Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

@sigstore/bundle

Package Overview
Dependencies
Maintainers
2
Versions
10
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@sigstore/bundle

Sigstore bundle type

  • 3.0.0
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
4.7M
decreased by-7.57%
Maintainers
2
Weekly downloads
 
Created

What is @sigstore/bundle?

The @sigstore/bundle npm package is designed for working with Sigstore, a project aimed at improving the security of the software supply chain by enabling the easy adoption of cryptographic software signing. With this package, developers can create, verify, and work with signatures and signed software bundles, enhancing the security and integrity of software distribution.

What are @sigstore/bundle's main functionalities?

Creating a signature bundle

This feature allows developers to create a signature bundle for a given artifact (e.g., a software package or binary). The bundle includes the artifact's signature, the public key used for signing, and optionally, a certificate for the public key. This enhances the artifact's integrity and authenticity.

const { createBundle } = require('@sigstore/bundle');

async function signArtifact(artifactPath) {
  const bundle = await createBundle({
    artifactPath,
    privateKeyPath: './path/to/private/key',
    certificatePath: './path/to/certificate'
  });
  console.log('Bundle created:', bundle);
}

Verifying a signature bundle

This functionality enables the verification of a signature bundle to ensure the integrity and authenticity of the signed artifact. It checks the artifact's signature against the provided public key and, if a certificate is included, validates the certificate as well.

const { verifyBundle } = require('@sigstore/bundle');

async function verifyArtifact(bundlePath) {
  const verificationResult = await verifyBundle({
    bundlePath,
    publicKeyPath: './path/to/public/key'
  });
  console.log('Verification result:', verificationResult);
}

Other packages similar to @sigstore/bundle

FAQs

Package last updated on 14 Oct 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc