({signatures, integrity, packageName, version}: {
signatures: Array<{keyid: string, sig: string}>;
integrity: string;
packageName: string;
version: string;
})
| 33 | } |
| 34 | |
| 35 | export function verifySignature({signatures, integrity, packageName, version}: { |
| 36 | signatures: Array<{keyid: string, sig: string}>; |
| 37 | integrity: string; |
| 38 | packageName: string; |
| 39 | version: string; |
| 40 | }) { |
| 41 | if (!Array.isArray(signatures) || !signatures.length) throw new Error(`No compatible signature found in package metadata`); |
| 42 | |
| 43 | const {npm: trustedKeys} = process.env.COREPACK_INTEGRITY_KEYS ? |
| 44 | JSON.parse(process.env.COREPACK_INTEGRITY_KEYS) as typeof defaultConfig.keys : |
| 45 | defaultConfig.keys; |
| 46 | |
| 47 | let signature: typeof signatures[0] | undefined; |
| 48 | let key!: string; |
| 49 | for (const k of trustedKeys) { |
| 50 | signature = signatures.find(({keyid}) => keyid === k.keyid); |
| 51 | if (signature != null) { |
| 52 | key = k.key; |
| 53 | break; |
| 54 | } |
| 55 | } |
| 56 | if (signature?.sig == null) throw new UsageError(`The package was not signed by any trusted keys: ${JSON.stringify({signatures, trustedKeys}, undefined, 2)}`); |
| 57 | |
| 58 | const verifier = createVerify(`SHA256`); |
| 59 | verifier.end(`${packageName}@${version}:${integrity}`); |
| 60 | const valid = verifier.verify( |
| 61 | `-----BEGIN PUBLIC KEY-----\n${key}\n-----END PUBLIC KEY-----`, |
| 62 | signature.sig, |
| 63 | `base64`, |
| 64 | ); |
| 65 | if (!valid) { |
| 66 | throw new Error(`Signature does not match`); |
| 67 | } |
| 68 | } |
| 69 | |
| 70 | export async function fetchLatestStableVersion(packageName: string) { |
| 71 | const metadata = await fetchAsJson(packageName, `latest`); |
no outgoing calls
no test coverage detected
searching dependent graphs…