Fix audit signatures for expired keys #284
Closed
Commits on Jul 5, 2023
-
Fix audit signatures for expired keys
The current implementation of verifySignatures and verifyAttestations assumes the verification keys never expire as its checking if expiry is in the past, this means we can never roll these keys and verify old signatures that where signed with a still valid signing key. Kudos to @bdehamer for spotting this bug. This changes the key selector to allow keys that where valid before the package was published so we can roll new keys in future. There's an accompanying change required in npm-pick-manifest to expose the publish time. If this is not set I opted to use a fallback date, this isn't pretty but seems better than ignoring packages that don't have created at time? Open to suggeststions here! TODO: - Introduce `_time` in https://github.com/npm/npm-pick-manifest - Add a test for very old packages that don't have `time` in packument Signed-off-by: Philip Harrison <philip@mailharrison.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.