
[npm] Verify publish attestations from npm package signing keys #547

Closed
asraa opened this issue Mar 27, 2023 · 4 comments
Labels
area:npm (An issue with verification of npm packages), type:feature (New feature request)

Comments

@asraa
Contributor

asraa commented Mar 27, 2023

The npm package signing key will be distributed through Sigstore's TUF root as of next week.

The target will be found at registry.npmjs.org/keys.json and has a format like this: https://raw.githubusercontent.com/sigstore/root-signing/f3ebf7f951e021d2b1ad94735d33af7f7834793f/repository/staged/targets/registry.npmjs.org/keys.json

where there is a signatures key and an attestations key.

To get this file in bytes, you can use the sigstore/sigstore TUF client like this:

```go
import (
	"context"

	"github.com/sigstore/sigstore/pkg/tuf"
)

	// Build a TUF client from the Sigstore root and fetch the npm keys target.
	tufClient, err := tuf.NewFromEnv(context.Background())
	if err != nil {
		check(err)
	}
	// The target name is a string: the path under targets/ in the TUF repository.
	keysFileBytes, err := tufClient.GetTarget("registry.npmjs.org/keys.json")
	if err != nil {
		check(err)
	}
```

The format of this file is defined loosely from the protobufs, at least the PublicKeys are from this proto
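Once the keys file bytes are in hand, the verifier still has to pick the right key for the job and bind the signature to the right message. The following is an added example, not code from this issue or from slsa-verifier: it parses a keys file in a format that is assumed for the example (a `keys` list whose entries carry `keyId`, `keyUsage` of either `npm:signatures` or `npm:attestations`, and a `publicKey` with base64 PKIX `rawBytes`, `keyDetails` and a `validFor` window; the issue only says the target has a signatures key and an attestations key, so these field names are an assumption), filters entries by usage and validity window, rejects anything that is not a PKIX ECDSA P-256 key, and verifies an ASN.1 ECDSA signature over SHA-256 of the message. Two message constructions are shown: the registry signature string `<name>@<version>:<integrity>` and the DSSE pre-authentication encoding that is what actually gets signed in an attestation envelope. `makeFixture` generates a throwaway key and a constructed keys file so the block runs offline; the key ID and package data in it are constructed, not real npm values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// keyEntry is the per-key record assumed for this example; the field names are an
// assumption, not the project's authoritative schema.
type keyEntry struct {
	KeyID     string `json:"keyId"`
	KeyUsage  string `json:"keyUsage"` // "npm:signatures" or "npm:attestations"
	PublicKey struct {
		RawBytes   string `json:"rawBytes"`   // base64 PKIX (SubjectPublicKeyInfo) DER
		KeyDetails string `json:"keyDetails"` // e.g. "PKIX_ECDSA_P256_SHA_256"
		ValidFor   struct {
			Start time.Time  `json:"start"`
			End   *time.Time `json:"end"` // nil: no expiry
		} `json:"validFor"`
	} `json:"publicKey"`
}

// selectKeys returns the keys whose usage matches and whose validity window covers t.
// An entry that is not a PKIX ECDSA P-256 key is an error rather than silently skipped.
func selectKeys(raw []byte, usage string, t time.Time) ([]*ecdsa.PublicKey, error) {
	var kf struct {
		Keys []keyEntry `json:"keys"`
	}
	if err := json.Unmarshal(raw, &kf); err != nil {
		return nil, fmt.Errorf("parse keys file: %w", err)
	}
	var out []*ecdsa.PublicKey
	for _, k := range kf.Keys {
		v := k.PublicKey.ValidFor
		if k.KeyUsage != usage || t.Before(v.Start) || (v.End != nil && t.After(*v.End)) {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(k.PublicKey.RawBytes)
		if err != nil {
			return nil, fmt.Errorf("key %s: bad rawBytes: %w", k.KeyID, err)
		}
		pub, err := x509.ParsePKIXPublicKey(der)
		ec, ok := pub.(*ecdsa.PublicKey)
		if k.PublicKey.KeyDetails != "PKIX_ECDSA_P256_SHA_256" || err != nil || !ok || ec.Curve != elliptic.P256() {
			return nil, fmt.Errorf("key %s: not a PKIX ECDSA P-256 key (%q, %v)", k.KeyID, k.PublicKey.KeyDetails, err)
		}
		out = append(out, ec)
	}
	return out, nil
}

// registryMessage is what npm signs for a registry signature: "<name>@<version>:<integrity>".
func registryMessage(name, version, integrity string) []byte {
	return []byte(name + "@" + version + ":" + integrity)
}

// dssePAE is the DSSE pre-authentication encoding signed for an attestation envelope.
func dssePAE(payloadType string, payload []byte) []byte {
	s := fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(payload))
	return append([]byte(s), payload...)
}

// verifyWithAny checks a DER ECDSA signature over SHA-256(msg) against every candidate key.
func verifyWithAny(keys []*ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	for _, k := range keys {
		if ecdsa.VerifyASN1(k, digest[:], sig) {
			return true
		}
	}
	return false
}

// makeFixture builds a keys file in the assumed format holding a fresh P-256 key under
// the given usage and signs msg with it. Constructed test data only; panics if rand fails.
func makeFixture(usage string, msg []byte) (keysJSON, sig []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a valid P-256 key
	e := keyEntry{KeyID: "SHA256:example-constructed", KeyUsage: usage}
	e.PublicKey.RawBytes = base64.StdEncoding.EncodeToString(der)
	e.PublicKey.KeyDetails = "PKIX_ECDSA_P256_SHA_256"
	e.PublicKey.ValidFor.Start = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
	keysJSON, _ = json.Marshal(map[string]any{"keys": []keyEntry{e}})
	digest := sha256.Sum256(msg)
	if sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		panic(err)
	}
	return keysJSON, sig
}
```

To exercise it, call `makeFixture("npm:signatures", registryMessage("left-pad", "1.3.0", "sha512-..."))`, feed the returned bytes to `selectKeys` with the same usage and `time.Now()`, and pass the keys to `verifyWithAny`; asking `selectKeys` for `npm:attestations` on that file returns no keys, and a timestamp before the `validFor.start` likewise returns none. The usage filter matters: a key that is valid for registry signatures must not be accepted for publish attestations, and the other way round, even when the same key material is published under both endpoints.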

@laurentsimon
Contributor

Thanks @asraa

So this is for the provenance signing, correct? Or the publish attestation?

In terms of backward compatibility, does this mean we can drop support for previously-generated attestations entirely?

@asraa
Contributor Author

asraa commented Mar 29, 2023

This is the publish attestation - the provenance signing is still always happening with GitHub OIDC.

@asraa
Contributor Author

asraa commented Mar 29, 2023

Ah! Clarified offline: the keys in the TUF root are the same as the ones that were hard-coded.

NOTE: key available at https://registry.npmjs.org/-/npm/v1/keys

So it will be compatible :)

@ianlewis ianlewis added type:feature New feature request area:npm An issue with verification of npm packages labels Apr 20, 2023
@ianlewis ianlewis removed this from the Verification of npm packages GA milestone Jun 27, 2023
@ianlewis
Member

This is needed by the time npm updates their cert
