Signing of the prebuilts manifest file. (#8284)

To ensure confidence that the manifest file and zip files are the ones
that were published, we use checksums for the zip files which are listed
in the manifest file. We now add signing for the manifest file to ensure
it isn't compromised. We use the same scheme as we used for package
collections where a signature is generated for the core manifest data
and then injected into the JSON file at the top level.

Note that we are adding the ManifestSigning to the Workspace module with
the eventual intention of making this a module we can reuse with package
collections once we forward port to main. We don't want to make changes
to the package collections on the 6.1 branch.

Also added a quick fix to the host platform computation that was causing
compile errors if not the two major ones (i.e. 32-bit Android ARM
hosts).

Author: dschaefer2

Sources/Basics/FileSystem/FileSystem+Extensions.swift

@@ -677,3 +677,17 @@ extension FileSystem {
         }
     }
 }
+
+extension FileSystem {
+    /// Do a deep enumeration, passing each file to block
+    public func enumerate(directory: AbsolutePath, block: (AbsolutePath) throws -> ()) throws {
+        for file in try getDirectoryContents(directory) {
+            let path = directory.appending(file)
+            if isDirectory(path) {
+                try enumerate(directory: path, block: block)
+            } else {
+                try block(path)
+            }
+        }
+    }
+}

Sources/CoreCommands/Options.swift

@@ -201,6 +201,12 @@ public struct CachingOptions: ParsableArguments {
         help: .hidden
     )
     public var prebuiltsDownloadURL: String?
+
+    @Option(
+        name: .customLong("experimental-prebuilts-root-cert"),
+        help: .hidden
+    )
+    public var prebuiltsRootCertPath: String?
 }
 
 public struct LoggingOptions: ParsableArguments {

Sources/CoreCommands/SwiftCommandState.swift

@@ -473,7 +473,8 @@ public final class SwiftCommandState {
                 },
                 manifestImportRestrictions: .none,
                 usePrebuilts: options.caching.usePrebuilts,
-                prebuiltsDownloadURL: options.caching.prebuiltsDownloadURL
+                prebuiltsDownloadURL: options.caching.prebuiltsDownloadURL,
+                prebuiltsRootCertPath: options.caching.prebuiltsRootCertPath
             ),
             cancellator: self.cancellator,
             initializationWarningHandler: { self.observabilityScope.emit(warning: $0) },

Sources/Workspace/CMakeLists.txt

@@ -14,6 +14,13 @@ add_library(Workspace
   ManagedArtifact.swift
   ManagedDependency.swift
   ManagedPrebuilt.swift
+  ManifestSigning/Base64URL.swift
+  ManifestSigning/CertificatePolicy.swift
+  ManifestSigning/embedded_resources.swift
+  ManifestSigning/ManifestSigning.swift
+  ManifestSigning/Signature.swift
+  ManifestSigning/Utilities.swift
+  ManifestSigning/X509Extensions.swift
   PackageContainer/FileSystemPackageContainer.swift
   PackageContainer/RegistryPackageContainer.swift
   PackageContainer/SourceControlPackageContainer.swift

Sources/Workspace/ManifestSigning/Base64URL.swift

@@ -0,0 +1,76 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift open source project
+//
+// Copyright (c) 2021-2023 Apple Inc. and the Swift project authors
+// Licensed under Apache License v2.0 with Runtime Library Exception
+//
+// See http://swift.org/LICENSE.txt for license information
+// See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
+//
+//===----------------------------------------------------------------------===//
+
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Vapor open source project
+//
+// Copyright (c) 2017-2020 Vapor project authors
+// Licensed under MIT
+//
+// See LICENSE for license information
+//
+// SPDX-License-Identifier: MIT
+//
+//===----------------------------------------------------------------------===//
+
+import Foundation
+
+// Source: https://github.com/vapor/jwt-kit/blob/master/Sources/JWTKit/Utilities/Base64URL.swift
+
+extension DataProtocol {
+    func base64URLDecodedBytes() -> Data? {
+        var data = Data(self)
+        data.base64URLUnescape()
+        return Data(base64Encoded: data)
+    }
+
+    func base64URLEncodedBytes() -> Data {
+        var data = Data(self).base64EncodedData()
+        data.base64URLEscape()
+        return data
+    }
+}
+
+extension Data {
+    /// Converts base64-url encoded data to a base64 encoded data.
+    ///
+    /// https://tools.ietf.org/html/rfc4648#page-7
+    mutating func base64URLUnescape() {
+        for i in 0 ..< self.count {
+            switch self[i] {
+            case 0x2D: self[self.index(self.startIndex, offsetBy: i)] = 0x2B
+            case 0x5F: self[self.index(self.startIndex, offsetBy: i)] = 0x2F
+            default: break
+            }
+        }
+        /// https://stackoverflow.com/questions/43499651/decode-base64url-to-base64-swift
+        let padding = count % 4
+        if padding > 0 {
+            self += Data(repeating: 0x3D, count: 4 - padding)
+        }
+    }
+
+    /// Converts base64 encoded data to a base64-url encoded data.
+    ///
+    /// https://tools.ietf.org/html/rfc4648#page-7
+    mutating func base64URLEscape() {
+        for i in 0 ..< self.count {
+            switch self[i] {
+            case 0x2B: self[self.index(self.startIndex, offsetBy: i)] = 0x2D
+            case 0x2F: self[self.index(self.startIndex, offsetBy: i)] = 0x5F
+            default: break
+            }
+        }
+        self = split(separator: 0x3D).first ?? .init()
+    }
+}