elastic · mtojek · Oct 25, 2021 · Oct 21, 2021 · Oct 21, 2021 · Oct 21, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 * Update APM Go Agent to 1.14.0. [#759](https://github.com/elastic/package-registry/pull/759)
 * Update Gorilla to 1.8.0 [#759](https://github.com/elastic/package-registry/pull/759)
+* Support package signatures [#760](https://github.com/elastic/package-registry/pull/760)
 
 ### Deprecated
 

diff --git a/packages/package.go b/packages/package.go
@@ -89,6 +89,7 @@ type BasePackage struct {
 	Conditions          *Conditions          `config:"conditions,omitempty" json:"conditions,omitempty" yaml:"conditions,omitempty"`
 	Owner               *Owner               `config:"owner,omitempty" json:"owner,omitempty" yaml:"owner,omitempty"`
 	Categories          []string             `config:"categories,omitempty" json:"categories,omitempty" yaml:"categories,omitempty"`
+	Signature           string               `config:"signature,omitempty" json:"signature,omitempty" yaml:"signature,omitempty"`
 }
 
 // BasePolicyTemplate is used for the package policy templates in the /search endpoint
@@ -313,6 +314,12 @@ func NewPackage(basePath string, fsBuilder FileSystemBuilder) (*Package, error)
 	if err != nil {
 		return nil, errors.Wrapf(err, "loading package data streams failed (path '%s')", p.BasePath)
 	}
+
+	// Read package signature
+	p.Signature, err = readSignature(basePath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "can't read package signature (package path '%s')", p.BasePath)
+	}
 	return p, nil
 }
 

diff --git a/packages/signature.go b/packages/signature.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package packages
+
+import (
+	"os"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+func readSignature(basePath string) (string, error) {
+	signatureFile := basePath + ".sig"
+	signature, err := os.ReadFile(signatureFile)
+	if errors.Is(err, os.ErrNotExist) {
+		return "", nil // signature file isn't present
+	} else if err != nil {
+		return "", errors.Wrap(err, "can't read signature file")
+	}
+	return strings.TrimSpace(string(signature)), nil
+}
diff --git a/testdata/generated/package-zip.json b/testdata/generated/package-zip.json
@@ -19,6 +19,7 @@
     "crm",
     "azure"
   ],
+  "signature": "e16ddaf4f91df524b27bf4f2e4b1ac09",
-  "signature": "e16ddaf4f91df524b27bf4f2e4b1ac09",
+  "signature": "/epr/example/example-1.0.1.zip.sig",
-  "signature": "e16ddaf4f91df524b27bf4f2e4b1ac09",
+  "signature": "/epr/example/example-1.0.1.zip.sig",
   "format_version": "1.0.0",
   "readme": "/package/example/1.0.1/docs/README.md",
   "license": "basic",

diff --git a/testdata/local-storage/example-1.0.1.zip.sig b/testdata/local-storage/example-1.0.1.zip.sig
@@ -0,0 +1 @@
+e16ddaf4f91df524b27bf4f2e4b1ac09
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		e16ddaf4f91df524b27bf4f2e4b1ac09
Copy link Member jsoriano Oct 25, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Is this the final format of the signature? What kind of hash is this one? Copy link Contributor Author mtojek Oct 25, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. md5(elastic) It's just a mock as the EPR doesn't enforce any hash form, it will depend on the internal logic on the CI side, unless we want to document and define it also here. Copy link Member jsoriano Oct 25, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Yep, no need to enter into details here, but I am wondering about the more convenient form to distribute different signatures (also related to my other question about providing a download path). For example gpg signatures are quite longer and usually distributed as files. Would we still want to include them in the package index? Copy link Contributor Author mtojek Oct 25, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. I think this is a similar problem we had with `template` vs `template_path` in data stream's manifest and we ended up with `template_path` as these files are long. Definitely a `signature_path` would be more human readable than JSON index with signature blobs. I will adjust the implementation then. Copy link Contributor Author mtojek Oct 25, 2021 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Fixed, used `signature_path`.