conan-io / conan-extensions

Some extra Conan commands for different purposes, like artifactory tasks, conan-center-index, etc
MIT License

[question] Future of package signing extension #164

Open r-slabs opened 11 months ago

r-slabs commented 11 months ago

Future of package signing extension

We at Silicon Labs (https://www.silabs.com/) are exploring the possibility of using Conan as a package manager in our software stack. I'm trying to understand more about the package signing feature (https://docs.conan.io/2.0/reference/extensions/package_signing.html#package-signing) and was hoping you could provide some clarification.

Is the package signing extension expected to be part of the stable Conan version in the future? If so, is there any estimated timeline for this inclusion? Are there any major changes expected in Conan's package signing features that we should be aware of?

@RubenRBS @memsharded


memsharded commented 11 months ago

Hi @r-slabs

Thanks for your question

Is the package signing extension expected to be part of the stable Conan version in the future? If so, is there any estimated timeline for this inclusion?

Conan 2.0 provides a built-in signing plugin infrastructure, designed to be able to use different signing methods. The idea is that there are many different needs, providers, etc., so having a single signing method as built-in will not work. The intention is to keep the signing extensions as that, extensions.

We already have a basic extension doing package signing with sigstore, and it seems good. We haven't published it yet, because we have had other higher priorities, especially around migrating packages in ConanCenter to 2.0, helping users upgrade, and releasing other highly demanded features (metadata, backup-sources, package-lists, package save/restore, etc.), while package signing hasn't had that high a demand so far.

Are there any major changes expected in Conan's package signing features that we should be aware of?

This is a bit difficult to know. At the moment there aren't any changes expected, but it is true that this is a chicken-and-egg problem: the feature hasn't been massively used yet, so we don't know whether it could have some serious limitations that would require breaking changes.

This might change the moment we start making more noise about it, publish the sigstore extension, etc.

What are your plans and needs for package signing? Do you intend to use sigstore? We are certainly looking forward to hearing feedback from users like you.

memsharded commented 1 month ago

This hasn't been a priority yet, but it is definitely possible to use the plugin system to implement it on the user side; it shouldn't be very difficult.

In any case, this would belong to the conan-extensions repo, moving this ticket there.
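As an added illustration of the user-side plugin approach mentioned in the two replies above (this is not code from the conan-extensions repo or from the Conan maintainers), the following is a minimal `sign.py` in the shape of a Conan 2 package-signing plugin. It assumes the interface documented for `<CONAN_HOME>/extensions/plugins/sign/sign.py`, namely `sign(ref, artifacts_folder, signature_folder, **kwargs)` and `verify(ref, artifacts_folder, signature_folder, files, **kwargs)`, and that `verify` signals failure by raising. Instead of sigstore, it uses a keyed HMAC-SHA256 over a JSON manifest of file digests purely so it runs offline with the standard library; a real deployment would swap `_mac` for a proper signature scheme and load the key from a secret store. `demo()` exercises sign, verify and tamper detection on a constructed temporary package.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key so the example runs offline. A real plugin would load
# signing material from a secret store or use an external signer (e.g. sigstore).
DEMO_KEY = os.environ.get("CONAN_SIGN_DEMO_KEY", "demo-key-not-for-production").encode()
MANIFEST_NAME = "manifest.json"
SIG_NAME = "manifest.sig"


def _relative_files(folder, files=None):
    """Return sorted relative paths: every file under folder, or only the given ones."""
    if files is None:
        files = []
        for root, _dirs, names in os.walk(folder):
            for name in names:
                files.append(os.path.relpath(os.path.join(root, name), folder))
    return sorted(
        (os.path.relpath(f, folder) if os.path.isabs(f) else f).replace(os.sep, "/")
        for f in files
    )


def _file_digests(folder, files=None):
    """Map relative path -> sha256 hex digest, streaming each file in chunks."""
    digests = {}
    for rel in _relative_files(folder, files):
        h = hashlib.sha256()
        with open(os.path.join(folder, rel), "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[rel] = h.hexdigest()
    return digests


def _mac(manifest_bytes):
    """Placeholder for a real signature: keyed HMAC over the manifest bytes."""
    return hmac.new(DEMO_KEY, manifest_bytes, hashlib.sha256).hexdigest()


def sign(ref, artifacts_folder, signature_folder, **kwargs):
    """Plugin entry point (assumed Conan 2 signature): write manifest + MAC."""
    digests = _file_digests(artifacts_folder)
    manifest = json.dumps({"ref": str(ref), "files": digests}, sort_keys=True).encode()
    os.makedirs(signature_folder, exist_ok=True)
    with open(os.path.join(signature_folder, MANIFEST_NAME), "wb") as fh:
        fh.write(manifest)
    with open(os.path.join(signature_folder, SIG_NAME), "w") as fh:
        fh.write(_mac(manifest))
    return digests


def verify(ref, artifacts_folder, signature_folder, files, **kwargs):
    """Plugin entry point (assumed Conan 2 signature): raise on any mismatch."""
    with open(os.path.join(signature_folder, MANIFEST_NAME), "rb") as fh:
        manifest = fh.read()
    with open(os.path.join(signature_folder, SIG_NAME)) as fh:
        expected_mac = fh.read().strip()
    # Check the MAC first: an attacker who edits the manifest must also forge this.
    if not hmac.compare_digest(_mac(manifest), expected_mac):
        raise RuntimeError("manifest signature check failed for %s" % ref)
    data = json.loads(manifest)
    if data["ref"] != str(ref):
        raise RuntimeError("manifest belongs to %s, not %s" % (data["ref"], ref))
    actual = _file_digests(artifacts_folder, files)
    for rel, digest in actual.items():
        signed = data["files"].get(rel)
        if signed is None:
            raise RuntimeError("file %s is not covered by the signed manifest" % rel)
        if not hmac.compare_digest(digest, signed):
            raise RuntimeError("digest mismatch for %s" % rel)
    return True


def demo():
    """Sign a constructed package, verify it, then tamper and confirm detection."""
    base = tempfile.mkdtemp()
    artifacts = os.path.join(base, "artifacts")
    signatures = os.path.join(base, "signatures")
    os.makedirs(artifacts)
    recipe = os.path.join(artifacts, "conanfile.py")
    with open(recipe, "w") as fh:
        fh.write("# constructed sample recipe\n")
    digests = sign("pkg/1.0", artifacts, signatures)
    verified = verify("pkg/1.0", artifacts, signatures, ["conanfile.py"])
    with open(recipe, "a") as fh:
        fh.write("# tampered after signing\n")
    try:
        verify("pkg/1.0", artifacts, signatures, ["conanfile.py"])
        tamper_detected = False
    except RuntimeError:
        tamper_detected = True
    return "conanfile.py" in digests, verified, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real plugin: hash every artifact into one manifest and sign that once, rather than signing files individually, so a file cannot be silently dropped from or added to the package; and check the signature before trusting anything the manifest says, using constant-time comparison for both the signature and the digests.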