feat: verify integrity signature when downloading from npm registry

config.json

@@ -160,5 +160,16 @@
         }
       }
     }
+  },
+  "keys": {
+    "npm": [
+      {
+        "expires": null,
+        "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
+        "keytype": "ecdsa-sha2-nistp256",
+        "scheme": "ecdsa-sha2-nistp256",
+        "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="
+      }
+    ]
   }
-}
+}

sources/corepackUtils.ts

@@ -1,4 +1,4 @@
-import {createHash}                                            from 'crypto';
+import {createHash, createVerify}                              from 'crypto';
 import {once}                                                  from 'events';
 import {FileHandle}                                            from 'fs/promises';
 import fs                                                      from 'fs';
@@ -8,6 +8,8 @@ import path                                                    from 'path';
 import semver                                                  from 'semver';
 import {setTimeout as setTimeoutPromise}                       from 'timers/promises';
 
+import defaultConfig                                           from '../config.json';
+
 import * as engine                                             from './Engine';
 import * as debugUtils                                         from './debugUtils';
 import * as folderUtils                                        from './folderUtils';
@@ -159,12 +161,14 @@ export async function installVersion(installTarget: string, locator: Locator, {s
   }
 
   let url: string;
+  let signatures: Array<{keyid: string, sig: string}>;
+  let integrity: string;
   if (locatorIsASupportedPackageManager) {
     url = spec.url.replace(`{}`, version);
     if (process.env.COREPACK_NPM_REGISTRY) {
       const registry = getRegistryFromPackageManagerSpec(spec);
       if (registry.type === `npm`) {
-        url = await npmRegistryUtils.fetchTarballUrl(registry.package, version);
+        ({tarball: url, signatures, integrity} = await npmRegistryUtils.fetchTarballURLAndSignature(registry.package, version));
       } else {
         url = url.replace(
           npmRegistryUtils.DEFAULT_NPM_REGISTRY_URL,
@@ -200,7 +204,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s
 
   stream.pipe(sendTo);
 
-  const algo = build[0] ?? `sha256`;
+  const algo = build[0] ?? `sha512`;
   const hash = stream.pipe(createHash(algo));
   await once(sendTo, `finish`);
 
@@ -234,7 +238,37 @@ export async function installVersion(installTarget: string, locator: Locator, {s
     }
   }
 
-  const actualHash = hash.digest(`hex`);
+  const actualHash: string = hash.digest(`hex`);
+  if (!build[1]) {
+    const registry = getRegistryFromPackageManagerSpec(spec);
+    if (registry.type === `npm` && !process.env.COREPACK_NPM_REGISTRY) {
+      if (signatures! == null || integrity! == null)
+        ({signatures, integrity} = (await npmRegistryUtils.fetchTarballURLAndSignature(registry.package, version)));
+      const {npm: keys} = defaultConfig.keys;
+      const key = keys.find(({keyid}) => signatures.some(s => s.keyid === keyid));
+      const signature = signatures.find(({keyid}) => keyid === key?.keyid);
+      switch (key?.keytype) {
+        case `ecdsa-sha2-nistp256`: {
+          const message = `${registry.package}@${version}:${integrity}`;
+          const verifier = createVerify(`SHA256`);
+          verifier.write(message);
+          verifier.end();
+          const valid = verifier.verify(
+            `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
+            signature!.sig,
+            `base64`,
+          );
+          if (!valid)
+            throw new Error(`Signature does not match`);
+          break;
+        }
+
+        default: throw new Error(`Unsupported signature key`, {cause: key});
+      }
+      // @ts-expect-error ignore readonly
+      build[1] = Buffer.from(integrity.slice(`sha512-`.length), `base64`).toString(`hex`);
+    }
+  }
   if (build[1] && actualHash !== build[1])
     throw new Error(`Mismatch hashes. Expected ${build[1]}, got ${actualHash}`);
 

sources/npmRegistryUtils.ts

@@ -49,15 +49,15 @@ export async function fetchAvailableVersions(packageName: string) {
   return Object.keys(metadata.versions);
 }
 
