Package Collection Signing

This is an interesting proposal, @yim_lee. A few questions that I had after reading it:

  • If all connections enforce TLS and package collections are consumed directly by Swift Package Manager, what protections do signatures provide? Is the goal to provide an additional layer of protection for data at rest?

  • How does this feature relate to Apple's Certificate Transparency policy? Would Swift Package Manager reject certificates that fail to meet the requirements of that policy?

  • If the signature is appended to the package collection payload, how exactly are the contents of that payload validated? I ask this because I suspect that things like insignificant whitespace and key reordering may be problematic for verification. Should signatures be based on JSON Canonical Form?
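The third question above, whether a signature computed over the payload bytes survives insignificant whitespace changes and key reordering, can be checked directly. The following Python is an added example, not code from the original post or from Swift Package Manager: it signs a small collection-like document twice, once over the bytes as the signer happened to serialize them and once over a canonical form (sorted keys, no insignificant whitespace, in the spirit of the RFC 8785 JSON Canonicalization Scheme), then runs both verifiers against a copy that a relay has pretty-printed and reordered. The document fields, the `signature` field name and the key are constructed for the demo, and HMAC-SHA256 stands in for the certificate-backed public-key signature the proposal would actually use.

```python
import hashlib
import hmac
import json

# Constructed sample document. The field names only loosely resemble a package
# collection and are not the real SwiftPM schema.
COLLECTION = {
    "name": "Example collection",
    "packages": [{"url": "https://example.invalid/pkg.git", "versions": ["1.0.0"]}],
    "formatVersion": "1.0",
}

# Constructed symmetric key: HMAC stands in for the public-key signature so the
# example runs with the standard library only.
KEY = b"constructed-demo-key"
SIGNATURE_FIELD = "signature"  # assumed name for the appended signature field


def canonicalize(obj) -> bytes:
    """Canonical serialization: sorted keys, no whitespace, UTF-8.
    This covers the value types used here; full RFC 8785 additionally pins
    number formatting and string escaping, which json.dumps does not."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def naive_serialize(obj) -> bytes:
    """Signer's own serialization: insertion-ordered keys, default spacing.
    Any party that re-serializes the document differently breaks this."""
    return json.dumps(obj).encode("utf-8")


def compute_tag(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def sign_collection(collection: dict, serializer) -> str:
    """Return JSON text with the signature appended as a top-level field.
    The signature covers every field except the signature field itself."""
    body = {k: v for k, v in collection.items() if k != SIGNATURE_FIELD}
    signed = dict(body)
    signed[SIGNATURE_FIELD] = compute_tag(serializer(body))
    return json.dumps(signed)


def verify(text: str, serializer) -> bool:
    """Parse, strip the signature field, re-serialize with the given
    serializer and compare tags in constant time."""
    doc = json.loads(text)
    sig = doc.pop(SIGNATURE_FIELD, None)
    if not isinstance(sig, str):
        return False
    return hmac.compare_digest(sig, compute_tag(serializer(doc)))


def reorder_and_pretty_print(text: str) -> str:
    """Simulate a relay that parses the document and re-emits it with the
    top-level keys in reverse order and indentation, meaning unchanged."""
    doc = json.loads(text)
    return json.dumps({k: doc[k] for k in reversed(list(doc))}, indent=2)


def tamper(text: str) -> str:
    """Simulate a real modification: add a version that was never signed."""
    doc = json.loads(text)
    doc["packages"][0]["versions"].append("9.9.9")
    return json.dumps(doc)


SIGNED_NAIVE = sign_collection(COLLECTION, naive_serialize)
SIGNED_CANONICAL = sign_collection(COLLECTION, canonicalize)


def demo() -> dict:
    """Outcomes for both schemes against the original, a relayed copy and a
    tampered copy."""
    return {
        "naive_original": verify(SIGNED_NAIVE, naive_serialize),
        "naive_relayed": verify(reorder_and_pretty_print(SIGNED_NAIVE), naive_serialize),
        "canonical_original": verify(SIGNED_CANONICAL, canonicalize),
        "canonical_relayed": verify(reorder_and_pretty_print(SIGNED_CANONICAL), canonicalize),
        "canonical_tampered": verify(tamper(SIGNED_CANONICAL), canonicalize),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

The naive scheme rejects the relayed copy even though nothing meaningful changed, while the canonical scheme accepts it and still rejects the genuinely tampered copy. The remaining caveat is the one noted in `canonicalize`: a verifier that relies on sorted keys and stripped whitespace alone is still exposed to differences in number and string escaping between serializers, which is what a full canonicalization scheme pins down.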