目录
生成出处声明
目录
你可以为你发布的包生成出处声明。这使你可以公开确定包的构建位置以及包的发布者,这可以提高包的供应链安全性。
¥You can generate provenance statements for the packages you publish. This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.
关于 npm 出处
¥About npm provenance
npm 出处包括两种类型的证明:
¥npm provenance includes two types of attestations:
-
出处证明
¥Provenance attestation
-
发布认证
¥Publish attestation
出处证明是通过公开提供包源代码的链接和来自构建环境的构建说明来建立的。这允许开发者在下载包之前验证包的构建位置和方式。
¥The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.
当授权用户发布包时,发布证明由注册表生成。当一个 npm 包发布时带有出处,它由 Sigstore 公共产品服务器签名并记录在一个公共透明分类帐中,用户可以在其中查看此信息。
¥Publish attestations are generated by the registry when a package is published by an authorized user. When an npm package is published with provenance, it is signed by Sigstore public good servers and logged in a public transparency ledger, where users can view this information.
关于 Sigstore
¥About Sigstore
Sigstore 是一个工具和服务的集合,旨在使使用短期的、临时的证书来签署软件变得容易。它的三个主要组件是 CLI 工具、证书颁发机构和时间戳透明度日志。
¥Sigstore is a collection of tools and services aimed at making it easy to use short-lived, ephemeral certificates to sign software. Its three main components are a CLI tool, a certificate authority, and a time-stamping transparency log.
证书颁发机构与任何包含可验证构建信息的 OIDC 提供商联合。它通过验证 OIDC 令牌的完整性,颁发包含该构建信息的签名证书,然后将签名证书记录到不可变的分类帐中,充当构建系统和包注册表之间的中介。
¥The certificate authority federates with any OIDC provider that includes verifiable build information. It acts as an intermediary between build systems and package registries by verifying the integrity of the OIDC token, issues a signing certificate that contains that build information, and then logging the signing certificate to an immutable ledger.
透明日志服务提供了一个公开的、可验证的、防篡改的签名证明分类账。这确保了公共服务的透明度,并提供了一种方法来检测在包注册表被破坏时试图篡改包的企图。
¥The transparency log service provides a public, verifiable, tamper-evident ledger of signed attestations. This ensures transparency of the public service, as well as providing a way to detect attempts to tamper with a package if a package registry were to be compromised.
出处限制
¥Provenance limitations
-
要发布具有出处的包,你必须使用云托管运行器通过受支持的云 CI/CD 提供商构建包。如今,这包括 GitHub Actions 和 GitLab CI/CD。
¥To publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner. Today this includes GitHub Actions and GitLab CI/CD.
-
当 npm 注册表中的包已确定出处时,它并不能保证该包没有恶意代码。相反,npm provenance 提供了一个指向包源代码和构建说明的可验证链接,开发者随后可以审核并确定是否信任它。欲了解更多信息,请参阅“搜索并选择要下载的包”。
¥When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not. For more information, see "Searching for and choosing packages to download."
先决条件
¥Prerequisites
在你可以发布带有出处的包之前,你必须:
¥Before you can publish your packages with provenance, you must:
-
查看适用于公共透明度日志的 Linux 基金会不可变记录通知。
¥Review the Linux Foundation Immutable Record notice, which applies to the public transparency log.
-
安装最新版本的 npm CLI(确保你使用的是
9.5.0+,因为旧版本不支持 npm 出处)。欲了解更多信息,请参阅“尝试最新稳定版 npm”。¥Install the latest version of the npm CLI (ensure you are on
9.5.0+as older versions don't support npm provenance). For more information, see "Try the latest stable version of npm." -
确保你的
package.json配置了与你发布来源匹配的公共repository。¥Ensure your
package.jsonis configured with a publicrepositorythat matches where you are publishing with provenance from. -
使用受支持的 CI/CD 提供商设置自动化,将包发布到 npm 注册表。支持以下提供商:
¥Set up automation with a supported CI/CD provider to publish your packages to the npm registry. The following providers are supported:
-
GitHub Actions。欲了解更多信息,请参阅“通过 GitHub Actions 发布带有来源的包”。
¥GitHub Actions. For more information, see "Publishing packages with provenance via GitHub Actions."
