@sigstore/bundle
Advanced tools
The @sigstore/bundle npm package is designed for working with Sigstore, a project aimed at improving the security of the software supply chain by enabling the easy adoption of cryptographic software signing. With this package, developers can create, verify, and work with signatures and signed software bundles, enhancing the security and integrity of software distribution.
Creating a signature bundle
This feature allows developers to create a signature bundle for a given artifact (e.g., a software package or binary). The bundle includes the artifact's signature, the public key used for signing, and optionally, a certificate for the public key. This enhances the artifact's integrity and authenticity.
const { createBundle } = require('@sigstore/bundle');
async function signArtifact(artifactPath) {
const bundle = await createBundle({
artifactPath,
privateKeyPath: './path/to/private/key',
certificatePath: './path/to/certificate'
});
console.log('Bundle created:', bundle);
}Verifying a signature bundle
This functionality enables the verification of a signature bundle to ensure the integrity and authenticity of the signed artifact. It checks the artifact's signature against the provided public key and, if a certificate is included, validates the certificate as well.
const { verifyBundle } = require('@sigstore/bundle');
async function verifyArtifact(bundlePath) {
const verificationResult = await verifyBundle({
bundlePath,
publicKeyPath: './path/to/public/key'
});
console.log('Verification result:', verificationResult);
}OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. It provides a wide range of cryptographic operations, including signing and verifying data, which is similar to what @sigstore/bundle offers. However, OpenPGP.js is more general-purpose and not specifically tailored for software supply chain security.
jsrsasign is a comprehensive npm package for JavaScript cryptographic operations, supporting signature generation and verification among many other features. While it shares some functionality with @sigstore/bundle, jsrsasign does not focus on the creation and verification of signature bundles for software artifacts specifically.
A JavaScript library for working with the Sigstore bundle format.
npm install @sigstore/bundle
FAQs
Sigstore bundle type
The npm package @sigstore/bundle receives a total of 0 weekly downloads. As such, @sigstore/bundle popularity was classified as not popular.
We found that @sigstore/bundle demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
require(esm) backported to Node.js 20, easing the transition to ESM-only packages and reducing complexity for developers as Node 18 nears end-of-life.
Security News
PyPI now supports iOS and Android wheels, making it easier for Python developers to distribute mobile packages.
Security News
Create React App is officially deprecated due to React 19 issues and lack of maintenance—developers should switch to Vite or other modern alternatives.