feat: add npm audit signatures #4827
Conversation
|
@wraithgar @ljharb thanks for the quick feedback, much appreciated! 🙇 I'm away next week so won't be getting to this until I'm back. |
|
@feelepxyz that's fine, it'll give us enough time to react to this and hopefully move some of this logic into pacote proper. |
|
Ah good spot, I think this should be reversed, wanted to check the key used
for the signature hasn’t expired before the version was created in case we
need to backdate an expiry due to a compromise. Might be worth thinking
through this scenario again though. At the very least we should check the
key is still valid today.
…On Sat, 30 Apr 2022 at 00:49, Jordan Harband ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In lib/utils/verify-signatures.js
<#4827 (comment)>:
> + const { homepage } = packument
+
+ const registry = fetch.pickRegistry(spec, this.npm.flatOptions)
+
+ const versionPackument = pickManifest(packument, version, this.npm.flatOptions)
+ const versionCreated = packument.time && packument.time[version]
+ const dist = versionPackument.dist || {}
+ const { integrity } = dist
+ const message = `${name}@${version}:${integrity}`
+ const signatures = dist.signatures || []
+ const keys = (await this.getKeys({ registry })) || []
+ const validKeys = keys.filter((publicKey) => {
+ if (!publicKey.expires) {
+ return true
+ }
+ return Date.parse(versionCreated) < Date.parse(publicKey.expires)
It could be, if the local system's clock and the registry's clock aren't
the same.
—
Reply to this email directly, view it on GitHub
<#4827 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAE5RPVKCJSFMDMKBTHLBLVHRYPZANCNFSM5UWC6WCQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
feelepxyz
force-pushed
the
validate-registry-signatures
branch
2 times, most recently
from
a7c78e7
to
0def984
Compare
feelepxyz
force-pushed
the
validate-registry-signatures
branch
from
09a73ed
to
e67e5db
Compare
Raise an error when the package has a signature, `verifySignatures` is true and there are no registry keys configured. Updated the error message and fixed the undefined name@version in the error message to match the test cases here: npm/cli#4827 Possible anti-pattern: I've attached a bunch of error attributes if the signature is invalid so we can present this in the json output to ease debugging.
Raise an error when the package has a signature, `verifySignatures` is true and there are no registry keys configured. Updated the error message and fixed the undefined name@version in the error message to match the test cases here: npm/cli#4827 Possible anti-pattern: I've attached a bunch of error attributes if the signature is invalid so we can present this in the json output to ease debugging.
|
@wraithgar I think this is ready for more thorough review now, I've updated to use your pacote changes, but pending these changes in my pacote PR 🙇 |
Good shout, currently it just ignores it and runs on the current install but maybe better to error unless it should work? I have never really used global so not sure what makes sense. |
|
Are the signatures being audited in the installed package.json, or in the lockfile? Global installs don't have a lockfile. |
The ones installed from the lockfile. I've added an error case if running with the global flag, looks like this is done for a few commands already. Once we roll this into |
feelepxyz
force-pushed
the
validate-registry-signatures
branch
from
76510af
to
0dc9964
Compare
|
@feelepxyz let me know when you're done with this iteration of the thread and I'll fix the package/lock conflicts. |
Nice one, I'm all done 👍 |
wraithgar
force-pushed
the
validate-registry-signatures
branch
2 times, most recently
from
dcabb3c
to
f488165
Compare
|
@feelepxyz all done. How do you feel about squashing the commits in this PR while we wait for it to land? We're likely gonna have at least one more conflict w/ the package lock before we can land this and it'd be way easier to suss out if we hit "reset" and squash the commits so far. |
|
Yes sounds good, happy to squash the commits 👌
…On Thu, 23 Jun 2022 at 17:53, Gar ***@***.***> wrote:
@feelepxyz <https://github.com/feelepxyz> all done. How do you feel about
squashing the commits in this PR while we wait for it to land? We're likely
gonna have at least one more conflict w/ the package lock before we can
land this and it'd be way easier to suss out if we hit "reset" and squash
the commits so far.
—
Reply to this email directly, view it on GitHub
<#4827 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAE5RLD6Y5ZVFISSEPDVADVQSB6BANCNFSM5UWC6WCQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Great! The branch is all yours. |
feelepxyz
force-pushed
the
validate-registry-signatures
branch
3 times, most recently
from
32bdfca
to
48e1b44
Compare
wraithgar
force-pushed
the
validate-registry-signatures
branch
from
48e1b44
to
b51a9f7
Compare
Implemenents [RFC: Improve signature verification](npm/rfcs#550) Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452)) This command will verify registry signatures stored in the packument against a public key on the registry. Supporting: - Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object - Validates public keys are not expired - Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys` - Errors when encountering invalid signatures - Output: json/human formats Co-authored-by: Michael Garvin <wraithgar@github.com>
feelepxyz
force-pushed
the
validate-registry-signatures
branch
from
b51a9f7
to
3ae53e4
Compare
|
docs are preliminary, @feelepxyz can expand on them in another PR. |
Update command documentation for `npm audit signatures` added in this PR: #4827
fix: Update docs for audit signatures cmd Update command documentation for `npm audit signatures` added in this PR: #4827
Implements RFC: Improve signature verification
Adds a new sub-command to
audit:npm audit signatures(followingnpm audit licenses)This command will verify registry signatures stored in the packument against a public key on the registry.
It supports:
host/-/npm/v1/keysendpoint and providessignaturesin the packumentdistobjecthost/-/npm/v1/keys