-
GitLab CI/CD。欲了解更多信息,请参阅“通过 GitLab CI/CD 发布具有出处的包”。
¥GitLab CI/CD. For more information, see "Publishing packages with provenance via GitLab CI/CD."
-
通过 GitHub Actions 发布带有来源的包
¥Publishing packages with provenance via GitHub Actions
为了确定出处,你必须使用受支持的云 CI/CD 提供商和云托管的运行器来发布你的包。GitHub Actions 是一个受支持的 CI/CD 平台,可让你自动执行软件开发任务。有关详细信息,请参阅 GitHub 文档中的 GitHub Actions。
¥In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitHub Actions is a supported CI/CD platform that allows you to automate software development tasks. For more information, see GitHub Actions in the GitHub documentation.
要更新 GitHub Actions 工作流程以发布带有来源的包,你必须:
¥To update your GitHub Actions workflow to publish your packages with provenance, you must:
-
授予铸造 ID 令牌的权限:
¥Give permission to mint an ID-token:
permissions:id-token: write -
在 GitHub 托管的运行器 上运行:
¥Run on a GitHub-hosted runner:
runs-on: ubuntu-latest -
将
--provenance标志添加到你的发布命令:¥Add the
--provenanceflag to your publish command:npm publish --provenance -
如果你是第一次发布包,你还需要显式设置对公共的访问:
¥If you are publishing a package for the first time you will also need to explicitly set access to public:
npm publish --provenance --access public
GitHub Actions 工作流程示例
¥Example GitHub Actions workflow
此示例工作流将包发布到 npm 注册表,并附上出处。
¥This example workflow publishes a package to the npm registry with provenance.
name: Publish Package to npmjson:release:types: [created]jobs:build:runs-on: ubuntu-latestpermissions:contents: readid-token: writesteps:- uses: actions/checkout@v3- uses: actions/setup-node@v3with:node-version: '18.x'registry-url: 'https://registry.npmjs.org'- run: npm install -g npm- run: npm ci- run: npm publish --provenance --access publicenv:NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GitLab CI 作业示例
¥Example GitLab CI job
当推送 git 标签时,此示例作业将包发布到 npm 注册表并提供来源。不要忘记在 GitLab 项目设置中定义 NPM_TOKEN 变量。
¥This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the NPM_TOKEN variable in your GitLab project settings.
publish:image: 'node:20'rules:- if: $CI_COMMIT_TAGid_tokens:SIGSTORE_ID_TOKEN:aud: sigstorescript:- npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"- npm publish --provenance --access public
使用第三方包发布工具
¥Using third-party package publishing tools
如果你使用不直接调用 npm publish 命令的工具��发布你的包,你可以在 GitHub Actions 工作流程中执行以下操作之一以发布你的包和出处。
¥If you publish your packages with tools that do not directly invoke the npm publish command, you can do one of the following in your GitHub Actions workflow to publish your packages with provenance.
-
配置环境变量:在 GitHub Actions 工作流程中,你可以使用名为
NPM_CONFIG_PROVENANCE的环境变量,并将其设置为true。¥Configure environment variables: In your GitHub Actions workflow, you can use an environment variable called
NPM_CONFIG_PROVENANCE, and set it totrue. -
配置你的
package.json文件:你可以将publishConfig块添加到你的package.json文件中:¥Configure your
package.jsonfile: You can add apublishConfigblock to yourpackage.jsonfile:"publishConfig": {"provenance": true}, -
添加
.npmrc文件:你可以使用以下条目将.npmrc文件添加到你的项目中:¥Add an
.npmrcfile: You can add an.npmrcfile to your project with the following entry:provenance=true
注意:目前,yarn 不是用于发布带有来源的包的受支持工具。
¥Note: At this time, yarn is not a supported tool for publishing your packages with provenance.
通过 GitLab CI/CD 发布具有出处的包
¥Publishing packages with provenance via GitLab CI/CD
为了确定出处,你必须使用受支持的云 CI/CD 提供商和云托管的运行器来发布你的包。GitLab CI/CD 是一个受支持的 CI/CD 平台,可让你自动执行软件开发任务。有关更多信息,请参阅 GitLab 文档中的 在 GitLab CI/CD 中生成来源。
¥In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitLab CI/CD is a supported CI/CD platform that allows you to automate software development tasks. For more information, see Generating provenance in GitLab CI/CD in the GitLab documentation.