javascript - Is there a way to assure the integrity of published npm packages, using hashes/checksums? - Stack Overflow


I'll be publishing an npm package on behalf of my org, say A. I'd like to give the clients a way to validate that the package they're using is actually published by A. One way of achieving this is by calculating a checksum for our sources, and publishing it somewhere on A's website. Anyone who wants to validate can do so easily. Having worked in Maven projects earlier (where checksums are generated while publishing), I was expecting that the checksum will be automatically computed in npm. However, that is not the case. Is there some way of achieving this? What's the preferred way of verifying the integrity of a package in npm?

PS: I've looked at this thread https://github.com/npm/npm/issues/6886, which talks about something similar.

asked Aug 27, 2019 at 4:21 by lazyloader

1 Answer

Honestly - no. NPM is the distribution service, and you'd need to trust it to deliver an integrity check. If you trust it, and you have your https root certificates set up correctly (aka no mitm), then you can trust the files it delivers.

If your threat model is NPM is compromised, or your connection to NPM is, then you need to choose an out of band mechanism that removes NPM from the equation.

If your data's already on github, then there is already an integrity hash on the source. If someone is worried about this, they can pull the commit ID which is a sha hash of your source code from github. Even if github is compromised, it's difficult for someone to mess with the files and get an identical hash with new code. So pointing people at github and a sha is a solution. npm install --save username/repo#commit-id

And finally, your idea of the hash on your website works. Assume the user npm installs your package. Then provide the command to run to check the signature. But now you need to share how you calculated the hash in a way they can repeat. See here for how to actually compute the md5: https://unix.stackexchange.com/questions/35832/how-do-i-get-the-md5-sum-of-a-directorys-contents-as-one-sum
