Add signing tool

yim-lee · yim-lee · commit 6d34a73c77ff · 2021-02-22T14:57:22.000-08:00
This is **experimental**!!! Depends on swiftlang/swift-package-manager#3272
diff --git a/Package.swift b/Package.swift
@@ -9,6 +9,8 @@ let package = Package(
     products: [
         .library(name: "PackageCollectionGenerator", targets: ["PackageCollectionGenerator"]),
         .executable(name: "package-collection-generate", targets: ["PackageCollectionGeneratorExecutable"]),
+        .library(name: "PackageCollectionSigner", targets: ["PackageCollectionSigner"]),
+        .executable(name: "package-collection-sign", targets: ["PackageCollectionSignerExecutable"]),
         .library(name: "PackageCollectionValidator", targets: ["PackageCollectionValidator"]),
         .executable(name: "package-collection-validate", targets: ["PackageCollectionValidatorExecutable"]),
         .library(name: "PackageCollectionDiff", targets: ["PackageCollectionDiff"]),
@@ -17,37 +19,44 @@ let package = Package(
     dependencies: [
         .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMajor(from: "0.3.0")),
         // FIXME: need semver
-        .package(name: "SwiftPM", url: "https://github.com/apple/swift-package-manager.git", .branch("main")),
+        .package(name: "SwiftPM", url: "https://github.com/yim-lee/swift-package-manager.git", .branch("wire-signing-all")),
     ],
     targets: [
         .target(name: "Utilities", dependencies: [
-            .product(name: "SwiftPMDataModel", package: "SwiftPM"),
+            .product(name: "SwiftPMPackageCollections", package: "SwiftPM"),
         ]),
 
         .target(name: "PackageCollectionGenerator", dependencies: [
             "Utilities",
-            .product(name: "SwiftPMDataModel", package: "SwiftPM"),
+            .product(name: "SwiftPMPackageCollections", package: "SwiftPM"),
             .product(name: "ArgumentParser", package: "swift-argument-parser"),
         ]),
         .target(name: "PackageCollectionGeneratorExecutable", dependencies: ["PackageCollectionGenerator"]),
 
+        .target(name: "PackageCollectionSigner", dependencies: [
+            "Utilities",
+            .product(name: "SwiftPMPackageCollections", package: "SwiftPM"),
+            .product(name: "ArgumentParser", package: "swift-argument-parser"),
+        ]),
+        .target(name: "PackageCollectionSignerExecutable", dependencies: ["PackageCollectionSigner"]),
+
         .target(name: "PackageCollectionValidator", dependencies: [
             "Utilities",
-            .product(name: "SwiftPMDataModel", package: "SwiftPM"),
+            .product(name: "SwiftPMPackageCollections", package: "SwiftPM"),
             .product(name: "ArgumentParser", package: "swift-argument-parser"),
         ]),
         .target(name: "PackageCollectionValidatorExecutable", dependencies: ["PackageCollectionValidator"]),
 
         .target(name: "PackageCollectionDiff", dependencies: [
             "Utilities",
-            .product(name: "SwiftPMDataModel", package: "SwiftPM"),
+            .product(name: "SwiftPMPackageCollections", package: "SwiftPM"),
             .product(name: "ArgumentParser", package: "swift-argument-parser"),
         ]),
         .target(name: "PackageCollectionDiffExecutable", dependencies: ["PackageCollectionDiff"]),
 
         .target(name: "TestUtilities", dependencies: [
             .product(name: "ArgumentParser", package: "swift-argument-parser"),
-            .product(name: "SwiftPMDataModel", package: "SwiftPM"),
+            .product(name: "SwiftPMPackageCollections", package: "SwiftPM"),
         ]),
 
         .testTarget(name: "PackageCollectionGeneratorTests", dependencies: ["PackageCollectionGenerator"]),
@@ -56,6 +65,11 @@ let package = Package(
             "TestUtilities",
         ]),
 
+        .testTarget(name: "PackageCollectionSignerExecutableTests", dependencies: [
+            "PackageCollectionSignerExecutable",
+            "TestUtilities",
+        ]),
+
         .testTarget(name: "PackageCollectionValidatorExecutableTests", dependencies: [
             "PackageCollectionValidatorExecutable",
             "TestUtilities",
diff --git a/Sources/PackageCollectionDiff/PackageCollectionDiff.swift b/Sources/PackageCollectionDiff/PackageCollectionDiff.swift
@@ -14,6 +14,8 @@
 
 import ArgumentParser
 import Foundation
+
+import Basics
 import PackageCollectionsModel
 import TSCBasic
 import Utilities
@@ -41,8 +43,7 @@ public struct PackageCollectionDiff: ParsableCommand {
 
         print("Comparing collections located at \(self.collectionOnePath) and \(self.collectionTwoPath)", inColor: .cyan, verbose: self.verbose)
 
