[question] Future of package signing extension #164

r-slabs opened this issue Dec 6, 2023 · 2 comments

r-slabs commented Dec 6, 2023

Future of package signing extension

We at Silicon Labs (https://www.silabs.com/) are exploring the possibility of using Conan as a package manager in our software stack. I'm trying to understand more about the package signing feature (https://docs.conan.io/2.0/reference/extensions/package_signing.html#package-signing) and was hoping you could provide some clarification.

Is the package signing extension expected to be part of the stable Conan version in the future? If so, is there any estimated timeline for this inclusion?
Are there any major changes expected in Conan's package signing features that we should be aware of?

@RubenRBS @memsharded

Have you read the CONTRIBUTING guide?

  • I've read the CONTRIBUTING guide
@memsharded memsharded self-assigned this Dec 6, 2023
memsharded (Member) commented

Hi @r-slabs

Thanks for your question

> Is the package signing extension expected to be part of the stable Conan version in the future? If so, is there any estimated timeline for this inclusion?

Conan 2.0 provides as built-in a signing plugin infrastructure, designed to be able to use different signing methods.
The idea is that there are many different needs, providers, etc, so having a single signing method as built-in will not work. The intention is to keep the signing extensions as that, extensions.

We already have a basic extension doing package signing with sigstore, and it seems good. We haven't published it yet, because we have had other higher priorities, especially around migrating packages in ConanCenter to 2.0, helping users upgrade, and releasing other very demanded features (metadata, backup-sources, package-lists, package save/restore, etc.), while the package signing didn't have that high demand so far.

> Are there any major changes expected in Conan's package signing features that we should be aware of?

This is a bit difficult to know, at the moment there aren't any changes expected, but it is true that this is a chicken and egg problem, the feature hasn't been massively used yet, to know if it could have some serious limitations that would require breaking changes.

This might change the moment we start making more noise about it, publish the sigstore extension, etc.

What are your plans and needs for package signing? Do you intend to use sigstore? We are certainly looking forward to hearing feedback from users like you.

memsharded (Member) commented

This hasn't been a priority yet, but it is definitely possible to use the plugin system to implement it on the user side, shouldn't be very difficult.

In any case, this would belong to the conan-extensions repo, moving this ticket there.

@memsharded memsharded transferred this issue from conan-io/conan Oct 17, 2024
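
An illustration of the user-side approach mentioned in the last comment, added here and not code from Conan, its maintainers, or anyone in this thread: a sketch of a `sign.py` plugin exposing the `sign` and `verify` hooks described on the package signing docs page linked in the issue. HMAC-SHA256 with a shared key stands in for a real signing method such as sigstore; the environment variable `CONAN_SIGN_DEMO_KEY`, the file name `manifest.json` and the helper names are assumptions.

```python
# Added sketch of a Conan 2 signing plugin (sign.py); not Conan's own code.
# HMAC-SHA256 with a shared key is a stand-in for a real signature scheme.
import hashlib
import hmac
import json
import os

KEY_ENV = "CONAN_SIGN_DEMO_KEY"  # hypothetical variable holding the shared key
SIG_FILE = "manifest.json"       # hypothetical name of the signed manifest


def load_key():
    key = os.environ.get(KEY_ENV)
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set; refusing to sign or verify")
    return key.encode()


def hash_files(folder):
    """Map each regular file in folder to its SHA-256 hex digest."""
    digests = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def mac(ref, digests):
    # The package reference is part of the MAC input, so a manifest copied
    # from one package does not verify for another.
    payload = json.dumps({"ref": str(ref), "files": digests}, sort_keys=True)
    return hmac.new(load_key(), payload.encode(), hashlib.sha256).hexdigest()


def sign(ref, artifacts_folder, signature_folder, **kwargs):
    digests = hash_files(artifacts_folder)
    doc = {"files": digests, "mac": mac(ref, digests)}
    with open(os.path.join(signature_folder, SIG_FILE), "w") as fh:
        json.dump(doc, fh)


def verify(ref, artifacts_folder, signature_folder, files, **kwargs):
    # Raises on any mismatch; `files` is unused because the folder is re-hashed.
    with open(os.path.join(signature_folder, SIG_FILE)) as fh:
        doc = json.load(fh)
    if not hmac.compare_digest(doc["mac"], mac(ref, doc["files"])):
        raise ValueError(f"{ref}: manifest MAC mismatch")
    if hash_files(artifacts_folder) != doc["files"]:
        raise ValueError(f"{ref}: artifacts differ from signed manifest")
```

Comparing the whole digest map, rather than only the listed files, also rejects files added to or removed from the package after signing.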