fix the package signing plugin not verifying sources

conans/client/pkg_sign.py

@@ -35,8 +35,9 @@ def _sign(ref, files, folder):
                 if pkg_bundle["upload"]:
                     _sign(pref, pkg_bundle["files"], self._cache.pkg_layout(pref).download_package())
 
-    def verify(self, ref, folder):
+    def verify(self, ref, folder, files):
         if self._plugin_verify_function is None:
             return
         metadata_sign = os.path.join(folder, METADATA, "sign")
-        self._plugin_verify_function(ref, artifacts_folder=folder, signature_folder=metadata_sign)
+        self._plugin_verify_function(ref, artifacts_folder=folder, signature_folder=metadata_sign,
+                                     files=files)

conans/client/remote_manager.py

@@ -60,7 +60,7 @@ def get_recipe(self, ref, remote, metadata=None):
             if "conanmanifest.txt" not in zipped_files:
                 raise ConanException(f"Corrupted {ref} in '{remote.name}' remote: "
                                      f"no conanmanifest.txt")
-            self._signer.verify(ref, download_export)
+            self._signer.verify(ref, download_export, files=zipped_files)
         except BaseException:  # So KeyboardInterrupt also cleans things
             ConanOutput(scope=str(ref)).error(f"Error downloading from remote '{remote.name}'")
             self._cache.remove_recipe_layout(layout)
@@ -103,6 +103,7 @@ def get_recipe_sources(self, ref, layout, remote):
             mkdir(export_sources_folder)  # create the folder even if no source files
             return
 
+        self._signer.verify(ref, download_folder, files=zipped_files)
         tgz_file = zipped_files[EXPORT_SOURCES_TGZ_NAME]
         uncompress_file(tgz_file, export_sources_folder, scope=str(ref))
 
@@ -149,7 +150,7 @@ def _get_package(self, layout, pref, remote, scoped_output, metadata):
             for f in ("conaninfo.txt", "conanmanifest.txt", "conan_package.tgz"):
                 if f not in zipped_files:
                     raise ConanException(f"Corrupted {pref} in '{remote.name}' remote: no {f}")
-            self._signer.verify(pref, download_pkg_folder)
+            self._signer.verify(pref, download_pkg_folder, zipped_files)
 
             tgz_file = zipped_files.pop(PACKAGE_TGZ_NAME, None)
             package_folder = layout.package()

conans/test/integration/test_pkg_signing.py

@@ -22,16 +22,17 @@ def sign(ref, artifacts_folder, signature_folder):
             for f in sorted(os.listdir(artifacts_folder)):
                 if os.path.isfile(os.path.join(artifacts_folder, f)):
                     files.append(f)
+            print("Signing files: ", sorted(files))
             signature = os.path.join(signature_folder, "signature.asc")
             open(signature, "w").write("\n".join(files))
 
-        def verify(ref, artifacts_folder, signature_folder):
+        def verify(ref, artifacts_folder, signature_folder, files):
             print("Verifying ref: ", ref)
             print("Verifying folder: ", artifacts_folder)
             signature = os.path.join(signature_folder, "signature.asc")
             contents = open(signature).read()
             print("verifying contents", contents)
-            for f in sorted(os.listdir(artifacts_folder)):
+            for f in files:
                 print("VERIFYING ", f)
                 if os.path.isfile(os.path.join(artifacts_folder, f)):
                     assert f in contents
@@ -41,7 +42,17 @@ def verify(ref, artifacts_folder, signature_folder):
     c.run("upload * -r=default -c")
     assert "Signing ref:  pkg/0.1" in c.out
     assert "Signing ref:  pkg/0.1:da39a3ee5e6b4b0d3255bfef95601890afd80709" in c.out
+    # Make sure it is signing the sources too
+    assert "Signing files:  ['conan_export.tgz', 'conan_sources.tgz', " \
+           "'conanfile.py', 'conanmanifest.txt']" in c.out
     c.run("remove * -c")
     c.run("install --requires=pkg/0.1")
     assert "Verifying ref:  pkg/0.1" in c.out
     assert "Verifying ref:  pkg/0.1:da39a3ee5e6b4b0d3255bfef95601890afd80709" in c.out
+    assert "VERIFYING  conanfile.py" in c.out
+    assert "VERIFYING  conan_sources.tgz" not in c.out # Sources not retrieved now
+    # Lets force the retrieval of the sources
+    c.run("install --requires=pkg/0.1 --build=*")
+    assert "Verifying ref:  pkg/0.1" in c.out
+    assert "VERIFYING  conanfile.py" not in c.out  # It doesn't re-verify previous contents
+    assert "VERIFYING  conan_sources.tgz" in c.out