Skip to content

Support detached signature verification for tars and zips#16574

Open
ellahathaway wants to merge 4 commits intodotnet:mainfrom
ellahathaway:signcheck-detached-signature
Open

Support detached signature verification for tars and zips#16574
ellahathaway wants to merge 4 commits intodotnet:mainfrom
ellahathaway:signcheck-detached-signature

Conversation

@ellahathaway
Copy link
Copy Markdown
Member

@ellahathaway ellahathaway commented Mar 9, 2026
edited
Loading

Closes #16249

Adds support for detecting and verifying tars and zips with detached signatures.

@ellahathaway ellahathaway requested a review from mmitche March 9, 2026 18:07
@ellahathaway ellahathaway mentioned this pull request Mar 9, 2026
Draft
@ellahathaway ellahathaway force-pushed the signcheck-detached-signature branch from 7f43a23 to 2b6ca9c Compare March 17, 2026 23:37
@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Mar 18, 2026

@mmitche - friendly ping for a review whenever you get a chance :) I'd like to get this in and flowed to the VMR by 10.0 code complete. Thanks!

mmitche
mmitche reviewed Mar 19, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs
mmitche
mmitche reviewed Mar 19, 2026
View reviewed changes
Comment thread src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs Outdated
@ellahathaway
Rename supportsDetachedSignature to signatureIsDetached in SignCheck …
3b99430 
…verifiers

The parameter name 'supportsDetachedSignature' implied capability support,
but it actually controls whether verifiers look for a detached signature
(.sig file) instead of a non-detached signature. Rename to
'signatureIsDetached' to better reflect the semantics.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ellahathaway ellahathaway requested a review from mmitche March 19, 2026 16:54
mmitche
mmitche previously approved these changes Mar 26, 2026
View reviewed changes
@nagilson
Copy link
Copy Markdown
Member

nagilson commented Apr 15, 2026

Should this be merged?

@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Apr 15, 2026
edited
Loading

Should this be merged?

I would like to test this on rpms and debs first. I have it on my list to get it merged in before 10.0 code complete this month.

Side note that dotnet/dotnet#5835 would help immensely with the timing issue of merging changes like this (not having to get these changes in before code complete deadline, waiting for release day for a reboostrap, etc).

@ellahathaway
Copy link
Copy Markdown
Member Author

ellahathaway commented Apr 16, 2026

Should this be merged?

I would like to test this on rpms and debs first. I have it on my list to get it merged in before 10.0 code complete this month.

rpms and debs were being skipped by default due to my changes. Fixed in 394ddef. This PR is ready to be merged once it gets approved.

@ellahathaway ellahathaway enabled auto-merge (squash) April 16, 2026 21:13
@ellahathaway ellahathaway requested a review from mmitche April 16, 2026 23:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmitche mmitche Awaiting requested review from mmitche

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SignCheck should validate detached signatures

3 participants

@ellahathaway @nagilson @mmitche