Add built-in ECDSA-SHA256 XML signature support #12

Merged: scribetw merged 6 commits into master from copilot/add-ecdsa-support, May 9, 2026

Copilot AI commented May 8, 2026

This adds first-class support for elliptic-curve XML signatures, specifically http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256. It also adds interoperability coverage with a valid externally generated ECDSA XML signature.

  • Signature algorithm support

    • Register ecdsa-sha256 in SignedXml.signatureAlgorithms
    • Implement ECDSA signing and verification for PEM EC keys
    • Handle XMLDSIG ECDSA SignatureValue in raw r || s form, including fixed-width encoding per curve order
  • Interoperability coverage

    • Add a valid externally generated ECDSA-SHA256 signed XML fixture
    • Verify that the library accepts an existing standards-compliant EC signature, not just signatures it generates itself
  • Regression tests

    • Add focused tests for:
      • verifying an external ECDSA-SHA256 XML signature
      • generating and verifying an ECDSA-SHA256 signature in-library
  • Docs

    • Document ECDSA-SHA256 as a supported signature algorithm in the README

Example:

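import 'dart:io';

// `xml` holds the XML document to be signed.
final sig = SignedXml()
  // PEM-encoded EC private key
  ..signingKey = File('ecdsa_private.pem').readAsBytesSync()
  ..signatureAlgorithm =
      'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256'
  // Reference the <book> element: exclusive C14N transform, SHA-256 digest
  ..addReference(
    "//*[local-name()='book']",
    ['http://www.w3.org/2001/10/xml-exc-c14n#'],
    'http://www.w3.org/2001/04/xmlenc#sha256',
  );

sig.computeSignature(xml);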

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue May 8, 2026 that may be closed by this pull request
Copilot AI and others added 4 commits May 8, 2026 17:03
Agent-Logs-Url: https://github.com/rikulo/xml-crypto/sessions/e8be92a4-c274-47cd-b52b-d60474de8c21

Co-authored-by: scribetw <6398934+scribetw@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for Elliptic Curve Signatures using ECDSA" to "Add built-in ECDSA-SHA256 XML signature support" May 8, 2026
Copilot AI requested a review from scribetw May 8, 2026 17:09
scribetw requested a review from Copilot May 9, 2026 01:05

Copilot AI left a comment

Pull request overview

Adds first-class ECDSA-SHA256 XMLDSIG support (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256) to SignedXml, along with fixtures, tests, and documentation updates to validate interoperability and in-library signing.

Changes:

  • Register and implement ecdsa-sha256 signing/verification, including XMLDSIG raw r || s SignatureValue encoding/decoding.
  • Add external ECDSA signature + EC PEM fixtures and new ECDSA-focused tests.
  • Update README supported algorithms and add new crypto dependencies.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| lib/src/signed_xml.dart | Adds ECDSA-SHA256 signature algorithm implementation and raw `r |
| pubspec.yaml | Adds basic_utils + pointycastle dependencies; updates false_secrets exclusions for test key material. |
| README.md | Documents ECDSA-SHA256 as a supported signature algorithm; fixes a formatting issue in “Who Uses”. |
| test/ecdsa_test.dart | Adds tests for verifying an external ECDSA signature and generating/verifying ECDSA signatures in-library. |
| test/static/ecdsa_signature.xml | Adds an externally-generated ECDSA-SHA256 signed XML fixture for interoperability coverage. |
| test/static/ecdsa_public.pem | Adds EC public key fixture used for ECDSA verification tests. |
| test/static/ecdsa_private.pem | Adds EC private key fixture used for ECDSA signing tests. |
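
The raw r || s SignatureValue handling named in the PR description and in the review overview, as an added example (not code from this pull request or from the library): XMLDSIG carries r and s as big-endian integers, each padded to the byte length of the curve order, concatenated and base64-encoded. The curve (NIST P-256) and all function names below are assumptions of the example.

```dart
import 'dart:convert';
import 'dart:typed_data';

// Order n of NIST P-256. The curve is an assumption of this example.
final p256Order = BigInt.parse(
    'FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551', radix: 16);

/// Octets per integer: byte length of the curve order (32 for P-256, 66 for P-521).
int componentLength(BigInt order) => (order.bitLength + 7) ~/ 8;
bool _inRange(BigInt v, BigInt order) => v >= BigInt.one && v < order;

/// Big-endian encoding of [v], left-padded with zeros to [length] octets.
Uint8List _fixedWidth(BigInt v, int length) => Uint8List.fromList(List.generate(
    length,
    (i) => ((v >> (8 * (length - 1 - i))) & BigInt.from(0xff)).toInt()));

/// Base64 text of r || s for an XMLDSIG SignatureValue (hypothetical helper).
String encodeSignatureValue(BigInt r, BigInt s, BigInt order) {
  if (!_inRange(r, order) || !_inRange(s, order)) {
    throw ArgumentError('r and s must be in [1, n-1]');
  }
  final len = componentLength(order);
  return base64.encode([..._fixedWidth(r, len), ..._fixedWidth(s, len)]);
}

/// Strict decode: exactly 2 * len octets, both integers in [1, n-1].
List<BigInt> decodeSignatureValue(String text, BigInt order) {
  final raw = base64.decode(text.replaceAll(RegExp(r'\s'), ''));
  final len = componentLength(order);
  if (raw.length != 2 * len) {
    throw FormatException('expected ${2 * len} octets, got ${raw.length}');
  }
  BigInt toInt(List<int> b) =>
      b.fold<BigInt>(BigInt.zero, (acc, x) => (acc << 8) | BigInt.from(x));
  final r = toInt(raw.sublist(0, len)), s = toInt(raw.sublist(len));
  if (!_inRange(r, order) || !_inRange(s, order)) {
    throw FormatException('r or s outside [1, n-1]');
  }
  return [r, s];
}

void main() {
  // Constructed values: r is small, so it must be zero-padded to 32 octets.
  final r = BigInt.from(0x1234), s = p256Order - BigInt.one;
  final text = encodeSignatureValue(r, s, p256Order);
  final back = decodeSignatureValue(text, p256Order);
  print('${base64.decode(text).length} octets, round trip ok: ${back[0] == r && back[1] == s}');
}
```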

Comment thread lib/src/signed_xml.dart Outdated
Comment thread lib/src/signed_xml.dart Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
scribetw marked this pull request as ready for review May 9, 2026 01:50
scribetw merged commit e824fba into master May 9, 2026
2 checks passed
scribetw deleted the copilot/add-ecdsa-support branch May 9, 2026 03:13
Development

Successfully merging this pull request may close these issues.

Support Elliptic Curve Signatures

3 participants