[6.0] Implement --checksum option on swift sdk install (#7723)

Cherry-pick of
#7722.

**Explanation**: This option [was specified in the corresponding
proposal for Swift
SDKs](https://github.com/swiftlang/swift-evolution/blob/main/proposals/0387-cross-compilation-destinations.md#swift-sdk-installation-and-configuration):

> For Swift SDKs installed from remote URLs an additional `--checksum`
option is required, through which users of a Swift SDK can specify a
checksum provided by a publisher of the SDK. The latter can produce a
checksum by running `swift package compute-checksum command` (introduced
in
[SE-0272](https://github.com/swiftlang/swift-evolution/blob/main/proposals/0272-swiftpm-binary-dependencies.md))
with the Swift SDK bundle archive as an argument.

**Scope**: the change is isolated to `swift sdk install` and `swift
package compute-checksum` subcommands.
**Risk**: low due to isolation to only two rarely used subcommands with
corresponding automated test cases provided.
**Testing**: updated existing test cases.
**Issue**: rdar://130590711
**Reviewer**: @bnbarham

Author: MaxDesiatov

Sources/Basics/Archiver/Archiver.swift

@@ -11,6 +11,7 @@
 //===----------------------------------------------------------------------===//
 
 import _Concurrency
+import struct Foundation.URL
 
 /// The `Archiver` protocol abstracts away the different operations surrounding archives.
 public protocol Archiver: Sendable {

Sources/PackageModel/SwiftSDKs/SwiftSDK.swift

@@ -25,6 +25,12 @@ public enum SwiftSDKError: Swift.Error {
     /// A passed argument is neither a valid file system path nor a URL.
     case invalidPathOrURL(String)
 
+    ///  Bundles installed from remote URLs require a checksum to be provided.
+    case checksumNotProvided(URL)
+
+    /// Computed archive checksum does not match the provided checksum.
+    case checksumInvalid(computed: String, provided: String)
+
     /// Couldn't find the Xcode installation.
     case invalidInstallation(String)
 
@@ -64,6 +70,17 @@ public enum SwiftSDKError: Swift.Error {
 extension SwiftSDKError: CustomStringConvertible {
     public var description: String {
         switch self {
+        case let .checksumInvalid(computed, provided):
+            return """
+            Computed archive checksum `\(computed)` does not match the provided checksum `\(provided)`.
+            """
+
+        case .checksumNotProvided(let url):
+            return """
+            Bundles installed from remote URLs (`\(url)`) require their checksum passed via `--checksum` option.
+            The distributor of the bundle must compute it with the `swift package compute-checksum` \
+            command and provide it with their Swift SDK installation instructions.
+            """
         case .invalidBundleArchive(let archivePath):
             return """
             Swift SDK archive at `\(archivePath)` does not contain at least one directory with the \

Sources/PackageModel/SwiftSDKs/SwiftSDKBundleStore.swift

@@ -22,6 +22,8 @@ public final class SwiftSDKBundleStore {
     public enum Output: Equatable, CustomStringConvertible {
         case downloadStarted(URL)
         case downloadFinishedSuccessfully(URL)
+        case verifyingChecksum
+        case checksumValid
         case unpackingArchive(bundlePathOrURL: String)
         case installationSuccessful(bundlePathOrURL: String, bundleName: String)
 
@@ -31,6 +33,10 @@ public final class SwiftSDKBundleStore {
                 return "Downloading a Swift SDK bundle archive from `\(url)`..."
             case let .downloadFinishedSuccessfully(url):
                 return "Swift SDK bundle archive successfully downloaded from `\(url)`."
+            case .verifyingChecksum:
+                return "Verifying if checksum of the downloaded archive is valid..."
+            case .checksumValid:
+                return "Downloaded archive has a valid checksum."
             case let .installationSuccessful(bundlePathOrURL, bundleName):
                 return "Swift SDK bundle at `\(bundlePathOrURL)` successfully installed as \(bundleName)."
             case let .unpackingArchive(bundlePathOrURL):
@@ -145,8 +151,10 @@ public final class SwiftSDKBundleStore {
     ///   - archiver: Archiver instance to use for extracting bundle archives.
     public func install(
         bundlePathOrURL: String,
+        checksum: String? = nil,
         _ archiver: any Archiver,
-        _ httpClient: HTTPClient = .init()
+        _ httpClient: HTTPClient = .init(),
+        hasher: ((_ archivePath: AbsolutePath) throws -> String)? = nil
     ) async throws {
         let bundleName = try await withTemporaryDirectory(fileSystem: self.fileSystem, removeTreeOnDeinit: true) { temporaryDirectory in
             let bundlePath: AbsolutePath
@@ -156,9 +164,13 @@ public final class SwiftSDKBundleStore {
                 let scheme = bundleURL.scheme,
                 scheme == "http" || scheme == "https"
             {
+                guard let checksum, let hasher else {
+                    throw SwiftSDKError.checksumNotProvided(bundleURL)
+                }
+
                 let bundleName: String
                 let fileNameComponent = bundleURL.lastPathComponent
-                if archiver.supportedExtensions.contains(where: { fileNameComponent.hasSuffix($0) }) {
+                if archiver.isFileSupported(fileNameComponent) {
                     bundleName = fileNameComponent
                 } else {
                     // Assume that the bundle is a tarball if it doesn't have a recognized extension.
@@ -193,9 +205,16 @@ public final class SwiftSDKBundleStore {
                 )
                 self.downloadProgressAnimation?.complete(success: true)
 
