@sigstore/sign
Advanced tools
@sigstore/sign is an npm package that provides functionalities for signing and verifying software artifacts using Sigstore, a project that aims to improve the security of the software supply chain by enabling the signing of software artifacts in a transparent and verifiable manner.
Signing Artifacts
This feature allows you to sign software artifacts. The code sample demonstrates how to sign an artifact using the `sign` function from the @sigstore/sign package.
const { sign } = require('@sigstore/sign');
async function signArtifact() {
const artifact = 'path/to/artifact';
const signature = await sign(artifact);
console.log('Signature:', signature);
}
signArtifact();Verifying Signatures
This feature allows you to verify the signatures of software artifacts. The code sample demonstrates how to verify a signature using the `verify` function from the @sigstore/sign package.
const { verify } = require('@sigstore/sign');
async function verifySignature() {
const artifact = 'path/to/artifact';
const signature = 'signature-string';
const isValid = await verify(artifact, signature);
console.log('Is valid:', isValid);
}
verifySignature();OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. It provides functionalities for signing, encrypting, decrypting, and verifying messages and files. Compared to @sigstore/sign, OpenPGP.js offers a broader range of cryptographic operations but does not specifically focus on the software supply chain.
Node-forge is a JavaScript library that provides a wide range of cryptographic functionalities, including signing and verifying data. It is a general-purpose cryptographic library and does not specifically target the software supply chain like @sigstore/sign.
Jsonwebtoken is a library for signing and verifying JSON Web Tokens (JWT). While it focuses on JWTs rather than general software artifacts, it provides similar signing and verification functionalities. It is more specialized in handling tokens for authentication and authorization purposes.
A library for generating Sigstore signatures.
npm install @sigstore/sign
This library provides the building blocks for composing custom Sigstore signing workflows.
The top-level component is the BundleBuilder which has responsibility for
taking some artifact and returning a Sigstore bundle containing the
signature for that artifact and the various materials necessary to verify that
signature.
interface BundleBuilder {
create: (artifact: Artifact) => Promise<Bundle>;
}
The artifact to be signed is simply an array of bytes and an optional mimetype. The type is necessary when the signature is packaged as a DSSE envelope.
type Artifact = {
data: Buffer;
type?: string;
};
There are two BundleBuilder implementations provided as part of this package:
DSSEBundleBuilder - Combines the verification material and
artifact signature into a dsse_envelope -style Sigstore bundleMessageBundleBuilder - Combines the verification
material and artifact signature into a message_signature-style Sigstore
bundle.Every BundleBuilder must be instantiated with a Signer implementation. The
Signer is responsible for taking a Buffer and returning an Signature.
interface Signer {
sign: (data: Buffer) => Promise<Signature>;
}
The returned Signature contains a signature and the public key which can be
used to verify that signature -- the key may either take the form of a x509
certificate or public key.
type Signature = {
signature: Buffer;
key: KeyMaterial;
};
type KeyMaterial =
| {
$case: 'x509Certificate';
certificate: string;
}
| {
$case: 'publicKey';
publicKey: string;
hint?: string;
};
This package provides the FulcioSigner
which implements the Signer interface and signs the artifact with an
ephemeral keypair. It will also retrieve an OIDC token from the configured
IdentityProvider and then request a signing certificate from Fulcio which binds
the ephemeral key to the identity embedded in the token. This signing
certificate is returned as part of the Signature.
The BundleBuilder may also be configured with zero-or-more Witness
instances. Each Witness receives the artifact signature and the public key
and returns an VerificationMaterial which represents some sort of
counter-signature for the artifact's signature.
interface Witness {
testify: (
signature: SignatureBundle,
publicKey: string
) => Promise<VerificationMaterial>;
}
The returned VerificationMaterial may contain either Rekor transparency log
entries or RFC3161 timestamps.
type VerificationMaterial = {
tlogEntries?: TransparencyLogEntry[];
rfc3161Timestamps?: RFC3161SignedTimestamp[];
};
The entries in the returned VerificationMaterial are automatically added to
the Sigstore Bundle by the BundleBuilder.
The package provides two different Witness implementations:
RekorWitness - Adds an entry to the Rekor
transparency log and returns a TransparencyLogEntry to be included in the
BundleTSAWitness - Requests an RFC3161 timestamp
over the artifact signature and returns an RFC3161SignedTimestamp to be
included in the Bundleconst {
CIContextProvider,
DSSEBundleBuilder,
FulcioSigner,
RekorWitness,
TSAWitness,
} = require('@sigstore/sign');
// Set-up the signer
const signer = new FulcioSigner({
fulcioBaseURL: 'https://fulcio.sigstore.dev',
identityProvider: new CIContextProvider('sigstore'),
});
// Set-up the witnesses
const rekorWitness = new RekorWitness({
rekorBaseURL: 'https://rekor.sigstore.dev',
});
const tsaWitness = new TSAWitness({
tsaBaseURL: 'https://tsa.github.com',
});
// Instantiate a bundle builder
const bundler = new DSSEBundleBuilder({
signer,
witnesses: [rekorWitness, tsaWitness],
});
// Sign a thing
const artifact = {
type: 'text/plain',
data: Buffer.from('something to be signed'),
};
const bundle = await bundler.create(artifact);
FAQs
Sigstore signing library
The npm package @sigstore/sign receives a total of 3,632,136 weekly downloads. As such, @sigstore/sign popularity was classified as popular.
We found that @sigstore/sign demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.