@sigstore/bundle
Advanced tools
The @sigstore/bundle npm package is designed for working with Sigstore, a project aimed at improving the security of the software supply chain by enabling the easy adoption of cryptographic software signing. With this package, developers can create, verify, and work with signatures and signed software bundles, enhancing the security and integrity of software distribution.
Creating a signature bundle
This feature allows developers to create a signature bundle for a given artifact (e.g., a software package or binary). The bundle includes the artifact's signature, the public key used for signing, and optionally, a certificate for the public key. This enhances the artifact's integrity and authenticity.
const { createBundle } = require('@sigstore/bundle');
async function signArtifact(artifactPath) {
const bundle = await createBundle({
artifactPath,
privateKeyPath: './path/to/private/key',
certificatePath: './path/to/certificate'
});
console.log('Bundle created:', bundle);
}Verifying a signature bundle
This functionality enables the verification of a signature bundle to ensure the integrity and authenticity of the signed artifact. It checks the artifact's signature against the provided public key and, if a certificate is included, validates the certificate as well.
const { verifyBundle } = require('@sigstore/bundle');
async function verifyArtifact(bundlePath) {
const verificationResult = await verifyBundle({
bundlePath,
publicKeyPath: './path/to/public/key'
});
console.log('Verification result:', verificationResult);
}OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. It provides a wide range of cryptographic operations, including signing and verifying data, which is similar to what @sigstore/bundle offers. However, OpenPGP.js is more general-purpose and not specifically tailored for software supply chain security.
jsrsasign is a comprehensive npm package for JavaScript cryptographic operations, supporting signature generation and verification among many other features. While it shares some functionality with @sigstore/bundle, jsrsasign does not focus on the creation and verification of signature bundles for software artifacts specifically.
A JavaScript library for working with the Sigstore bundle format.
npm install @sigstore/bundle
FAQs
Sigstore bundle type
The npm package @sigstore/bundle receives a total of 4,558,808 weekly downloads. As such, @sigstore/bundle popularity was classified as popular.
We found that @sigstore/bundle demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.