Packages published to the public npm registry are signed to make it possible to detect if the package content has been tampered with.

Signing and verifying published packages protects against an attacker controlling a registry mirror or proxy where they attempt to intercept and tamper with the package tarball content.

Migrating from PGP to ECDSA signatures

Note: PGP-based registry signatures were deprecated on April 25th 2023 and replaced by ECDSA registry signatures.

The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures that are more compact and can be verified without extra dependencies in the npm CLI.

Signature verification was previously a multi-step process involving the Keybase CLI, as well as manually retrieving and parsing the signature from the package metadata.

Read more about migrating and verifying signatures using the npm CLI.

Supporting signatures on third-party registries

The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:

1. Each published version's dist object in the packument carries a signatures array, with the key fingerprint and the signature for that version:

   "dist": {
     ..omitted..,
     "signatures": [{
       "keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
       "sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."
     }]
   }

See this example of a signed package from the public npm registry.

To generate the signature, sign the package name, version and tarball sha integrity: ${package.name}@${package.version}:${package.dist.integrity}.

The current best practice is to use a Key Management System that does the signing operation on a Hardware Security Module (HSM) in order to not directly handle the private key part, which reduces the attack surface.

The keyid must match one of the public signing keys below.

2. The registry publishes its public signing keys in a keys response of the following form:

   {
     "keys": [{
       "expires": null,
       "keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
       "keytype": "ecdsa-sha2-nistp256",
       "scheme": "ecdsa-sha2-nistp256",
       "key": "{{B64_PUBLIC_KEY}}"
     }]
   }

Keys response:

  • expires: null or a simplified extended ISO 8601 format: YYYY-MM-DDTHH:mm:ss.sssZ

  • keyid: sha256 fingerprint of the public key

  • keytype: only ecdsa-sha2-nistp256 is currently supported by the npm CLI

  • scheme: only ecdsa-sha2-nistp256 is currently supported by the npm CLI

  • key: base64 encoded public key

See this example key's response from the public npm registry.

npm 中文网 (npm Chinese-language site) - ICP licence 粤ICP备13048890号