with version `2.4.1`). Modifications: - Rewrite `PackageCollectionsSigning` using `swift-certificates` and `swift-asn1` so we can remove `CCryptoBoringSSL` dependency. - `PackageCollectionsSigningLibC`, which contains SwiftPM's implementation of OCSP, is no longer needed and removed in this PR.
yim-lee
force-pushed
the
collections-signing
branch
from
b029026 to
63ca5f0
Compare
|
@swift-ci please smoke test |
|
@swift-ci please test Windows platform |
Motivation:
PackageCollectionsSigningwas written beforeswift-certificatesandswift-asn1were available. The implementation relied on BoringSSL C library viaCCryptoBoringSSL, which is not meant to be used outside ofswift-cryptobecause it introduces Swift-breaking changes often (as SwiftPM had experienced with version2.4.1).Modifications:
PackageCollectionsSigningusingswift-certificatesandswift-asn1so we can removeCCryptoBoringSSLdependency.PackageCollectionsSigningLibC, which contains SwiftPM's implementation of OCSP, is no longer needed and removed in this PR.