Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: verify integrity signature when downloading from npm registry #432

Merged
merged 28 commits into from Apr 12, 2024
Merged

feat: verify integrity signature when downloading from npm registry #432

merged 28 commits into from Apr 12, 2024

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Mar 17, 2024
edited

When the user has not provided any hash (so when running corepack up/corepack use …), and the package manager is downloaded from the npm registry, we can verify the signature.

Related to #10.

BREAKING CHANGE: attempting to download a version from the npm registry (or a mirror) that was published using the now deprecated PGP signature (Yarn ≤1.22.18, Yarn Berry ≤4.0.0-rc.43, pnpm ≤8.4.0) without providing a hash will trigger an error. Users can disable the signature verification by setting COREPACK_INTEGRITY_KEYS="".

aduh95
aduh95 commented Mar 22, 2024
View reviewed changes
config.json Outdated Show resolved Hide resolved
@aduh95 aduh95 marked this pull request as ready for review March 22, 2024 10:39
arcanis
arcanis reviewed Mar 27, 2024
View reviewed changes
sources/corepackUtils.ts Outdated Show resolved Hide resolved
sources/types.ts Outdated Show resolved Hide resolved
sources/corepackUtils.ts
@@ -200,7 +204,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s

stream.pipe(sendTo);

const algo = build[0] ?? `sha256`;
const algo = build[0] ?? `sha512`;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why switching to sha512?

Copy link
Contributor Author

@aduh95 aduh95 Mar 27, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because that’s what npm registry uses for the signature: they sign a combination of the package name & version and the SHA512 of the package archive. See https://docs.npmjs.com/verifying-registry-signatures for reference.

aduh95
aduh95 commented Mar 30, 2024
View reviewed changes
sources/corepackUtils.ts Outdated Show resolved Hide resolved
@aduh95 aduh95 enabled auto-merge (squash) April 12, 2024 21:24
@aduh95 aduh95 merged commit e561dd0 into main Apr 12, 2024
10 checks passed
@aduh95 aduh95 deleted the verify-signature branch April 12, 2024 22:49
@github-actions github-actions bot mentioned this pull request Apr 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arcanis arcanis arcanis approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@aduh95 @arcanis