-                bundlePath = downloadedBundlePath
-
                 self.outputHandler(.downloadFinishedSuccessfully(bundleURL))
+
+                self.outputHandler(.verifyingChecksum)
+                let computedChecksum = try hasher(downloadedBundlePath)
+                guard computedChecksum == checksum else {
+                    throw SwiftSDKError.checksumInvalid(computed: computedChecksum, provided: checksum)
+                }
+                self.outputHandler(.checksumValid)
+
+                bundlePath = downloadedBundlePath
             } else if
                 let cwd: AbsolutePath = self.fileSystem.currentWorkingDirectory,
                 let originalBundlePath = try? AbsolutePath(validating: bundlePathOrURL, relativeTo: cwd)

Sources/SwiftSDKCommand/Configuration/DeprecatedSwiftSDKConfigurationCommand.swift

@@ -14,8 +14,8 @@ import ArgumentParser
 import Basics
 import PackageModel
 
-public struct DeprecatedSwiftSDKConfigurationCommand: ParsableCommand {
-    public static let configuration = CommandConfiguration(
+package struct DeprecatedSwiftSDKConfigurationCommand: ParsableCommand {
+    package static let configuration = CommandConfiguration(
         commandName: "configuration",
         abstract: """
         Deprecated: use `swift sdk configure` instead.
@@ -29,5 +29,5 @@ public struct DeprecatedSwiftSDKConfigurationCommand: ParsableCommand {
         ]
     )
 
-    public init() {}
+    package init() {}
 }

Sources/SwiftSDKCommand/InstallSwiftSDK.swift

@@ -17,10 +17,11 @@ import CoreCommands
 import Foundation
 import PackageModel
 
+import class Workspace.Workspace
 import var TSCBasic.stdoutStream
 
-public struct InstallSwiftSDK: SwiftSDKSubcommand {
-    public static let configuration = CommandConfiguration(
+struct InstallSwiftSDK: SwiftSDKSubcommand {
+    static let configuration = CommandConfiguration(
         commandName: "install",
         abstract: """
         Installs a given Swift SDK bundle to a location discoverable by SwiftPM. If the artifact bundle \
@@ -34,8 +35,8 @@ public struct InstallSwiftSDK: SwiftSDKSubcommand {
     @Argument(help: "A local filesystem path or a URL of a Swift SDK bundle to install.")
     var bundlePathOrURL: String
 
-
-    public init() {}
+    @Option(help: "The checksum of the bundle generated with `swift package compute-checksum`.")
+    var checksum: String? = nil
 
     func run(
         hostTriple: Triple,
@@ -54,10 +55,18 @@ public struct InstallSwiftSDK: SwiftSDKSubcommand {
                 .percent(stream: stdoutStream, verbose: false, header: "Downloading")
                 .throttled(interval: .milliseconds(300))
         )
+
         try await store.install(
             bundlePathOrURL: bundlePathOrURL,
+            checksum: self.checksum,
             UniversalArchiver(self.fileSystem, cancellator),
-            HTTPClient()
+            HTTPClient(),
+            hasher: {
+                try Workspace.BinaryArtifactsManager.checksum(
+                    forBinaryArtifactAt: $0,
+                    fileSystem: self.fileSystem
+                )
+            }
         )
     }
 }

Sources/SwiftSDKCommand/ListSwiftSDKs.swift

@@ -16,8 +16,8 @@ import CoreCommands
 import PackageModel
 import SPMBuildCore
 
-public struct ListSwiftSDKs: SwiftSDKSubcommand {
-    public static let configuration = CommandConfiguration(
+package struct ListSwiftSDKs: SwiftSDKSubcommand {
+    package static let configuration = CommandConfiguration(
         commandName: "list",
         abstract:
         """
@@ -28,7 +28,7 @@ public struct ListSwiftSDKs: SwiftSDKSubcommand {
     @OptionGroup()
     var locations: LocationOptions
 
