@sigstore/bundle
Advanced tools
The @sigstore/bundle npm package is designed for working with Sigstore, a project aimed at improving the security of the software supply chain by enabling the easy adoption of cryptographic software signing. With this package, developers can create, verify, and work with signatures and signed software bundles, enhancing the security and integrity of software distribution.
Creating a signature bundle
This feature allows developers to create a signature bundle for a given artifact (e.g., a software package or binary). The bundle includes the artifact's signature, the public key used for signing, and optionally, a certificate for the public key. This enhances the artifact's integrity and authenticity.
const { createBundle } = require('@sigstore/bundle');
async function signArtifact(artifactPath) {
const bundle = await createBundle({
artifactPath,
privateKeyPath: './path/to/private/key',
certificatePath: './path/to/certificate'
});
console.log('Bundle created:', bundle);
}Verifying a signature bundle
This functionality enables the verification of a signature bundle to ensure the integrity and authenticity of the signed artifact. It checks the artifact's signature against the provided public key and, if a certificate is included, validates the certificate as well.
const { verifyBundle } = require('@sigstore/bundle');
async function verifyArtifact(bundlePath) {
const verificationResult = await verifyBundle({
bundlePath,
publicKeyPath: './path/to/public/key'
});
console.log('Verification result:', verificationResult);
}OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. It provides a wide range of cryptographic operations, including signing and verifying data, which is similar to what @sigstore/bundle offers. However, OpenPGP.js is more general-purpose and not specifically tailored for software supply chain security.
jsrsasign is a comprehensive npm package for JavaScript cryptographic operations, supporting signature generation and verification among many other features. While it shares some functionality with @sigstore/bundle, jsrsasign does not focus on the creation and verification of signature bundles for software artifacts specifically.
A JavaScript library for working with the Sigstore bundle format.
npm install @sigstore/bundle
FAQs
Sigstore bundle type
We found that @sigstore/bundle demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.