MCPcopy Index your code
hub / github.com/nodejs/corepack / verifySignature

Function verifySignature

sources/npmRegistryUtils.ts:35–68  ·  view source on GitHub ↗
({signatures, integrity, packageName, version}: {
  signatures: Array<{keyid: string, sig: string}>;
  integrity: string;
  packageName: string;
  version: string;
})

Source from the content-addressed store, hash-verified

33}
34
35export function verifySignature({signatures, integrity, packageName, version}: {
36 signatures: Array<{keyid: string, sig: string}>;
37 integrity: string;
38 packageName: string;
39 version: string;
40}) {
41 if (!Array.isArray(signatures) || !signatures.length) throw new Error(`No compatible signature found in package metadata`);
42
43 const {npm: trustedKeys} = process.env.COREPACK_INTEGRITY_KEYS ?
44 JSON.parse(process.env.COREPACK_INTEGRITY_KEYS) as typeof defaultConfig.keys :
45 defaultConfig.keys;
46
47 let signature: typeof signatures[0] | undefined;
48 let key!: string;
49 for (const k of trustedKeys) {
50 signature = signatures.find(({keyid}) => keyid === k.keyid);
51 if (signature != null) {
52 key = k.key;
53 break;
54 }
55 }
56 if (signature?.sig == null) throw new UsageError(`The package was not signed by any trusted keys: ${JSON.stringify({signatures, trustedKeys}, undefined, 2)}`);
57
58 const verifier = createVerify(`SHA256`);
59 verifier.end(`${packageName}@${version}:${integrity}`);
60 const valid = verifier.verify(
61 `-----BEGIN PUBLIC KEY-----\n${key}\n-----END PUBLIC KEY-----`,
62 signature.sig,
63 `base64`,
64 );
65 if (!valid) {
66 throw new Error(`Signature does not match`);
67 }
68}
69
70export async function fetchLatestStableVersion(packageName: string) {
71 const metadata = await fetchAsJson(packageName, `latest`);

Callers 1

fetchLatestStableVersionFunction · 0.85

Calls

no outgoing calls

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…