-    public init() {}
+    package init() {}
 
     func run(
         hostTriple: Triple,

Sources/SwiftSDKCommand/RemoveSwiftSDK.swift

@@ -15,8 +15,8 @@ import Basics
 import CoreCommands
 import PackageModel
 
-public struct RemoveSwiftSDK: SwiftSDKSubcommand {
-    public static let configuration = CommandConfiguration(
+package struct RemoveSwiftSDK: SwiftSDKSubcommand {
+    package static let configuration = CommandConfiguration(
         commandName: "remove",
         abstract: """
         Removes a previously installed Swift SDK bundle from the filesystem.

Sources/SwiftSDKCommand/SwiftSDKCommand.swift

@@ -12,9 +12,9 @@
 
 import ArgumentParser
 import Basics
-
-public struct SwiftSDKCommand: AsyncParsableCommand {
-    public static let configuration = CommandConfiguration(
+    
+package struct SwiftSDKCommand: AsyncParsableCommand {
+    package static let configuration = CommandConfiguration(
         commandName: "sdk",
         _superCommandName: "swift",
         abstract: "Perform operations on Swift SDKs.",
@@ -29,5 +29,5 @@ public struct SwiftSDKCommand: AsyncParsableCommand {
         helpNames: [.short, .long, .customLong("help", withSingleDash: true)]
     )
 
-    public init() {}
+    package init() {}
 }

Tests/PackageModelTests/SwiftSDKBundleTests.swift

@@ -19,6 +19,7 @@ import XCTest
 import struct TSCBasic.ByteString
 import protocol TSCBasic.FileSystem
 import class TSCBasic.InMemoryFileSystem
+import class Workspace.Workspace
 
 private let testArtifactID = "test-artifact"
 
@@ -146,13 +147,13 @@ final class SwiftSDKBundleTests: XCTestCase {
         let cancellator = Cancellator(observabilityScope: observabilityScope)
         let archiver = UniversalArchiver(localFileSystem, cancellator)
 
-        let fixtureAndURLs: [(url: String, fixture: String)] = [
-            ("https://localhost/archive?test=foo", "test-sdk.artifactbundle.tar.gz"),
-            ("https://localhost/archive.tar.gz", "test-sdk.artifactbundle.tar.gz"),
-            ("https://localhost/archive.zip", "test-sdk.artifactbundle.zip"),
+        let fixtureAndURLs: [(url: String, fixture: String, checksum: String)] = [
+            ("https://localhost/archive?test=foo", "test-sdk.artifactbundle.tar.gz", "724b5abf125287517dbc5be9add055d4755dfca679e163b249ea1045f5800c6e"),
+            ("https://localhost/archive.tar.gz", "test-sdk.artifactbundle.tar.gz", "724b5abf125287517dbc5be9add055d4755dfca679e163b249ea1045f5800c6e"),
+            ("https://localhost/archive.zip", "test-sdk.artifactbundle.zip", "74f6df5aa91c582c12e3a6670ff95973e463dd3266aabbc52ad13c3cd27e2793"),
         ]
 
-        for (bundleURLString, fixture) in fixtureAndURLs {
+        for (bundleURLString, fixture, checksum) in fixtureAndURLs {
             let httpClient = HTTPClient { request, _ in
                 guard case let .download(_, downloadPath) = request.kind else {
                     XCTFail("Unexpected HTTPClient.Request.Kind")
@@ -173,12 +174,16 @@ final class SwiftSDKBundleTests: XCTestCase {
                         output.append($0)
                     }
                 )
-                try await store.install(bundlePathOrURL: bundleURLString, archiver, httpClient)
+                try await store.install(bundlePathOrURL: bundleURLString, checksum: checksum, archiver, httpClient) {
+                    try Workspace.BinaryArtifactsManager.checksum(forBinaryArtifactAt: $0, fileSystem: localFileSystem)
+                }
 
                 let bundleURL = URL(string: bundleURLString)!
                 XCTAssertEqual(output, [
                     .downloadStarted(bundleURL),
                     .downloadFinishedSuccessfully(bundleURL),
+                    .verifyingChecksum,
+                    .checksumValid,
                     .unpackingArchive(bundlePathOrURL: bundleURLString),
                     .installationSuccessful(
                         bundlePathOrURL: bundleURLString,