-export async function fetchTarballUrl(packageName: string, version: string) {
+export async function fetchTarballURLAndSignature(packageName: string, version: string) {
   const metadata = await fetchAsJson(packageName);
   const versionMetadata = metadata.versions?.[version];
   if (versionMetadata === undefined)
     throw new Error(`${packageName}@${version} does not exist.`);
 
-  const {tarball} = versionMetadata.dist;
+  const {tarball, signatures, integrity} = versionMetadata.dist;
   if (tarball === undefined || !tarball.startsWith(`http`))
     throw new Error(`${packageName}@${version} does not have a valid tarball.`);
 
-  return tarball;
+  return {tarball, signatures, integrity};
 }

sources/types.ts

@@ -96,6 +96,10 @@ export interface Config {
       };
     };
   };
+
+  keys: {
+    [registry: string]: Array<{"expires": null, "keyid": string, "keytype": string, "scheme": string, "key": string}>;
+  };
 }
 
 /**

tests/Up.test.ts

@@ -23,7 +23,7 @@ describe(`UpCommand`, () => {
       });
 
       await expect(xfs.readJsonPromise(ppath.join(cwd, `package.json`))).resolves.toMatchObject({
-        packageManager: `yarn@2.4.3+sha256.8c1575156cfa42112242cc5cfbbd1049da9448ffcdb5c55ce996883610ea983f`,
+        packageManager: `yarn@2.4.3+sha512.8dd9fedc5451829619e526c56f42609ad88ae4776d9d3f9456d578ac085115c0c2f0fb02bb7d57fd2e1b6e1ac96efba35e80a20a056668f61c96934f67694fd0`,
       });
 
       await expect(runCli(cwd, [`yarn`, `--version`])).resolves.toMatchObject({

tests/Use.test.ts

@@ -22,7 +22,7 @@ describe(`UseCommand`, () => {
       });
 
       await expect(xfs.readJsonPromise(ppath.join(cwd, `package.json`))).resolves.toMatchObject({
-        packageManager: `yarn@1.22.4+sha256.bc5316aa110b2f564a71a3d6e235be55b98714660870c5b6b2d2d3f12587fb58`,
+        packageManager: `yarn@1.22.4+sha512.a1833b862fe52169bd6c2a033045a07df5bc6a23595c259e675fed1b2d035ab37abe6ce309720abb6636d68f03615054b6292dc0a70da31c8697fda228b50d18`,
       });
 
       await expect(runCli(cwd, [`yarn`, `--version`])).resolves.toMatchObject({
@@ -40,7 +40,7 @@ describe(`UseCommand`, () => {
       });
 
       await expect(xfs.readJsonPromise(ppath.join(cwd, `package.json`))).resolves.toMatchObject({
-        packageManager: `yarn@1.22.4+sha256.bc5316aa110b2f564a71a3d6e235be55b98714660870c5b6b2d2d3f12587fb58`,
+        packageManager: `yarn@1.22.4+sha512.a1833b862fe52169bd6c2a033045a07df5bc6a23595c259e675fed1b2d035ab37abe6ce309720abb6636d68f03615054b6292dc0a70da31c8697fda228b50d18`,
       });
 
       await expect(runCli(cwd, [`yarn`, `--version`])).resolves.toMatchObject({

tests/config.test.ts

@@ -0,0 +1,14 @@
+import {jest, describe, it, expect} from '@jest/globals';
+
+import defaultConfig                from '../config.json';
+import {DEFAULT_NPM_REGISTRY_URL}   from '../sources/npmRegistryUtils';
+
+jest.mock(`../sources/httpUtils`);
+
+describe(`key store should be up-to-date`, () => {
+  it(`should contain up-to-date npm keys`, async () => {
+    const r = await globalThis.fetch(new URL(`/-/npm/v1/keys`, DEFAULT_NPM_REGISTRY_URL));
+    expect(r.ok).toBe(true);
+    expect(r.json()).resolves.toMatchObject({keys: defaultConfig.keys.npm});
+  });
+});