-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rfc: Signed Packuments #76
base: main
Are you sure you want to change the base?
Conversation
We can just look for the header if the registry supports it, otherwise gracefully fall back to a separate request for the file based signature
I deeply appreciate this approach. I also think that it’s worth noting that this doesn’t prevent ecosystem tooling to enhance this feature from being built, but rather provides a solid and shared foundation for such tooling to be built, providing a cohesive experience to end-users no matter what innovations the ecosystem makes on top of it. |
|
||
Notary is a project that allows anyone to have trust over arbitrary collections of data. This would allow us to validate the data uploaded to the npm registry against the _author's_ public keys. However, I believe, today packuments are generated by the registry meaning all packuments are generated by the same author. | ||
|
||
Notary may be an effective tool moving forward for validating that packages originated from a trusted/authorized author, irrespective of what registry a package was initially uploaded to, but that isn't the problem we are trying to solve here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To make sure this isn't forgotten, from the RFC meeting:
The major downside of this third party approach is that the install has already happened, compromising your machine. In this light it really needs to be a part of the install happening before the postinstall scripts.
Sorry for missing today's RFC Summary from today's meeting relevant to this PR:
Agree w/ this, could we get a bit more focused definition of our angst? Is it the amount of time it would take to validate the payload against the signature? I'd be happy to put together a benchmark.
Also agree here. I'd be happy for this to just land in the CLI without official registry support. But understand that the registry probably wants to support all the cli features 😉
In the sense that it means something you expected to be true about the payload was not true, yup!
There is only one request for the common case. The second download is only needed if the server doesn't respond with the header. This is here to provide backwards compatibility w/ projects like
Not super opinionated about what is signed as long as the signature is retroactively applied to 100% of the current registry's contents. The threat model we are trying to address is allowing the mirroring of existing packages in the global namespace without needing to have full trust in that mirror. An example case would be a community maintained mirror for a conference. Developers on conference wifi can set their registry to We have this same problem for a mirroring project I've been hacking away on. We solved for mirror discovery but we don't have a way to solve for trust without requiring a userland component. So now we have a way for users to discover 3rd party mirrors but there is no way to trust that those mirrors aren't tampering with data. Today this prevents us from mirroring packuments. All requests for packuments are proxied and fulfilled by npm instead of mirrors. To return to the question above, this doesn't necessarily need to be implemented by the official registry. We have use cases in userland that could start using this today 😄 |
My suggestion in the RFC meeting was two-fold:
|
Hey @isaacs ❤️ thank you for engaging!
Are we talking about If so, a couple of questions:
This does make sense to me!
Do these features have to be coupled? Solving for end-user key management seems like a much larger scoped problem than fetching registry keys declared in an |
Yes.
Without some clear way to solve how we're going to fetch and use publisher keys, in a way that's simple and performant enough to turn on by default, and create signatures in a way that's easy enough to be opt-out rather than opt-in, there's not much value in pursuing user/publisher signing. Let's solve this one easy case first, and then move on from there. |
Ah that is awesome! I fundamentally misunderstood what those signatures were. This seems reasonable. If you can trust the tarball hasn't been tampered with, modifying a packument gives you much less wiggle room for doing nefarious stuff. I'm 👍 on starting with tarball signatures! Thank you for your patience and talking me through this! |
Sure thing, @retrohacker, happy to help. It's kinda my job, after all :) So, the steps here (which maybe should be a new RFC to replace this one?) would be:
|
Also: if we're going to make the npm cli start slamming keybase.io, we probably ought to sync up with them to make sure we don't take them down. We could also look into some other approach, like using https://api.github.com/users/isaacs/gpg_keys along with https://keybase.io/isaacs/pgp_keys.asc. If we have multiple possible places to decide where to get keys from, then there has to be some discovery mechanism, and then that opens the door for the attack vector "pwned my account, and then changed the pubkey pointer to some other place", so we'll have to think through that aspect carefully as well. |
Content in diff