-        let jsonDecoder = JSONDecoder()
-        jsonDecoder.dateDecodingStrategy = .iso8601
+        let jsonDecoder = JSONDecoder.makeWithDefaults()
 
         let collectionOne = try self.parsePackageCollection(at: self.collectionOnePath, using: jsonDecoder)
         let collectionTwo = try self.parsePackageCollection(at: self.collectionTwoPath, using: jsonDecoder)
diff --git a/Sources/PackageCollectionGenerator/Models/PackageCollectionGeneratorInput.swift b/Sources/PackageCollectionGenerator/Models/PackageCollectionGeneratorInput.swift
@@ -13,6 +13,7 @@
 //===----------------------------------------------------------------------===//
 
 import Foundation
+
 import PackageCollectionsModel
 
 /// Input for the `package-collection-generate` command
diff --git a/Sources/PackageCollectionGenerator/Models/PackageManifest.swift b/Sources/PackageCollectionGenerator/Models/PackageManifest.swift
@@ -13,6 +13,7 @@
 //===----------------------------------------------------------------------===//
 
 import Foundation
+
 import PackageModel
 
 // Note: Not using SwiftPM's `PackageModel.Manifest` to avoid issues with
diff --git a/Sources/PackageCollectionGenerator/PackageCollectionGenerate.swift b/Sources/PackageCollectionGenerator/PackageCollectionGenerate.swift
@@ -14,6 +14,8 @@
 
 import ArgumentParser
 import Foundation
+
+import Basics
 import PackageCollectionsModel
 import PackageModel
 import TSCBasic
@@ -58,7 +60,7 @@ public struct PackageCollectionGenerate: ParsableCommand {
         print("Using input file located at \(self.inputPath)", inColor: .cyan, verbose: self.verbose)
 
         // Get the list of packages to process
-        let jsonDecoder = JSONDecoder()
+        let jsonDecoder = JSONDecoder.makeWithDefaults()
         let input = try jsonDecoder.decode(PackageCollectionGeneratorInput.self, from: Data(contentsOf: URL(fileURLWithPath: self.inputPath)))
         print("\(input)", verbose: self.verbose)
 
@@ -85,16 +87,6 @@ public struct PackageCollectionGenerate: ParsableCommand {
             generatedBy: input.author
         )
 
-        let jsonEncoder = JSONEncoder()
-        jsonEncoder.dateEncodingStrategy = .iso8601
-        if #available(macOS 10.15, *) {
-            #if os(macOS)
-            jsonEncoder.outputFormatting = [.sortedKeys, .withoutEscapingSlashes]
-            #else
-            jsonEncoder.outputFormatting = [.sortedKeys]
-            #endif
-        }
-
         // Make sure the output directory exists
         let outputAbsolutePath: AbsolutePath
         do {
@@ -106,6 +98,7 @@ public struct PackageCollectionGenerate: ParsableCommand {
         try localFileSystem.createDirectory(outputDirectory, recursive: true)
 
