Skip to content

[feature] Improve package signing plugin integration: new commands, tools and output format #18785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
danimtb wants to merge 41 commits into from
Closed

[feature] Improve package signing plugin integration: new commands, tools and output format #18785

danimtb wants to merge 41 commits into from

Conversation

@danimtb
Copy link
Member

@danimtb danimtb commented Aug 15, 2025
edited
Loading

Changelog: Feature: Improve package signing plugin integration.
Changelog: Feature: Add conan cache sign and conan cache verify commands for package signing.
Changelog Feature: Standardize package summary format with files, checksums, signing method and signing provider.
Docs: missing

  • Added new commands for sign and verify.
  • Added text and json format output.
  • Manage errors and messages (warnings too) for the report.
  • Added context parameter to decide the behavior of the plugin when uploading, installing or just managing the signatures from the cache.
  • Added tools to create a package summary json file wtih files, checkusms, signing methof and signing provider.
  • Managed output with package lists.
  • Error management in the upload command when signing packages.

@danimtb danimtb mentioned this pull request Aug 15, 2025
Closed
@danimtb danimtb marked this pull request as ready for review November 11, 2025 15:48
AbrilRBS
AbrilRBS reviewed Nov 11, 2025
View reviewed changes
danimtb
danimtb commented Nov 12, 2025
View reviewed changes
danimtb
danimtb commented Nov 12, 2025
View reviewed changes
memsharded
memsharded reviewed Nov 12, 2025
View reviewed changes
conan/internal/rest/pkg_sign.py Outdated
Comment on lines 43 to 48
file_path = os.path.join(self._artifacts_folder, fname)
if os.path.isfile(file_path):
sha256 = sha256sum(file_path)
checksums[fname] = sha256
sorted_checksums = dict(sorted(checksums.items()))
content = copy.deepcopy(self.SIGN_SUMMARY_CONTENT)
Copy link
Member

@memsharded memsharded Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is doing a checksum of all artifacts in the package?
What exactly for?

Copy link
Member Author

@danimtb danimtb Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We agreed that this should be the way the plugin should work. Get the cheksums of all the contetns of the package, create a summary file with filenames and checkesums and use that file to sign the package

Copy link
Member

@memsharded memsharded Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But maybe, this is the kind of thing that shouldn't belong then to user space? This is something that Conan should kind of enforce in the plugin? Or do we still envision other possible signing approaches that do not sign this file?

@czoido
Copy link
Contributor

czoido commented Nov 13, 2025
edited
Loading

@danimtb what about something like this for the output? I think it may be more readable?
In the first one I also added the # for the rrev and the : for the package id but I think that they are not adding much? The others don't have that notation.

$ conan cache sign *

Found 3 pkg/version recipes matching * in local cache

[Package signing] Signing packages in local cache...

lib1ok/0.1
  #a5e2af5522a1edcab963447eec649700
  recipe: OK
  packages
    :da39a3ee5e6b4b0d3255bfef95601890: OK

lib2fail/0.1
  #70a185be5a95af3dde25b74ae800b2f2
  recipe: WARN (already signed by another provider)
  packages
    :da39a3ee5e6b4b0d3255bfef95601890: WARN (already signed by another provider)

lib3fail/0.1
  #09ccc766ddd11c96aa78307b3f166fd6
  recipe: FAIL (sign failed)
  packages
    :da39a3ee5e6b4b0d3255bfef95601890: FAIL (sign failed)

[Package signing] Summary: OK=3, WARN=2, FAILED=2


$ conan cache verify *

Found 3 pkg/version recipes matching * in local cache

[Package signing] Verifying signatures in local cache...

lib1ok/0.1
  a5e2af5522a1edcab963447eec649700
  recipe: OK
  packages
    da39a3ee5e6b4b0d3255bfef95601890: OK

lib2fail/0.1
  70a185be5a95af3dde25b74ae800b2f2
  recipe: FAIL (wrong provider)
  packages
    da39a3ee5e6b4b0d3255bfef95601890: FAIL (wrong provider)
    da39agfffg34234ff22424f4490fef95: OK
    4b0d3255bfef9560189da39a3ee5e6b0: FAIL (wrong provider)

lib3fail/0.1
  09ccc766ddd11c96aa78307b3f166fd6
  recipe: FAIL (Package is not signed)
  packages
    da39a3ee5e6b4b0d3255bfef95601890: FAIL (Package is not signed)

