Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@sigstore/sign
Advanced tools
@sigstore/sign is an npm package that provides functionalities for signing and verifying software artifacts using Sigstore, a project that aims to improve the security of the software supply chain by enabling the signing of software artifacts in a transparent and verifiable manner.
Signing Artifacts
This feature allows you to sign software artifacts. The code sample demonstrates how to sign an artifact using the `sign` function from the @sigstore/sign package.
const { sign } = require('@sigstore/sign');
async function signArtifact() {
const artifact = 'path/to/artifact';
const signature = await sign(artifact);
console.log('Signature:', signature);
}
signArtifact();
Verifying Signatures
This feature allows you to verify the signatures of software artifacts. The code sample demonstrates how to verify a signature using the `verify` function from the @sigstore/sign package.
const { verify } = require('@sigstore/sign');
async function verifySignature() {
const artifact = 'path/to/artifact';
const signature = 'signature-string';
const isValid = await verify(artifact, signature);
console.log('Is valid:', isValid);
}
verifySignature();
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. It provides functionalities for signing, encrypting, decrypting, and verifying messages and files. Compared to @sigstore/sign, OpenPGP.js offers a broader range of cryptographic operations but does not specifically focus on the software supply chain.
Node-forge is a JavaScript library that provides a wide range of cryptographic functionalities, including signing and verifying data. It is a general-purpose cryptographic library and does not specifically target the software supply chain like @sigstore/sign.
Jsonwebtoken is a library for signing and verifying JSON Web Tokens (JWT). While it focuses on JWTs rather than general software artifacts, it provides similar signing and verification functionalities. It is more specialized in handling tokens for authentication and authorization purposes.
A library for generating Sigstore signatures.
npm install @sigstore/sign
This library provides the building blocks for composing custom Sigstore signing workflows.
The top-level component is the BundleBuilder
which has responsibility for
taking some artifact and returning a Sigstore bundle containing the
signature for that artifact and the various materials necessary to verify that
signature.
interface BundleBuilder {
create: (artifact: Artifact) => Promise<Bundle>;
}
The artifact to be signed is simply an array of bytes and an optional mimetype. The type is necessary when the signature is packaged as a DSSE envelope.
type Artifact = {
data: Buffer;
type?: string;
};
There are two BundleBuilder
implementations provided as part of this package:
DSSEBundleBuilder
- Combines the verification material and
artifact signature into a dsse_envelope
-style Sigstore bundleMessageBundleBuilder
- Combines the verification
material and artifact signature into a message_signature
-style Sigstore
bundle.Every BundleBuilder
must be instantiated with a Signer
implementation. The
Signer
is responsible for taking a Buffer
and returning an Signature
.
interface Signer {
sign: (data: Buffer) => Promise<Signature>;
}
The returned Signature
contains a signature and the public key which can be
used to verify that signature -- the key may either take the form of a x509
certificate or public key.
type Signature = {
signature: Buffer;
key: KeyMaterial;
};
type KeyMaterial =
| {
$case: 'x509Certificate';
certificate: string;
}
| {
$case: 'publicKey';
publicKey: string;
hint?: string;
};
This package provides the FulcioSigner
which implements the Signer
interface and signs the artifact with an
ephemeral keypair. It will also retrieve an OIDC token from the configured
IdentityProvider
and then request a signing certificate from Fulcio which binds
the ephemeral key to the identity embedded in the token. This signing
certificate is returned as part of the Signature
.
The BundleBuilder
may also be configured with zero-or-more Witness
instances. Each Witness
receives the artifact signature and the public key
and returns an VerificationMaterial
which represents some sort of
counter-signature for the artifact's signature.
interface Witness {
testify: (
signature: SignatureBundle,
publicKey: string
) => Promise<VerificationMaterial>;
}
The returned VerificationMaterial
may contain either Rekor transparency log
entries or RFC3161 timestamps.
type VerificationMaterial = {
tlogEntries?: TransparencyLogEntry[];
rfc3161Timestamps?: RFC3161SignedTimestamp[];
};
The entries in the returned VerificationMaterial
are automatically added to
the Sigstore Bundle
by the BundleBuilder
.
The package provides two different Witness
implementations:
RekorWitness
- Adds an entry to the Rekor
transparency log and returns a TransparencyLogEntry
to be included in the
Bundle
TSAWitness
- Requests an RFC3161 timestamp
over the artifact signature and returns an RFC3161SignedTimestamp
to be
included in the Bundle
const {
CIContextProvider,
DSSEBundleBuilder,
FulcioSigner,
RekorWitness,
TSAWitness,
} = require('@sigstore/sign');
// Set-up the signer
const signer = new FulcioSigner({
fulcioBaseURL: 'https://fulcio.sigstore.dev',
identityProvider: new CIContextProvider('sigstore'),
});
// Set-up the witnesses
const rekorWitness = new RekorWitness({
rekorBaseURL: 'https://rekor.sigstore.dev',
});
const tsaWitness = new TSAWitness({
tsaBaseURL: 'https://tsa.github.com',
});
// Instantiate a bundle builder
const bundler = new DSSEBundleBuilder({
signer,
witnesses: [rekorWitness, tsaWitness],
});
// Sign a thing
const artifact = {
type: 'text/plain',
data: Buffer.from('something to be signed'),
};
const bundle = await bundler.create(artifact);
FAQs
Sigstore signing library
The npm package @sigstore/sign receives a total of 4,828,825 weekly downloads. As such, @sigstore/sign popularity was classified as popular.
We found that @sigstore/sign demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.