Copilot AI commented Feb 2, 2026

Enables SignCheck to validate detached PGP signatures generated by SignTool (added in #16035). A detached signature file must follow the naming convention: foo.tar.gz.sig verifies foo.tar.gz.

Changes

New SigVerifier

  • Validates .sig files by locating the corresponding signed file (removes .sig extension)
  • Returns clear errors when signed file is missing
  • Linux/.NET Core only (returns UnsupportedFileTypeResult on .NET Framework)

Extracted PgpVerificationHelper

  • Centralizes GPG verification logic previously duplicated in LinuxPackageVerifier
  • Escapes shell arguments to prevent command injection
  • Handles timestamp extraction from signature metadata

Refactored LinuxPackageVerifier

  • Delegates to PgpVerificationHelper for signature verification
  • Maintains compatibility with RpmVerifier and DebVerifier

Registration

  • Added .sig verifier to SignatureVerificationManager for non-NETFRAMEWORK builds

Security

  • All file paths and key IDs are escaped before shell execution using single-quote wrapping
  • Directory operations include proper error handling for IO/permission failures
  • Cleanup failures are logged but don't fail verification

To double check:

Original prompt

This section details the original issue you should resolve

<issue_title>SignCheck should validate detached signatures</issue_title>
<issue_description>Support for signing tars and zips with detached signatures was added into SignTool: #16035. We should add verification for these detached signatures in SignCheck. SignCheck would need a way to accept additional signature info for these signed artifacts (signature file, public key)</issue_description>

<agent_instructions>Allow SignCheck to validate detached PGP signatures by introducing first-class support for .sig assets.

  • Add a new file verifier type for .sig files.
  • Refactor the existing Linux package verification into a generic PGP verifier base (since detached signatures should be PGP-verified), and have the new .sig verifier inherit from / reuse that PGP verification implementation.
  • A detached signature must always have the same name as the signed file, with an added .sig extension (e.g., foo.tar.gz → foo.tar.gz.sig).</agent_instructions>

Comments on the Issue (you are @copilot in this section)
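
The naming rule and the single-quote escaping described in the summary above, shown as an added C# example that is not code from this pull request. The class and method names are hypothetical, and the `gpg --verify` command line is an assumption about how the verifier invokes GPG.

```csharp
using System;
using System.IO;

// Added example: the names below are hypothetical, not SignCheck's own types.
static class DetachedSigExample
{
    // foo.tar.gz.sig -> foo.tar.gz; anything without a .sig suffix is rejected.
    public static string GetSignedFilePath(string sigPath)
    {
        if (!sigPath.EndsWith(".sig", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Not a .sig file.", nameof(sigPath));
        string signed = sigPath.Substring(0, sigPath.Length - ".sig".Length);
        if (Path.GetFileName(signed).Length == 0)
            throw new ArgumentException("No file name left after removing .sig.", nameof(sigPath));
        return signed;
    }

    // POSIX single-quote wrapping: nothing is special inside '...' except ' itself,
    // so each embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
    public static string EscapeShellArg(string value)
    {
        if (value.IndexOf('\0') >= 0)
            throw new ArgumentException("NUL cannot appear in a shell argument.", nameof(value));
        return "'" + value.Replace("'", "'\\''") + "'";
    }

    // Assumed command line: gpg --verify <signature> <signed file>.
    // "--" ends option parsing so a name starting with '-' is not read as a flag.
    public static string BuildVerifyCommand(string sigPath)
    {
        string signed = GetSignedFilePath(sigPath);
        if (!File.Exists(signed))
            throw new FileNotFoundException("Signed file for the signature is missing.", signed);
        return "gpg --verify -- " + EscapeShellArg(sigPath) + " " + EscapeShellArg(signed);
    }

    static void Main()
    {
        // Constructed sample: a file name that carries shell metacharacters.
        string dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "sigdemo")).FullName;
        string signed = Path.Combine(dir, "foo'; echo injected #.tar.gz");
        File.WriteAllText(signed, "payload");
        // Each path stays inside one quoted word, so the shell never parses "; echo injected".
        Console.WriteLine(BuildVerifyCommand(signed + ".sig"));
    }
}
```

Where the process can be started without a shell, passing each path through `ProcessStartInfo.ArgumentList` removes the need for quoting altogether.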


Copilot AI and others added 5 commits February 2, 2026 19:06
Co-authored-by: ellahathaway <67609881+ellahathaway@users.noreply.github.com>
…andling

Copilot AI changed the title from "[WIP] Add validation for detached signatures in SignCheck" to "Add detached PGP signature verification for .sig files" Feb 2, 2026
Copilot AI requested a review from ellahathaway February 2, 2026 19:17
ellahathaway left a comment

@copilot - Instead of creating a helper class, please rename LinuxPackageVerifier to PgpVerifier, and update all references accordingly. Then have SigVerifier inherit from PgpVerifier.

Development

Successfully merging this pull request may close these issues.

SignCheck should validate detached signatures