Port contents of Documentation/PackageSecurity.md to DocC #8726
Merged
merged 5 commits into from
May 30, 2025
Expand Up @@ -16,6 +16,7 @@ The Swift Package Manager leets you share your code as a package, depend on and

- <doc:GettingStarted> <!-- tutorial or article based walk through -->
- <doc:IntroducingPackages>
- <doc:PackageSecurity>

### Guides

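Review bot: the unchanged context line in this hunk still reads "The Swift Package Manager leets you share your code"; since this change already edits the landing page's topic list, fix the typo to "lets" in the same commit. Also check whether the `<!-- tutorial or article based walk through -->` comment beside `<doc:GettingStarted>` is meant to remain in the shipped source or is a leftover planning note.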
@@ -0,0 +1,32 @@
# Package Security

Learn about the security features that the package manager implements.

## Trust on First Use

The package manager records **fingerprints** of downloaded package versions so that
it can perform [trust-on-first-use](https://en.wikipedia.org/wiki/Trust_on_first_use)
(TOFU).
That is, when a package version is downloaded for the first time, the package manager trusts that
it has downloaded the correct contents and requires subsequent downloads of the same
package version to have the same fingerprint.
If the fingerprint changes, it might be an indicator that the package has been
compromised and the package manager either warns or returns an error.

Depending on where a package version is downloaded from, a different value is
used as its fingerprint:

| Package Version Origin | Fingerprint |
| ---------------------- | ----------- |
| Git repository | Git hash of the revision |
| Package registry | Checksum of the source archive |

The package manager keeps version fingerprints for each package in a single file
under the `~/.swiftpm/security/fingerprints` directory.
- For a Git repository package, the fingerprint filename takes the form of `{PACKAGE_NAME}-{REPOSITORY_URL_HASH}.json` (such as `LinkedList-5ddbcf15.json`).
- For a registry package, the fingerprint filename takes the form of `{PACKAGE_ID}.json` (such as `mona.LinkedList.json`).

For packages retrieved from a registry, the package manager expects all registries to provide consistent fingerprints for packages they host.
If registries have conflicting fingerprints, package manager reports that as an error.
This can be tuned down to warning by setting the [build](<doc:SwiftBuild>) option `--resolver-fingerprint-checking`
to `warn` (default is `strict`).
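Review bot: the Trust on First Use section says the package manager "either warns or returns an error" when a fingerprint changes, but nothing in that paragraph says what decides between the two; the only mention of the control is the final paragraph, which is scoped to registries returning conflicting fingerprints. State in the TOFU paragraph what selects a warning versus an error (if it is the same `--resolver-fingerprint-checking` option with `strict`/`warn`, say so there), or move the option description into its own short paragraph that covers both the changed-fingerprint and the conflicting-registry cases. Minor grammar in the last paragraph: "package manager reports that as an error" needs "the", and "tuned down to warning" should read "tuned down to a warning". Please also confirm that `<doc:SwiftBuild>` resolves to an article in this DocC catalog, since an unresolved symbol link will surface as a warning when the documentation is built.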