feat: add npm audit signatures
Implements [RFC: Improve signature verification](npm/rfcs#550)

Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452))

This command will verify registry signatures stored in the packument against a public key on the registry.

Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats

Co-authored-by: Michael Garvin <wraithgar@github.com>
feelepxyz and wraithgar committed Jun 30, 2022
1 parent 0ce09f1 commit 3ae53e4
Showing 5 changed files with 2,071 additions and 9 deletions.
