Packages published to the public npm registry are signed to make it possible to detect if the package content has been tampered with.
Signing and verifying published packages protects against an attacker controlling a registry mirror or proxy where they attempt to intercept and tamper with the package tarball content.
Migrating from PGP to ECDSA signatures
Note: PGP-based registry signatures were deprecated on April 25, 2023 and replaced by ECDSA registry signatures.
The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures, which are more compact and can be verified without extra dependencies in the npm CLI.
Signature verification was previously a multi-step process involving the Keybase CLI, as well as manually retrieving and parsing the signature from the package metadata.
Read more about migrating and verifying signatures using the npm CLI.
Supporting signatures on third-party registries
The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:
1. Signatures are provided in the packument, inside the dist object of each published version:
"dist":{..omitted..,"signatures": [{"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}","sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."}],
See this example of a signed package from the public npm registry.
To generate the signature, sign the package name, version and tarball sha integrity: ${package.name}@${package.version}:${package.dist.integrity}.
The current best practice is to use a Key Management System that performs the signing operation on a Hardware Security Module (HSM), so that the private key is never handled directly, which reduces the attack surface.
The keyid must match one of the public signing keys below.
2. Public signing keys are provided at registry-host.tld/-/npm/v1/keys in the following format:
{"keys": [{"expires": null,"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}","keytype": "ecdsa-sha2-nistp256","scheme": "ecdsa-sha2-nistp256","key": "{{B64_PUBLIC_KEY}}"}]}
Keys response:
expires: null or a simplified extended ISO 8601 format: YYYY-MM-DDTHH:mm:ss.sssZ
keyid: sha256 fingerprint of the public key
keytype: only ecdsa-sha2-nistp256 is currently supported by the npm CLI
scheme: only ecdsa-sha2-nistp256 is currently supported by the npm CLI
key: base64 encoded public key
See this example key's response from the public npm registry.