feat: verify integrity signature when downloading from npm registry #432

Merged: aduh95 merged 28 commits into main from verify-signature on Apr 12, 2024

Conversation

aduh95 (Contributor) commented Mar 17, 2024

When the user has not provided any hash (i.e. when running corepack up / corepack use …), and the package manager is downloaded from the npm registry, we can verify the signature.

Related to #10.

BREAKING CHANGE: attempting to download a version from the npm registry (or a mirror) that was published using the now deprecated PGP signature (Yarn ≤1.22.18, Yarn Berry ≤4.0.0-rc.43, pnpm ≤8.4.0) without providing a hash will trigger an error. Users can disable the signature verification by setting COREPACK_INTEGRITY_KEYS="".

aduh95 marked this pull request as ready for review March 22, 2024 10:39
@@ -200,7 +204,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s

stream.pipe(sendTo);

const algo = build[0] ?? `sha256`;
const algo = build[0] ?? `sha512`;
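Review bot: the fallback digest at the changed line moves from sha256 to sha512 with no comment explaining why, which is exactly the question the reviewer had to ask; add a one-line comment tying the default to the registry signature scheme (the registry signs `name@version:<sha512 integrity>`, so the downloaded tarball has to be hashed with sha512 for the signed integrity string to be comparable at all). Also confirm that `build[0]` is only empty on the no-hash registry path: any other caller that omits the algorithm now silently switches to sha512 as well, and nothing in this hunk guards that.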
Contributor (reviewer), on the hunk above:

Why switch to sha512?

aduh95 (Contributor, Author) replied Mar 27, 2024:

Because that's what the npm registry uses for the signature: they sign a combination of the package name & version and the SHA512 of the package archive. See https://docs.npmjs.com/verifying-registry-signatures for reference.

aduh95 enabled auto-merge (squash) April 12, 2024 21:24
aduh95 merged commit e561dd0 into main Apr 12, 2024
10 checks passed
aduh95 deleted the verify-signature branch April 12, 2024 22:49
2 participants