[Package signing] Summary: OK=3, WARN=0, FAILED=5

$ conan upload * -c -r default

Found 3 pkg/version recipes matching * in local cache

======== Uploading to remote default ========

-------- Checking server for existing packages --------
lib1ok/0.1: Checking which revisions exist in the remote server
lib2fail/0.1: Checking which revisions exist in the remote server
lib3fail/0.1: Checking which revisions exist in the remote server

-------- Preparing artifacts for upload --------
lib1ok/0.1:da39a3ee5e6b4b0d3255bfef95601890: Compressing conan_package.tgz
lib2fail/0.1:da39a3ee5e6b4b0d3255bfef95601890: Compressing conan_package.tgz
lib3fail/0.1:da39a3ee5e6b4b0d3255bfef95601890: Compressing conan_package.tgz

[Package signing] Signing packages before upload...

lib1ok/0.1
  a5e2af5522a1edcab963447eec649700
  recipe: OK (already signed by the same provider)
  packages
    da39a3ee5e6b4b0d3255bfef95601890: OK (already signed by the same provider)

lib2fail/0.1
  70a185be5a95af3dde25b74ae800b2f2
  recipe: WARN (already signed by another provider)
  packages
    da39a3ee5e6b4b0d3255bfef95601890: WARN (already signed by another provider)

lib3fail/0.1
  09ccc766ddd11c96aa78307b3f166fd6
  recipe: FAIL (sign failed)
  packages
    da39a3ee5e6b4b0d3255bfef95601890: FAIL (sign failed)

[Package signing] Summary: OK=3, WARN=2, FAILED=2

ERROR: Upload aborted: package signing failed
  lib3fail/0.1#09ccc766ddd11c96aa78307b3f166fd6
    reason: sign failed

czoido
czoido reviewed Nov 13, 2025
View reviewed changes
czoido
czoido reviewed Nov 18, 2025
View reviewed changes
czoido
czoido reviewed Nov 18, 2025
View reviewed changes
czoido
czoido reviewed Nov 18, 2025
View reviewed changes
czoido
czoido reviewed Nov 18, 2025
View reviewed changes
danimtb and others added 18 commits November 19, 2025 15:30
@danimtb
add fixme
d23091e
@danimtb
Merge branch 'develop2' of github.com:conan-io/conan into feature/imp…
bc159a4 
…rove_pkg-sign
@danimtb
manage error output
4c584b7
@danimtb
save pkg sign to deps graph node
e0aacce
@danimtb
cache sign preparator and install output
7ae2c58
@danimtb
install output fix
d7478ea
@danimtb
fix output
5da4d71
@danimtb
fix
207bdc9
@danimtb
fixes
aa0a89e
@danimtb
fix
4c9b4b4
@danimtb
more
bd4954a
@danimtb @czoido
Update conan/tools/pkg_signing/plugin.py
cc20934 
Co-authored-by: Carlos Zoido <mrgalleta@gmail.com>
@danimtb @czoido
Update conan/tools/pkg_signing/plugin.py
c78b2e4 
Co-authored-by: Carlos Zoido <mrgalleta@gmail.com>
@danimtb @czoido
Update conan/cli/commands/cache.py
2748356 
Co-authored-by: Carlos Zoido <mrgalleta@gmail.com>
@danimtb @czoido
Update conan/tools/pkg_signing/plugin.py
8594b93 
Co-authored-by: Carlos Zoido <mrgalleta@gmail.com>
@danimtb
remove tool
0289f5e
@danimtb
remove from tests
5b64682
@danimtb
Merge branch 'feature/improve_pkg-sign' of github.com:danimtb/conan i…
fe427b6 
…nto feature/improve_pkg-sign
@danimtb danimtb mentioned this pull request Nov 21, 2025
Draft
@danimtb danimtb marked this pull request as draft November 25, 2025 10:43
@danimtb danimtb self-assigned this Nov 25, 2025
@danimtb
Copy link
Member Author

danimtb commented Dec 3, 2025

Superseded by #19345

@danimtb danimtb closed this Dec 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@czoido czoido czoido left review comments

@AbrilRBS AbrilRBS AbrilRBS left review comments

@memsharded memsharded memsharded left review comments

Assignees

@danimtb danimtb

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@danimtb @czoido @AbrilRBS @memsharded