fix: error when passing signature without keys

[feelepxyz]

Raise an error when the package has a signature, verifySignatures is true and there are no registry keys configured to match an error case we had set up in the CLI.

Updated the error message and fixed the undefined name@version in the error message to match the test cases here:
npm/cli#4827

Possible anti-pattern: I've attached a bunch of error attributes if the signature is invalid so we can present this in the json output to ease debugging.

Related: #170

[feelepxyz]

@wraithgar thoughts on these changes? I made them to line up with the test suite in the cli pr: npm/cli#4827

[wraithgar]

The way it works now was intentional, and was an attempt at letting us move forward more quickly without friction. With this PR's behavior, if this is a cli flag that someone turned on then every package from every other registry would start erroring immediately.

[wraithgar]

I see now that you're addressing a slightly different case than I was originally thinking. If there are signatures in the packument, but we don't have keys that is not the use case considering. I was only considering the absence of public keys at all.

I think, in a very narrow sense, that "If we were asked to verify signatures, and there are signatures, but we don't have a public key" should be an error state.

Just wanna put it out there though that "If we were asked to verify signatures, and there is no public key" is not, on its own, an error state.

[feelepxyz]

I think, in a very narrow sense, that "If we were asked to verify signatures, and there are signatures, but we don't have a public key" should be an error state.

👍

Just wanna put it out there though that "If we were asked to verify signatures, and there is no public key" is not, on its own, an error state.

Agreed!

[feelepxyz]

@wraithgar I think this PR is now good to go!