         // Write the package collection
+        let jsonEncoder = JSONEncoder.makeWithDefaults(prettified: false)
         let jsonData = try jsonEncoder.encode(packageCollection)
         try jsonData.write(to: URL(fileURLWithPath: outputAbsolutePath.pathString))
         print("Package collection saved to \(outputAbsolutePath)", inColor: .cyan, verbose: self.verbose)
diff --git a/Sources/PackageCollectionSigner/PackageCollectionSign.swift b/Sources/PackageCollectionSigner/PackageCollectionSign.swift
@@ -0,0 +1,102 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift Package Collection Generator open source project
+//
+// Copyright (c) 2021 Apple Inc. and the Swift Package Collection Generator project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of Swift Package Collection Generator project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import PackageCollectionsSigning
+
+import ArgumentParser
+import Dispatch
+import Foundation
+
+import Basics
+import PackageCollectionsModel
+import PackageCollectionsSigning
+
+import TSCBasic
+import Utilities
+
+public struct PackageCollectionSign: ParsableCommand {
+    public static let configuration = CommandConfiguration(
+        abstract: "Sign a package collection."
+    )
+
+    @Argument(help: "The path to the package collection file to be signed")
+    var inputPath: String
+
+    @Argument(help: "The path to write the signed package collection to")
+    var outputPath: String
+
+    @Argument(help: "The path to certificate's private key (PEM encoded)")
+    var privateKeyPath: String
+
+    @Argument(help: "Paths to all certificates (DER encoded) in the chain. The certificate used for signing must be first and the root certificate last.")
+    var certChainPaths: [String]
+
+    @Flag(name: .long, help: "Show extra logging for debugging purposes")
+    var verbose: Bool = false
+
+    typealias Model = PackageCollectionModel.V1
+
+    public init() {}
+
+    public func run() throws {
+        try self._run(signer: nil)
+    }
+
+    internal func _run(signer: PackageCollectionSigner?) throws {
+        guard !self.certChainPaths.isEmpty else {
+            printError("Certificate chain cannot be empty")
+            throw PackageCollectionSigningError.emptyCertChain
+        }
+
+        Process.verbose = self.verbose
+
+        print("Signing package collection located at \(self.inputPath)", inColor: .cyan, verbose: self.verbose)
+
+        let jsonDecoder = JSONDecoder.makeWithDefaults()
+        let collection = try jsonDecoder.decode(Model.Collection.self, from: Data(contentsOf: URL(fileURLWithPath: self.inputPath)))
+
+        let privateKeyURL = URL(fileURLWithPath: self.privateKeyPath)
+        let certChainURLs = self.certChainPaths.map(URL.init(fileURLWithPath:))
+
+        try withTemporaryDirectory(removeTreeOnDeinit: true) { tmpDir in
+            // The last item in the array is the root certificate and we want to trust it, so here we
+            // create a temp directory, copy the root certificate to it, and make it the trustedRootCertsDir.
+            let rootCertPath = AbsolutePath(certChainPaths.last!) // !-safe since certChain cannot be empty at this point
+            let rootCertFilename = rootCertPath.components.last!
+            try localFileSystem.copy(from: rootCertPath, to: tmpDir.appending(component: rootCertFilename))
+
+            // Sign the collection
+            let signer = signer ?? PackageCollectionSigning(trustedRootCertsDir: tmpDir.asURL, callbackQueue: DispatchQueue.global(), diagnosticsEngine: DiagnosticsEngine())
+            let signedCollection = try tsc_await { callback in
+                signer.sign(collection: collection, certChainPaths: certChainURLs, certPrivateKeyPath: privateKeyURL, certPolicyKey: .default, callback: callback)
+            }
+
+            // Make sure the output directory exists
+            let outputAbsolutePath: AbsolutePath
+            do {
+                outputAbsolutePath = try AbsolutePath(validating: self.outputPath)
+            } catch {
+                outputAbsolutePath = AbsolutePath(self.outputPath, relativeTo: AbsolutePath(FileManager.default.currentDirectoryPath))
+            }
+            let outputDirectory = outputAbsolutePath.parentDirectory
+            try localFileSystem.createDirectory(outputDirectory, recursive: true)
+
+            // Write the signed collection
+            let jsonEncoder = JSONEncoder.makeWithDefaults(prettified: false)
+            let jsonData = try jsonEncoder.encode(signedCollection)
+            try jsonData.write(to: URL(fileURLWithPath: outputAbsolutePath.pathString))
+            print("Signed package collection saved to \(outputAbsolutePath)", inColor: .cyan, verbose: self.verbose)
+        }
+    }
+}
diff --git a/Sources/PackageCollectionSigner/README.md b/Sources/PackageCollectionSigner/README.md
@@ -0,0 +1,31 @@
+# Package Collection Signer
+
+This tool is used for signing a package collection.
+
+```
+> swift run package-collection-sign --help
+OVERVIEW: Sign a package collection.
+
+USAGE: package-collection-sign <input-path> <output-path> <private-key-path> [<cert-chain-paths> ...] [--verbose]
+
+ARGUMENTS:
+  <input-path>            The path to the package collection file to be signed
+  <output-path>           The path to write the signed package collection to
+  <private-key-path>      The path to certificate's private key (PEM encoded)
+  <cert-chain-paths>      Paths to all certificates (DER encoded) in the chain. The certificate used for signing must be first and the root
+                          certificate last.
+
+OPTIONS:
+  --verbose               Show extra logging for debugging purposes
+  -h, --help              Show help information.
+```
+
+### Sample Usage
+
+```
+> swift run package-collection-sign \
+    my-collection.json \
+    my-signed-collection.json \
+    priivate-key.pem \
+    certificate.cer intermediate_ca.cer root_ca.cer
+```
diff --git a/Sources/PackageCollectionSignerExecutable/main.swift b/Sources/PackageCollectionSignerExecutable/main.swift
@@ -0,0 +1,17 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift Package Collection Generator open source project
+//
+// Copyright (c) 2020 Apple Inc. and the Swift Package Collection Generator project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of Swift Package Collection Generator project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import PackageCollectionSigner
+
+PackageCollectionSign.main()
diff --git a/Sources/PackageCollectionValidator/PackageCollectionValidate.swift b/Sources/PackageCollectionValidator/PackageCollectionValidate.swift
@@ -14,6 +14,8 @@
 
 import ArgumentParser
 import Foundation
+
+import Basics
 import enum PackageCollections.ValidationError
 import struct PackageCollections.ValidationMessage
 import enum PackageCollectionsModel.PackageCollectionModel
@@ -45,8 +47,7 @@ public struct PackageCollectionValidate: ParsableCommand {
 
         let validator = Model.Validator()
 
