npm package discovery and stats viewer.

© 2024 – Pkg Stats / Ryan Hefner

sigstore
v3.0.0
Published
code-signing for npm packages
Downloads: 20,679,327

Readme

sigstore

A JavaScript library for generating and verifying Sigstore signatures. One of the intended uses is to sign and verify npm packages but it can be used to sign and verify any file.

Features

  • Support for signing using an OpenID Connect identity
  • Support for publishing signatures to a Rekor instance
  • Support for verifying Sigstore bundles

Prerequisites

  • Node.js version >= 18.17.0

Installation

npm install sigstore

Compatibility

The following table documents which combinations of Sigstore bundle versions and Rekor types can be verified by different versions of the sigstore library. It also lists which sigstore versions were shipped with different npm CLI versions.

Usage

const { sign, attest, verify } = require('sigstore');
import { sign, attest, verify } from 'sigstore';

sign(payload[, options])

Generates a Sigstore signature for the supplied payload. Returns a Sigstore bundle containing the signature and the verification material necessary to verify the signature.

  • payload <Buffer>: The bytes of the artifact to be signed.
  • options <Object>
    • fulcioURL <string>: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to 'https://fulcio.sigstore.dev'.
    • rekorURL <string>: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to 'https://rekor.sigstore.dev'.
    • tsaServerURL <string>: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.
    • tlogUpload <boolean>: Flag indicating whether or not the signature should be recorded on the Rekor transparency log. Defaults to true.
    • identityToken <string>: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with identityProvider.
    • identityProvider <IdentityProvider>: Object which implements getToken: () => Promise<string>. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with identityToken.
    • legacyCompatibility <boolean>: Flag indicating whether to enable legacy compatibility mode. When set to true, the returned bundle will use the Sigstore v0.2 bundle format. When unset or false, the returned bundle will be v0.3 or greater.

attest(payload, payloadType[, options])

Generates a Sigstore signature for the supplied in-toto statement. Returns a Sigstore bundle containing the DSSE-wrapped statement and signature as well as the verification material necessary to verify the signature.

  • payload <Buffer>: The bytes of the statement to be signed.
  • payloadType <string>: MIME or content type describing the statement to be signed.
  • options <Object>
    • fulcioURL <string>: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to 'https://fulcio.sigstore.dev'.
    • rekorURL <string>: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to 'https://rekor.sigstore.dev'.
    • tsaServerURL <string>: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.
    • tlogUpload <boolean>: Flag indicating whether or not the signed statement should be recorded on the Rekor transparency log. Defaults to true.
    • identityToken <string>: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with identityProvider.
    • identityProvider <IdentityProvider>: Object which implements getToken: () => Promise<string>. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with identityToken.
    • legacyCompatibility <boolean>: Flag indicating whether to enable legacy compatibility mode. When set to true, any record written to the Rekor transparency log will use the "intoto" record type and the returned bundle will use the Sigstore v0.2 bundle format. When unset or false, the "dsse" Rekor type will be used and the returned bundle will be v0.3 or greater.

verify(bundle[, payload][, options])

Verifies the signature in the supplied bundle.

  • bundle <Bundle>: The Sigstore bundle containing the signature to be verified and the verification material necessary to verify the signature.
  • payload <Buffer>: The bytes of the artifact over which the signature was created. Only necessary when the sign function was used to generate the signature since the Bundle does not contain any information about the artifact which was signed. Not required when the attest function was used to generate the Bundle.
  • options <Object>
    • ctLogThreshold <number>: The number of certificate transparency logs on which the signing certificate must appear. Defaults to 1.
    • tlogThreshold <number>: The number of transparency logs on which the signature must appear. Defaults to 1.
    • certificateIssuer <string>: Value that must appear in the signing certificate's issuer extension (OID 1.3.6.1.4.1.57264.1.1). Not verified if no value is supplied.
    • certificateIdentityEmail <string>: Email address which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the certificateIssuer option. Takes precedence over the certificateIdentityURI option. Not verified if no value is supplied.
    • certificateIdentityURI <string>: URI which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the certificateIssuer option. Ignored if the certificateIdentityEmail option is set. Not verified if no value is supplied.
    • certificateOIDs <Object>: A collection of OID/value pairs which must be present in the certificate's extension list. Not verified if no value is supplied.
    • keySelector <Function>: Callback invoked to retrieve the public key (as either string or Buffer) necessary to verify the bundle signature. Not used when the signature was generated from a Fulcio-issued signing certificate.
      • hint <String>: The hint from the bundle used to identify the signing key.
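The certificate-identity options above have precedence and co-dependency rules that are easy to get wrong in a verification policy. The following is an added example (not the sigstore library's own code) that models those rules over a constructed view of a Fulcio-issued signing certificate, so the behaviour of each option is explicit. The `cert` field names (`sanEmails`, `sanUris`, `extensions`), the sample values, and the decision to throw when an email/URI pin is given without `certificateIssuer` are this example's own choices; the OID for the issuer extension is the one documented above.

```javascript
// Added example, not from the sigstore project: applies the verify() option
// semantics (certificateIssuer, certificateIdentityEmail, certificateIdentityURI,
// certificateOIDs) to a constructed certificate model.
const SIGSTORE_ISSUER_OID = '1.3.6.1.4.1.57264.1.1';

// Constructed model of the identity data in a signing certificate. With the real
// library this information is parsed from the certificate inside the bundle.
const SAMPLE_CERT = {
  sanEmails: ['release@example.invalid'],
  sanUris: ['https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main'],
  extensions: {
    [SIGSTORE_ISSUER_OID]: 'https://token.actions.githubusercontent.com',
    '1.3.6.1.4.1.57264.1.8': 'https://token.actions.githubusercontent.com',
  },
};

// Returns { ok: true } or { ok: false, reason }. Options left undefined are
// not verified, mirroring "Not verified if no value is supplied".
function checkCertificatePolicy(cert, options = {}) {
  const { certificateIssuer, certificateIdentityEmail, certificateIdentityURI, certificateOIDs } = options;

  // An email or URI pin without an issuer pin would accept the same identity
  // string from any OIDC provider, so treat that combination as a config error.
  if ((certificateIdentityEmail !== undefined || certificateIdentityURI !== undefined) && certificateIssuer === undefined) {
    throw new Error('certificateIdentityEmail/certificateIdentityURI must be used with certificateIssuer');
  }

  if (certificateIssuer !== undefined) {
    const issuer = cert.extensions[SIGSTORE_ISSUER_OID];
    if (issuer !== certificateIssuer) {
      return { ok: false, reason: `issuer ${issuer} does not match ${certificateIssuer}` };
    }
  }

  // Email takes precedence: when it is set the URI option is ignored entirely.
  if (certificateIdentityEmail !== undefined) {
    if (!(cert.sanEmails || []).includes(certificateIdentityEmail)) {
      return { ok: false, reason: `SAN email ${certificateIdentityEmail} not present` };
    }
  } else if (certificateIdentityURI !== undefined) {
    if (!(cert.sanUris || []).includes(certificateIdentityURI)) {
      return { ok: false, reason: `SAN URI ${certificateIdentityURI} not present` };
    }
  }

  // Every requested OID must be present with exactly the requested value.
  for (const [oid, value] of Object.entries(certificateOIDs || {})) {
    if (cert.extensions[oid] !== value) {
      return { ok: false, reason: `extension ${oid} missing or has an unexpected value` };
    }
  }
  return { ok: true };
}
```

The practical lesson is that a policy consisting only of `certificateIdentityURI` is weaker than it looks: pinning the workflow URI without pinning the issuer would be accepted for a certificate issued on the strength of any OIDC provider that presents the same subject string, which is why the README requires the two options together.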

Credential Sources

GitHub Actions

If sigstore-js detects that it is being executed on GitHub Actions, it will use the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables to request an OIDC token with the correct scope.

Note: the id-token: write permission must be granted to the GitHub Actions job.

See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for more details.

Environment Variables

If the SIGSTORE_ID_TOKEN environment variable is set, the library will use that token to authenticate to Fulcio. It is the caller's responsibility to make sure that the token has the correct scopes.