@sigstore/bundle
Advanced tools
Package description
The @sigstore/bundle npm package is designed for working with Sigstore, a project aimed at improving the security of the software supply chain by enabling the easy adoption of cryptographic software signing. With this package, developers can create, verify, and work with signatures and signed software bundles, enhancing the security and integrity of software distribution.
Creating a signature bundle
This feature allows developers to create a signature bundle for a given artifact (e.g., a software package or binary). The bundle includes the artifact's signature, the public key used for signing, and optionally, a certificate for the public key. This enhances the artifact's integrity and authenticity.
const { createBundle } = require('@sigstore/bundle');
async function signArtifact(artifactPath) {
const bundle = await createBundle({
artifactPath,
privateKeyPath: './path/to/private/key',
certificatePath: './path/to/certificate'
});
console.log('Bundle created:', bundle);
}Verifying a signature bundle
This functionality enables the verification of a signature bundle to ensure the integrity and authenticity of the signed artifact. It checks the artifact's signature against the provided public key and, if a certificate is included, validates the certificate as well.
const { verifyBundle } = require('@sigstore/bundle');
async function verifyArtifact(bundlePath) {
const verificationResult = await verifyBundle({
bundlePath,
publicKeyPath: './path/to/public/key'
});
console.log('Verification result:', verificationResult);
}OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. It provides a wide range of cryptographic operations, including signing and verifying data, which is similar to what @sigstore/bundle offers. However, OpenPGP.js is more general-purpose and not specifically tailored for software supply chain security.
jsrsasign is a comprehensive npm package for JavaScript cryptographic operations, supporting signature generation and verification among many other features. While it shares some functionality with @sigstore/bundle, jsrsasign does not focus on the creation and verification of signature bundles for software artifacts specifically.
Readme
A JavaScript library for working with the Sigstore bundle format.
npm install @sigstore/bundle
FAQs
Sigstore bundle type
We found that @sigstore/bundle demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Application Security
New SEC disclosure rules aim to enforce timely cyber incident reporting, but fear of job loss and inadequate resources lead to significant underreporting.
Security News
The Python Software Foundation has secured a 5-year sponsorship from Fastly that supports PSF's activities and events, most notably the security and reliability of the Python Package Index (PyPI).
Security News
LDAPjs, an LDAP Client and Server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns about this form of abuse as a potential attack vector.