-        let jsonDecoder = JSONDecoder()
-        jsonDecoder.dateDecodingStrategy = .iso8601
+        let jsonDecoder = JSONDecoder.makeWithDefaults()
 
         let collection: Model.Collection
         do {
diff --git a/Tests/PackageCollectionDiffExecutableTests/PackageCollectionDiffTests.swift b/Tests/PackageCollectionDiffExecutableTests/PackageCollectionDiffTests.swift
@@ -12,10 +12,11 @@
 //
 //===----------------------------------------------------------------------===//
 
+import XCTest
+
 @testable import PackageCollectionDiff
 @testable import TestUtilities
 import TSCBasic
-import XCTest
 
 final class PackageCollectionDiffTests: XCTestCase {
     func test_help() throws {
diff --git a/Tests/PackageCollectionGeneratorExecutableTests/PackageCollectionGenerateTests.swift b/Tests/PackageCollectionGeneratorExecutableTests/PackageCollectionGenerateTests.swift
@@ -13,12 +13,14 @@
 //===----------------------------------------------------------------------===//
 
 import Foundation
+import XCTest
+
+import Basics
 @testable import PackageCollectionGenerator
 import PackageCollectionsModel
 @testable import TestUtilities
 import TSCBasic
 import TSCUtility
-import XCTest
 
 final class PackageCollectionGenerateTests: XCTestCase {
     typealias Model = PackageCollectionModel.V1
@@ -42,15 +44,6 @@ final class PackageCollectionGenerateTests: XCTestCase {
             let repoThreeArchivePath = AbsolutePath(#file).parentDirectory.appending(components: "Inputs", "TestRepoThree.tgz")
             try systemQuietly(["tar", "-x", "-v", "-C", tmpDir.pathString, "-f", repoThreeArchivePath.pathString])
 
-            let jsonEncoder = JSONEncoder()
-            if #available(macOS 10.15, *) {
-                #if os(macOS)
-                jsonEncoder.outputFormatting = [.withoutEscapingSlashes]
-                #else
-                jsonEncoder.outputFormatting = [.sortedKeys]
-                #endif
-            }
-
             // Prepare input.json
             let input = PackageCollectionGeneratorInput(
                 name: "Test Package Collection",
@@ -72,6 +65,7 @@ final class PackageCollectionGenerateTests: XCTestCase {
                     ),
                 ]
             )
+            let jsonEncoder = JSONEncoder.makeWithDefaults()
             let inputData = try jsonEncoder.encode(input)
             let inputFilePath = tmpDir.appending(component: "input.json")
             try localFileSystem.writeFileContents(inputFilePath, bytes: ByteString(inputData))
@@ -194,8 +188,7 @@ final class PackageCollectionGenerateTests: XCTestCase {
                 ),
             ]
 
-            let jsonDecoder = JSONDecoder()
-            jsonDecoder.dateDecodingStrategy = .iso8601
+            let jsonDecoder = JSONDecoder.makeWithDefaults()
 
             // Assert the generated package collection
             let collectionData = try localFileSystem.readFileContents(outputFilePath).contents
diff --git a/Tests/PackageCollectionGeneratorTests/PackageCollectionGeneratorInputTests.swift b/Tests/PackageCollectionGeneratorTests/PackageCollectionGeneratorInputTests.swift
@@ -13,10 +13,10 @@
 //===----------------------------------------------------------------------===//
 
 import Foundation
-import TSCBasic
 import XCTest
 
 @testable import PackageCollectionGenerator
+import TSCBasic
 
 class PackageCollectionGeneratorInputTests: XCTestCase {
     func testLoadFromFile() throws {
diff --git a/Tests/PackageCollectionSignerExecutableTests/Inputs/Test_ec.cer b/Tests/PackageCollectionSignerExecutableTests/Inputs/Test_ec.cer
diff --git a/Tests/PackageCollectionSignerExecutableTests/Inputs/Test_ec_key.pem b/Tests/PackageCollectionSignerExecutableTests/Inputs/Test_ec_key.pem
diff --git a/Tests/PackageCollectionSignerExecutableTests/Inputs/test.json b/Tests/PackageCollectionSignerExecutableTests/Inputs/test.json
diff --git a/Tests/PackageCollectionSignerExecutableTests/PackageCollectionSignTests.swift b/Tests/PackageCollectionSignerExecutableTests/PackageCollectionSignTests.swift
diff --git a/Tests/PackageCollectionValidatorExecutableTests/PackageCollectionValidateTests.swift b/Tests/PackageCollectionValidatorExecutableTests/PackageCollectionValidateTests.swift
diff --git a/docker/docker-compose.1804.54.yaml b/docker/docker-compose.1804.54.yaml
