From be3105c033de41bb024802dbbd2bc841317fce34 Mon Sep 17 00:00:00 2001 From: danimtb Date: Tue, 17 Feb 2026 12:34:53 +0100 Subject: [PATCH 01/13] Add docs for package signing openssl example --- examples/extensions.rst | 1 + .../package_signing/package_signing.rst | 12 ++ .../package_signing_with_openssl.rst | 145 ++++++++++++++++++ 3 files changed, 158 insertions(+) create mode 100644 examples/extensions/package_signing/package_signing.rst create mode 100644 examples/extensions/package_signing/package_signing_with_openssl.rst diff --git a/examples/extensions.rst b/examples/extensions.rst index cb0dbb772c7e..756ba0bc20bf 100644 --- a/examples/extensions.rst +++ b/examples/extensions.rst @@ -14,3 +14,4 @@ Conan extensions examples extensions/commands/custom_commands extensions/deployers/builtin_deployers extensions/deployers/custom_deployers + extensions/package_signing/package_signing diff --git a/examples/extensions/package_signing/package_signing.rst b/examples/extensions/package_signing/package_signing.rst new file mode 100644 index 000000000000..dd0c45c8ac79 --- /dev/null +++ b/examples/extensions/package_signing/package_signing.rst @@ -0,0 +1,12 @@ +.. _examples_extensions_package_signing: + + +Package Signing Plugin +====================== + + +.. toctree:: + :maxdepth: 2 + + + package_signing_with_openssl \ No newline at end of file diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst new file mode 100644 index 000000000000..5519d2bc7f79 --- /dev/null +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst 
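Review bot: `examples/extensions/package_signing/package_signing.rst` is added without a trailing newline (`\ No newline at end of file` right after the `package_signing_with_openssl` toctree entry); add the final newline so the file is terminated like the other docs sources and later diffs to this file stay clean.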
@@ -0,0 +1,145 @@ +.. _examples_extensions_package_signing_openssl: + +Signing packages with OpenSSL +============================= + +This is an example of a Package Signing Plugin implementation using the `OpensSSL digest tool `_. +You will need to have ``openssl`` installed and available on your path. + +.. include:: ../../../common/experimental_warning.inc + +This example is available in the examples2 repository: https://github.com/conan-io/examples2/tree/main/examples/extensions/plugins/openssl_sign + +Generating the signing keys ++++++++++++++++++++++++++++ + +In order to sign and verify the packages with the plugin, first we will need a public and private key. + +To generate the ques using the ``openssl`` executable, we can run: + +.. code-block:: bash + + $ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048 + +This will generate the private key to sign the packages with. + +Now, we can get the public key from it with this command: + +.. code-block:: bash + + $ openssl pkey -in private_key.pem -pubout -out public_key.pem + +This public key will be used by the plugin to verify the packages. + + +Configuring the plugin +++++++++++++++++++++++ + +.. caution:: + + This example stores a private key next to the plugin for simplicity. **Do not do this in production**. + Instead, load the signing key from environment variables or a secret manager, or delegate signing to a remote signing service. + **Always keep the private key out of the Conan cache and out of source control**. + +1. Copy the ``examples/extensions/plugins/openssl_sign/sign.py`` file to your Conan home at ``CONAN_HOME/extensions/plugins/sign/sign.py``. + +2. Now, place the private key ``private_key.pem`` and the public key ``public_key.pem`` inside a folder ``my-organization`` next to the ``sign.py`` + file (``CONAN_HOME/extensions/plugins/sign/my-organization/``). 
+ +The ``my-organization`` folder serves as the **provider** in this example, and it is used by the plugin to identify the organization that owns the keys. +This will be used later by the ``verify()`` function to **verify the package with the matching public key**. + +.. tip:: + + The Package Signing plugin is installed in the Conan configuration folder, so they can be easily distributed as part of the client + configuration using the :ref:`conan config install` command. + + +Signing packages +++++++++++++++++ + +Now that the plugin is configured, we can create a package and sign it afterwards: + +.. code-block:: bash + + $ conan new cmake_lib -d name=hello -d version=1.0 + $ conan create + +For signing the recipe and package, use the dedicated command: + +.. code-block:: bash + + $ conan cache sign hello/1.0 + + hello/1.0: Compressing conan_sources.tgz + hello/1.0:dee9f7f985eb1c20e3c41afaa8c35e2a34b5ae0b: Compressing conan_package.tgz + Running command: openssl dgst -sha256 -sign C:\Users\user\.conan2\extensions\plugins\sign\my-organization\private_key.pem -out C:\Users\user\.conan2\p\hello092ffa809a9a1\d\metadata\sign\pkgsign-manifest.json.sig C:\Users\user\.conan2\p\hello092ffa809a9a1\d\metadata\sign\pkgsign-manifest.json + Package signed for reference hello/1.0 + Running command: openssl dgst -sha256 -sign C:\Users\user\.conan2\extensions\plugins\sign\my-organization\private_key.pem -out C:\Users\user\.conan2\p\b\hello5b13c694fef4a\d\metadata\sign\pkgsign-manifest.json.sig C:\Users\user\.conan2\p\b\hello5b13c694fef4a\d\metadata\sign\pkgsign-manifest.json + Package signed for reference hello/1.0:dee9f7f985eb1c20e3c41afaa8c35e2a34b5ae0b + [Package sign] Results: + + hello/1.0 + revisions + 53321bba8793db6fea5ea1a98dd6f3d6 + packages + dee9f7f985eb1c20e3c41afaa8c35e2a34b5ae0b + revisions + 4b1eaf2e27996cb39cb3774f185fcd8e + + [Package sign] Summary: OK=2, FAILED=0 + +As you see, The command is executing the ``sign()`` function of the plugin that uses the 
``openssl`` executable to sign the recipe and the package with a command similar to: + +.. code-block:: bash + + $ openssl dgst -sha256 -sign private_key.pem -out pkgsign-manifest.json.sig pkgsign-manifest.json + +```` + +And it is also using the conan-generated ``pkgsign-manifest.json`` file to create the signature. +You can read more about this manifest file at :ref:`reference_extensions_package_signing`. + + +Verifying packages +++++++++++++++++++ + +For verifying the recipe and package, use the dedicated command: + +.. code-block:: bash + + $ conan cache verify hello/1.0 + + [Package sign] Checksum verified for file conan_sources.tgz (4ce077cbea9ce87a481b5d6dbb50bd791f4e37e931754cdeb40aeb017baed66c). + [Package sign] Checksum verified for file conanfile.py (0ec44c268f0f255ab59a246c3d13ae6dbd487dea7635b584236b701047f92ba0). + [Package sign] Checksum verified for file conanmanifest.txt (f7f00bb74ed8469a367ed02faded3c763130da9b63dae23916b2a4f099625b15). + Running command: openssl dgst -sha256 -verify C:\Users\user\.conan2\extensions\plugins\sign\my-organization\public_key.pem -signature C:\Users\user\.conan2\p\hello092ffa809a9a1\d\metadata\sign\pkgsign-manifest.json.sig C:\Users\user\.conan2\p\hello092ffa809a9a1\d\metadata\sign\pkgsign-manifest.json + Package verified for reference hello/1.0 + [Package sign] Checksum verified for file conan_package.tgz (5cc1b9e330fe5bb6ad5904db45d78ecd6bdc71bcc18eff8d19a1ed126ba5a5aa). + [Package sign] Checksum verified for file conaninfo.txt (f80367b17176346e10640ed813d6d2f1c45ed526822ff71066696179d16e2f2f). + [Package sign] Checksum verified for file conanmanifest.txt (91429ce32c2d0a99de6459a589ac9c35933ed65165ee5c564b6534da57fdfa65). 
+ Running command: openssl dgst -sha256 -verify C:\Users\user\.conan2\extensions\plugins\sign\my-organization\public_key.pem -signature C:\Users\user\.conan2\p\b\hello5b13c694fef4a\d\metadata\sign\pkgsign-manifest.json.sig C:\Users\user\.conan2\p\b\hello5b13c694fef4a\d\metadata\sign\pkgsign-manifest.json + Package verified for reference hello/1.0:dee9f7f985eb1c20e3c41afaa8c35e2a34b5ae0b + [Package sign] Results: + + hello/1.0 + revisions + 53321bba8793db6fea5ea1a98dd6f3d6 + packages + dee9f7f985eb1c20e3c41afaa8c35e2a34b5ae0b + revisions + 4b1eaf2e27996cb39cb3774f185fcd8e + + [Package sign] Summary: OK=2, FAILED=0 + +As you see, Conan is performing an internal checksum verification for the files and calling the ``verify()`` function of the plugin that uses +the ``openssl`` executable to verify the recipe and the package with a command similar to: + +.. code-block:: bash + + $ openssl dgst -sha256 -verify public_key.pem -signature pkgsign-manifest.json.sig pkgsign-manifest.json + +.. seealso:: + + If you want to create your own package signing plugin, check the reference documentation at + :ref:`reference_extensions_package_signing`. From e3f79d08597c27b2306c86fa8e13e49a3709cd95 Mon Sep 17 00:00:00 2001 From: danimtb Date: Tue, 17 Feb 2026 12:44:26 +0100 Subject: [PATCH 02/13] add examples section --- reference/extensions/package_signing.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/reference/extensions/package_signing.rst b/reference/extensions/package_signing.rst index 334fab5ce378..556dd694d52e 100644 --- a/reference/extensions/package_signing.rst +++ b/reference/extensions/package_signing.rst 
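Review bot: in patch 01's `package_signing_with_openssl.rst` hunk, step 2 of "Configuring the plugin" places `private_key.pem` under `CONAN_HOME/extensions/plugins/sign/my-organization/`, while the caution box above it says to keep the private key out of the Conan cache and the tip below says the plugin folder "can be easily distributed as part of the client configuration using the :ref:`conan config install` command"; a reader who follows both would distribute the signing key to every client that installs the configuration. State explicitly that only `sign.py` and `public_key.pem` belong in the distributed configuration and that verifying clients never need the private key. Smaller points in the same hunk: `$ conan create` needs the recipe path (`$ conan create .`) to run inside the folder that `conan new` just created; "OpensSSL digest tool" should read "OpenSSL"; the stray ```` line after the `openssl dgst -sha256 -sign` code block renders as broken literal markup; and in the tip, "so they can be easily distributed" should be "so it can be easily distributed" since the subject is the plugin.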
@@ -211,3 +211,10 @@ Here is a usual flow for signing and verifying packages: The :command:`conan upload` command **will not automatically sign** the packages since Conan 2.26.0. Please make sure to use the :command:`conan cache sign` command to **sign the packages before uploading them**, and **update your plugin** to conform to the new implementation. + +Plugin implementation examples +============================== + +Here you can find some implementation examples of the plugin so they can serve as guidance to develop your own one: + +- :ref:`examples_extensions_package_signing_openssl`. From f4ccc2d7d4497e52615f88781f82ba4cbedecdee Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 18 Feb 2026 12:48:34 +0100 Subject: [PATCH 03/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 5519d2bc7f79..55cc674cfab5 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst @@ -15,7 +15,7 @@ Generating the signing keys In order to sign and verify the packages with the plugin, first we will need a public and private key. -To generate the ques using the ``openssl`` executable, we can run: +To generate the keys using the ``openssl`` executable, we can run: .. code-block:: bash From 13d18868f2c1247f2eb472292d79296cade8934d Mon Sep 17 00:00:00 2001 
From: Daniel Date: Wed, 18 Feb 2026 12:48:47 +0100 Subject: [PATCH 04/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Francisco Ramírez --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 55cc674cfab5..13432dae937c 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst @@ -13,7 +13,7 @@ This example is available in the examples2 repository: https://github.com/conan- Generating the signing keys +++++++++++++++++++++++++++ -In order to sign and verify the packages with the plugin, first we will need a public and private key. +To sign and verify the packages using the plugin, first, we will need a public and private key. To generate the keys using the ``openssl`` executable, we can run: From dd5ddc81b57f48f783435332d70599c5a7ba3e58 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 18 Feb 2026 12:49:22 +0100 Subject: [PATCH 05/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Francisco Ramírez --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 13432dae937c..80e5d39dd061 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst 
@@ -29,7 +29,7 @@ Now, we can get the public key from it with this command: $ openssl pkey -in private_key.pem -pubout -out public_key.pem -This public key will be used by the plugin to verify the packages. +The plugin will use this public key to verify the packages. Configuring the plugin From 4233368a4f300d4abdc3dc62c9c334962a9cfcfa Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 18 Feb 2026 12:49:39 +0100 Subject: [PATCH 06/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Francisco Ramírez --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 80e5d39dd061..663975257072 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst @@ -89,7 +89,7 @@ For signing the recipe and package, use the dedicated command: [Package sign] Summary: OK=2, FAILED=0 -As you see, The command is executing the ``sign()`` function of the plugin that uses the ``openssl`` executable to sign the recipe and the package with a command similar to: +As you see, the command is executing the ``sign()`` function of the plugin that uses the ``openssl`` executable to sign the recipe and the package with a command similar to: .. code-block:: bash From 96413459de203af752ca8150e8426a977ed2fe70 Mon Sep 17 00:00:00 2001 
From: Daniel Date: Wed, 18 Feb 2026 12:50:06 +0100 Subject: [PATCH 07/13] Update reference/extensions/package_signing.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Francisco Ramírez --- reference/extensions/package_signing.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/extensions/package_signing.rst b/reference/extensions/package_signing.rst index 556dd694d52e..ab491db216f8 100644 --- a/reference/extensions/package_signing.rst +++ b/reference/extensions/package_signing.rst @@ -215,6 +215,6 @@ Here is a usual flow for signing and verifying packages: Plugin implementation examples ============================== -Here you can find some implementation examples of the plugin so they can serve as guidance to develop your own one: +Here you can find some implementation examples of the plugin so they can serve as guidance to develop your own: - :ref:`examples_extensions_package_signing_openssl`. From 8721ef1d9b510b8a7532a0edea6658ed5f4c23cb Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 18 Feb 2026 12:50:16 +0100 Subject: [PATCH 08/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Francisco Ramírez --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 663975257072..8efa987d72f8 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst 
@@ -21,7 +21,7 @@ To generate the keys using the ``openssl`` executable, we can run: $ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048 -This will generate the private key to sign the packages with. +This will generate the private key used to sign the packages. Now, we can get the public key from it with this command: From 1d2e6cbd93d373aa9b5645d2b9cdf44e41b47bb1 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 18 Feb 2026 16:13:48 +0100 Subject: [PATCH 09/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst Co-authored-by: Carlos Zoido --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 8efa987d72f8..06199ba6411d 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst @@ -4,7 +4,7 @@ Signing packages with OpenSSL ============================= This is an example of a Package Signing Plugin implementation using the `OpensSSL digest tool `_. -You will need to have ``openssl`` installed and available on your path. +You will need to have ``openssl`` installed at the system level and available in your ``PATH``. .. include:: ../../../common/experimental_warning.inc From 03f83aec801d72d7443a555ad31112bf2293e4dd Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 18 Feb 2026 16:14:35 +0100 Subject: [PATCH 10/13] Update examples/extensions/package_signing/package_signing_with_openssl.rst Co-authored-by: Carlos Zoido --- .../extensions/package_signing/package_signing_with_openssl.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
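Review bot: patch 09 rewrites the `PATH` sentence directly under the context line `This is an example of a Package Signing Plugin implementation using the `OpensSSL digest tool `_.`, which still carries the "OpensSSL" typo; fix it while this paragraph is being touched rather than leaving it for another round.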
diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 06199ba6411d..5887d02fe16b 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst @@ -8,7 +8,7 @@ You will need to have ``openssl`` installed at the system level and available in .. include:: ../../../common/experimental_warning.inc -This example is available in the examples2 repository: https://github.com/conan-io/examples2/tree/main/examples/extensions/plugins/openssl_sign +This example is available in the examples2 repository: `examples/extensions/plugins/openssl_sign `_. Generating the signing keys +++++++++++++++++++++++++++ From 06e4e82316a0252d72c14b3a63b6a818dc06a3f5 Mon Sep 17 00:00:00 2001 From: danimtb Date: Wed, 18 Feb 2026 16:32:10 +0100 Subject: [PATCH 11/13] review --- .../package_signing_with_openssl.rst | 30 ++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 5887d02fe16b..46593891089c 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst @@ -10,6 +10,13 @@ You will need to have ``openssl`` installed at the system level and available in This example is available in the examples2 repository: `examples/extensions/plugins/openssl_sign `_. +.. note:: + + OpenSSL is used here for demonstration purposes only. The Package Signing + plugin mechanism is backend-agnostic, and you could implement a similar + plugin using other tools available in your system (for example, ``gpg``), + with minimal changes to the signing and verification commands. + Generating the signing keys +++++++++++++++++++++++++++ 
@@ -43,8 +50,25 @@ Configuring the plugin 1. Copy the ``examples/extensions/plugins/openssl_sign/sign.py`` file to your Conan home at ``CONAN_HOME/extensions/plugins/sign/sign.py``. -2. Now, place the private key ``private_key.pem`` and the public key ``public_key.pem`` inside a folder ``my-organization`` next to the ``sign.py`` - file (``CONAN_HOME/extensions/plugins/sign/my-organization/``). +1. Copy the ``sign.py`` file to your Conan home: + + ``CONAN_HOME/extensions/plugins/sign/sign.py`` + +2. Place the generated keys in a folder named after your provider + (``my-organization`` in this example), next to ``sign.py``: + +Your final folder structure should look like this: + +.. code-block:: text + + CONAN_HOME/ + └── extensions/ + └── plugins/ + └── sign/ + ├── sign.py + └── my-organization/ + ├── private_key.pem + └── public_key.pem The ``my-organization`` folder serves as the **provider** in this example, and it is used by the plugin to identify the organization that owns the keys. This will be used later by the ``verify()`` function to **verify the package with the matching public key**. @@ -95,8 +119,6 @@ As you see, the command is executing the ``sign()`` function of the plugin that $ openssl dgst -sha256 -sign private_key.pem -out pkgsign-manifest.json.sig pkgsign-manifest.json -```` - And it is also using the conan-generated ``pkgsign-manifest.json`` file to create the signature. You can read more about this manifest file at :ref:`reference_extensions_package_signing`. From cf8d1e5f3c748d5aaf3ef5fb21f7e1425d1e835b Mon Sep 17 00:00:00 2001 From: danimtb Date: Wed, 18 Feb 2026 17:12:52 +0100 Subject: [PATCH 12/13] add code tour --- .../package_signing_with_openssl.rst | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 46593891089c..88e0e7f037da 100644 
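Review bot: the hunk at `@@ -43,8 +50,25 @@ Configuring the plugin` leaves two step-1 items: the existing `1. Copy the ``examples/extensions/plugins/openssl_sign/sign.py`` file to your Conan home at ...` line is kept as context and `+1. Copy the ``sign.py`` file to your Conan home:` is added right below it, so the rendered list reads 1, 1, 2; the old line should be a `-` line. The new step 2 also ends with a colon (`next to ``sign.py``:`) but what follows is the separate paragraph "Your final folder structure should look like this:", so either end the step with a period or indent the `code-block:: text` tree into the list item so the colon introduces it.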
--- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst 
@@ -79,6 +79,93 @@ This will be used later by the ``verify()`` function to **verify the package wit configuration using the :ref:`conan config install` command. +Implementation +++++++++++++++ + +The plugin's implementation is very straightforward. + +For signing packages, the `sign()` function is defined, where the packages are signed by the :command:`openssl dgst` command: + +.. code-block:: python + + def sign(ref, artifacts_folder, signature_folder, **kwargs) + ... + openssl_sign_cmd = [ + "openssl", + "dgst", + "-sha256", + "-sign", privkey_filepath, + "-out", signature_filepath, + manifest_filepath + ] + try: + _run_command(openssl_sign_cmd) + ConanOutput().success(f"Package signed for reference {ref}") + except Exception as exc: + raise ConanException(f"Error signing artifact: {exc}") + ... + +There, the manifest ``pkgsign-manifest.json`` (created right before ``sign()`` function is called) is used to sign the package, +as it contains the filenames and checksums of the artifacts of the package. + +The signature file is saved into the ``signature_filepath`` (the signature folder at ``/metadata/sign``), and finally, the +metadata of the signature is returned as a dictionary in a list: + +.. code-block:: python + + def sign(ref, artifacts_folder, signature_folder, **kwargs) + ... + return [{"method": "openssl-dgst", + "provider": "my-organization", + "sign_artifacts": { + "manifest": "pkgsign-manifest.json", + "signature": signature_filename}}] + +This information saved in a file ``pkgsign-signatures.json`` placed in the signature folder, so it can be used in the `verify()` to +verify the package signature against the correct provider keys, with the correct signing method (``openssl-dgst`` for this example) +and using the signature files in ``sign_artifacts``. + +For verifying packages, the `verify()` function is defined. + +First, the ``pkgsign-signatures.json`` is loaded to read the metadata of the signatures (multiple signatures are supported): + +.. 
code-block:: python + + def verify(ref, artifacts_folder, signature_folder, files, **kwargs): + ... + signatures = json.loads(f.read()).get("signatures") + ... + for signature in signatures: + signature_filename = signature.get("sign_artifacts").get("signature") + signature_filepath = os.path.join(signature_folder, signature_filename) + ... + provider = signature.get("provider") + signature_method = signature.get("method") + ... + +Then, the ``provider`` information is used to select the correct public key for verification that use the right signature verification +``method`` (``openssl-dgst`` for this example) and run the :command:`openssl dgst -verify` command: + +.. code-block:: python + + def verify(ref, artifacts_folder, signature_folder, files, **kwargs): + ... + openssl_verify_cmd = [ + "openssl", + "dgst", + "-sha256", + "-verify", pubkey_filepath, + "-signature", signature_filepath, + manifest_filepath, + ] + try: + _run_command(openssl_verify_cmd) + ConanOutput().success(f"Package verified for reference {ref}") + except Exception as exc: + raise ConanException(f"Error verifying signature {signature_filepath}: {exc}") + +The ``verify()`` function does not return any value in case the package is correct. If the verification fails, then a ``ConanException()`` should be raised. + Signing packages ++++++++++++++++ From 6fca66adf516d3c041c080117192c038cda30447 Mon Sep 17 00:00:00 2001 From: danimtb Date: Wed, 18 Feb 2026 17:18:59 +0100 Subject: [PATCH 13/13] remove line --- .../extensions/package_signing/package_signing_with_openssl.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/extensions/package_signing/package_signing_with_openssl.rst b/examples/extensions/package_signing/package_signing_with_openssl.rst index 88e0e7f037da..42328673297b 100644 --- a/examples/extensions/package_signing/package_signing_with_openssl.rst +++ b/examples/extensions/package_signing/package_signing_with_openssl.rst 
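Review bot: in patch 12's `verify()` excerpt, `signatures = json.loads(f.read()).get("signatures")` followed by `for signature in signatures:` means an empty `signatures` list runs no verification at all and `verify()` returns normally, which the closing paragraph documents as the success case; a missing key gives a `TypeError` instead of the `ConanException` the text says should be raised. The walkthrough should state, and the example should enforce, that an absent or empty signature list is a verification failure, and that a `provider` value with no matching public key folder under the plugin directory must fail rather than be skipped, since that lookup is what ties a signature to a trusted key. Smaller points: both `def sign(ref, artifacts_folder, signature_folder, **kwargs)` lines lack the trailing colon; `sign()` and `verify()` are marked with single backticks in three places where the rest of the page uses double backticks (single backticks render as interpreted text, not literal); "This information saved in a file" is missing "is"; "select the correct public key for verification that use the right signature verification ``method``" needs rewording, for example "select the provider's public key and the verification ``method``"; and `raise ConanException(...) from exc` in both `except` blocks keeps the underlying OpenSSL error in the traceback.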
@@ -71,7 +71,6 @@ Your final folder structure should look like this: └── public_key.pem The ``my-organization`` folder serves as the **provider** in this example, and it is used by the plugin to identify the organization that owns the keys. -This will be used later by the ``verify()`` function to **verify the package with the matching public key**. .. tip::