Skip to content

Support detached signature verification for tars and zips#16574

Merged
ellahathaway merged 7 commits intodotnet:mainfrom
ellahathaway:signcheck-detached-signature
Apr 17, 2026
Merged

Support detached signature verification for tars and zips#16574
ellahathaway merged 7 commits intodotnet:mainfrom
ellahathaway:signcheck-detached-signature

Conversation

@ellahathaway
Copy link
Copy Markdown
Member

@ellahathaway ellahathaway commented Mar 9, 2026
edited
Loading

Closes #16249

Adds support for detecting and verifying tars and zips with detached signatures.

@ellahathaway ellahathaway requested a review from mmitche March 9, 2026 18:07
@ellahathaway ellahathaway mentioned this pull request Mar 9, 2026
Draft
@ellahathaway ellahathaway force-pushed the signcheck-detached-signature branch from 7f43a23 to 2b6ca9c Compare March 17, 2026 23:37
@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Mar 18, 2026

@mmitche - friendly ping for a review whenever you get a chance :) I'd like to get this in and flowed to the VMR by 10.0 code complete. Thanks!

mmitche
mmitche reviewed Mar 19, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs Outdated
mmitche
mmitche reviewed Mar 19, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs Outdated
@ellahathaway
Rename supportsDetachedSignature to signatureIsDetached in SignCheck …
3b99430 
…verifiers

The parameter name 'supportsDetachedSignature' implied capability support,
but it actually controls whether verifiers look for a detached signature
(.sig file) instead of a non-detached signature. Rename to
'signatureIsDetached' to better reflect the semantics.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ellahathaway ellahathaway requested a review from mmitche March 19, 2026 16:54
mmitche
mmitche previously approved these changes Mar 26, 2026
View reviewed changes
@nagilson
Copy link
Copy Markdown
Member

nagilson commented Apr 15, 2026

Should this be merged?

@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Apr 15, 2026
edited
Loading

Should this be merged?

I would like to test this on rpms and debs first. I have it on my list to get it merged in before 10.0 code complete this month.

Side note that dotnet/dotnet#5835 would help immensely with the timing issue of merging changes like this (not having to get these changes in before code complete deadline, waiting for release day for a reboostrap, etc).

@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Apr 16, 2026

Should this be merged?

I would like to test this on rpms and debs first. I have it on my list to get it merged in before 10.0 code complete this month.

rpms and debs were being skipped by default due to my changes. Fixed in 394ddef. This PR is ready to be merged once it gets approved.

@ellahathaway ellahathaway enabled auto-merge (squash) April 16, 2026 21:13
@ellahathaway ellahathaway requested a review from mmitche April 16, 2026 23:15
MichaelSimons
MichaelSimons reviewed Apr 17, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs Outdated
MichaelSimons
MichaelSimons reviewed Apr 17, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs Outdated
@ellahathaway @MichaelSimons
Update src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs
c2c7241 
Co-authored-by: Michael Simons <msimons@microsoft.com>
@lbussell lbussell self-requested a review April 17, 2026 16:54
@ellahathaway
Refactor PgpVerifier: remove detached signature state from base class
7ca3317 
Move detached signature concept out of PgpVerifier and into the
subclasses that use it (TarVerifier, ZipVerifier). Make
GetSignatureDocumentAndSignableContent abstract again, and provide
reusable helpers (VerifyDetachedSignature, GetDetachedSignatureDocument
AndSignableContent) for subclasses with detached signatures.
lbussell
lbussell reviewed Apr 17, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Utils.cs
@ellahathaway ellahathaway mentioned this pull request Apr 17, 2026
Open
@ellahathaway ellahathaway disabled auto-merge April 17, 2026 17:19
@ellahathaway ellahathaway merged commit 37c766f into dotnet:main Apr 17, 2026
9 checks passed
@ellahathaway ellahathaway deleted the signcheck-detached-signature branch April 17, 2026 20:31
@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Apr 21, 2026

/backport to release/10.0

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 21, 2026

Started backporting to release/10.0 (link to workflow run)

@github-actions github-actions Bot mentioned this pull request Apr 21, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lbussell lbussell lbussell left review comments

@MichaelSimons MichaelSimons MichaelSimons approved these changes

@mmitche mmitche Awaiting requested review from mmitche

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SignCheck should validate detached signatures

5 participants

@ellahathaway @nagilson @MichaelSimons @mmitche @lbussell