Verifying the PGP signature of a package from the npm public registry

To ensure the integrity of a package version downloaded from the npm public registry, you can manually verify the package's PGP signature.

Note: Fully verifying a signature on Keybase is expensive, because Keybase re-checks the signer's proofs, which requires network activity. We therefore recommend verifying signatures only when absolutely necessary, for example when validating a deployment artifact or when first storing a package in your cache.

Prerequisites

  1. Install Keybase from https://keybase.io/download
  2. Create a Keybase account at https://keybase.io
  3. Follow "npmregistry" on Keybase.
  4. Download a local copy of the npm public registry's public PGP key.

Verifying npm signatures for the public registry

Note: The steps below use version 1.4.3 of the light-cycle package as an example.
  1. On the command line, fetch the signature for the package version you want and save it to a file:
      $ http GET https://registry.npmjs.org/light-cycle | json "versions['1.4.3'].dist.npm-signature" > sig-to-check 
  2. Fetch the integrity field for that version (the example below includes the response):
      $ http GET https://registry.npmjs.org/light-cycle | json "versions['1.4.3'].dist.integrity" 

    Example response:

      sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ== 
  3. Construct the string that ties the unique package name and version to the integrity string, and verify the signature against it (the example below includes the response):
      $ keybase pgp verify --signed-by npmregistry -d sig-to-check -m 'light-cycle@1.4.3:sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ==' 

    Example response:

      ▶ INFO Identifying npmregistry
      ✔ <tracked> public key fingerprint: 0963 1802 8A2B 58C8 4929 D8E1 3D4D 5B12 0276 566A
      You last followed npmregistry on 2018-04-10 21:21:57 PDT
      ✔ <tracked> admin of DNS zone npmjs.com: found TXT entry keybase-site-verification=iK3pjpRBkv-CIJ4PHtWL4TTcFXMpPiwPynatKl3oWO4
      ✔ <tracked> "npmjs" on twitter: https://twitter.com/npmjs/status/981288548845240320 [cached 2018-04-12 13:18:31 PDT; but got a retryable error (API network error: Get https://twitter.com/npmjs/status/981288548845240320: net/http: request canceled (Client.Timeout exceeded while awaiting headers) (code=170)) this time around]
      ✔ <tracked> admin of DNS zone npmjs.org: found TXT entry keybase-site-verification=Ls8jN55i6KesjiX91Ck79bUZ17eA-iohmw2jJFM16xc
      Signature verified. Signed by npmregistry 7 minutes ago (2018-04-13 15:00:37 -0700 PDT).
      PGP Fingerprint: 096318028a2b58c84929d8e13d4d5b120276566a.
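The three steps above can be scripted so that the signed message is built exactly as npm signs it (`<name>@<version>:<integrity>`) and unsigned or unknown versions are rejected before `keybase` is ever invoked. This is an added example, not code from the npm documentation; the packument below is constructed from the fields the steps read, and its signature value is a placeholder that will not verify.

```python
import json
import shlex

# Constructed registry document (packument) fragment with only the fields the
# steps above read. The npm-signature value is a placeholder, not a real signature.
SAMPLE_PACKUMENT = json.dumps({
    "name": "light-cycle",
    "versions": {
        "1.4.3": {"dist": {
            "integrity": "sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ==",
            "npm-signature": "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n",
        }},
        # Constructed: an older version published without a signature field.
        "1.4.2": {"dist": {"integrity": "sha512-AAAA(placeholder)"}},
    },
})


def signed_message(packument: str, version: str) -> tuple[str, str]:
    """Return (message, detached_signature) for one version of a package.

    The message is the string npm signs: '<name>@<version>:<integrity>'.
    Raises KeyError for an unknown version and ValueError when the version
    carries no npm-signature (nothing to verify) or a non-sha512 integrity.
    """
    doc = json.loads(packument)
    try:
        dist = doc["versions"][version]["dist"]
    except KeyError:
        raise KeyError(f"version {version} not found for {doc.get('name')}")
    signature = dist.get("npm-signature")
    if not signature:
        raise ValueError(f"{doc['name']}@{version} has no npm-signature; cannot verify")
    if not dist["integrity"].startswith("sha512-"):
        raise ValueError("integrity is not a sha512 SRI string")
    return f"{doc['name']}@{version}:{dist['integrity']}", signature


def keybase_verify_command(message: str, sig_path: str) -> list[str]:
    """Argument vector for step 3; passing argv avoids shell-quoting the message."""
    return ["keybase", "pgp", "verify", "--signed-by", "npmregistry",
            "-d", sig_path, "-m", message]


if __name__ == "__main__":
    msg, sig = signed_message(SAMPLE_PACKUMENT, "1.4.3")
    with open("sig-to-check", "w") as f:   # same file name as step 1
        f.write(sig)
    print(shlex.join(keybase_verify_command(msg, "sig-to-check")))
```

Run against a real packument (fetched with `http GET https://registry.npmjs.org/<name>`), the printed command is the one from step 3 with the message already assembled.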
