Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The sigstore npm package provides tools for signing, verifying, and managing software supply chain security. It is designed to help developers ensure the integrity and authenticity of their software artifacts.
Signing Artifacts
This feature allows you to sign software artifacts, ensuring their integrity and authenticity. The code sample demonstrates how to sign an artifact using the sigstore package.
const sigstore = require('sigstore');
async function signArtifact() {
const artifact = 'path/to/artifact';
const signature = await sigstore.sign(artifact);
console.log('Signature:', signature);
}
signArtifact();
Verifying Signatures
This feature allows you to verify the signatures of software artifacts. The code sample demonstrates how to verify an artifact's signature using the sigstore package.
const sigstore = require('sigstore');
async function verifySignature() {
const artifact = 'path/to/artifact';
const signature = 'signature-of-artifact';
const isValid = await sigstore.verify(artifact, signature);
console.log('Is valid:', isValid);
}
verifySignature();
Managing Keys
This feature allows you to generate and manage cryptographic keys. The code sample demonstrates how to generate a key pair using the sigstore package.
const sigstore = require('sigstore');
async function manageKeys() {
const keyPair = await sigstore.generateKeyPair();
console.log('Public Key:', keyPair.publicKey);
console.log('Private Key:', keyPair.privateKey);
}
manageKeys();
The openpgp package provides tools for OpenPGP encryption and signing. It offers similar functionalities to sigstore, such as signing and verifying artifacts, but it is based on the OpenPGP standard.
The node-jose package is a JavaScript Object Signing and Encryption (JOSE) library. It provides tools for signing, verifying, and encrypting data, similar to sigstore, but it focuses on the JOSE standards.
The jsonwebtoken package is used for signing and verifying JSON Web Tokens (JWT). While it is primarily focused on JWTs, it offers similar signing and verification functionalities as sigstore.
A JavaScript library for generating and verifying Sigstore signatures. One of the intended uses is to sign and verify npm packages but it can be used to sign and verify any file.
npm install sigstore
The following table documents which combinations of Sigstore bundle versions
and Rekor types can be verified by different versions of the sigstore
library. It also lists which sigstore
versions were shipped with different
npm
CLI versions.
sigstore | 1.0 | 1.1 | 1.2 | 1.3 | 1.4 | 1.5 | 1.6 | 1.7 | 1.8 | |
---|---|---|---|---|---|---|---|---|---|---|
npm | 9.5.0 | 9.6.2 | 9.6.3 | 9.6.5 | 9.6.6 | 9.6.7 | 9.7.2 | 9.8.0 | ||
Bundle Version | Rekor Type | |||||||||
0.1 | hashedrekord | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
intoto | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | |
dsse | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | |
0.2 | hashedrekord | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
intoto | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | |
dsse | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
const { attest, verify } = require('sigstore');
import { attest, verify } from 'sigstore';
Generates a Sigstore signature for the supplied payload. Returns a Sigstore bundle containing the signature and the verification material necessary to verify the signature.
payload
<Buffer>
: The bytes of the artifact to be signed.options
<Object>
fulcioURL
<string>
: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to 'https://fulcio.sigstore.dev'
.rekorURL
<string>
: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to 'https://rekor.sigstore.dev'
.tsaServerURL
<string>
: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.tlogUpload
<boolean>
: Flag indicating whether or not the signature should be recorded on the Rekor transparency log. Defaults to true
.identityToken
<string>
: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with identityProvider
.identityProvider
<IdentityProvider>
: Object which implements getToken: () => Promise<string>
. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with identityToken
.legacyCompatibility
<boolean>
: Flag indicating whether to enable legacy compatibility mode. When set to true
, the returned bundle will use the Sigstore v0.2 bundle format. When unset or false
, the returned bundle will be v0.3 or greater.Generates a Sigstore signature for the supplied in-toto statement. Returns a Sigstore bundle containing the DSSE-wrapped statement and signature as well as the verification material necessary to verify the signature.
payload
<Buffer>
: The bytes of the statement to be signed.payloadType
<string>
: MIME or content type describing the statement to be signed.options
<Object>
fulcioURL
<string>
: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to 'https://fulcio.sigstore.dev'
.rekorURL
<string>
: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to 'https://rekor.sigstore.dev'
.tsaServerURL
<string>
: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.tlogUpload
<boolean>
: Flag indicating whether or not the signed statement should be recorded on the Rekor transparency log. Defaults to true
.identityToken
<string>
: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with identityProvider
.identityProvider
<IdentityProvider>
: Object which implements getToken: () => Promise<string>
. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with identityToken
.legacyCompatibility
<boolean>
: Flag indicating whether to enable legacy compatibility mode. When set to true
, any record written to the Rekor transparency log will use the "intoto" record type and the returned bundle will use the Sigstore v0.2 bundle format. When unset or false
, the "dsse" Rekor type will be used and the returned bundle will be v0.3 or greater.Verifies the signature in the supplied bundle.
bundle
<Bundle>
: The Sigstore bundle containing the signature to be verified and the verification material necessary to verify the signature.payload
<Buffer>
: The bytes of the artifact over which the signature was created. Only necessary when the sign
function was used to generate the signature since the Bundle does not contain any information about the artifact which was signed. Not required when the attest
function was used to generate the Bundle.options
<Object>
ctLogThreshold
<number>
: The number of certificate transparency logs on which the signing certificate must appear. Defaults to 1
.tlogThreshold
<number>
: The number of transparency logs on which the signature must appear. Defaults to 1
.certificateIssuer
<string>
: Value that must appear in the signing certificate's issuer extension (OID 1.3.6.1.4.1.57264.1.1). Not verified if no value is supplied.certificateIdentityEmail
<string>
: Email address which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the certificateIssuer
option. Takes precedence over the certificateIdentityURI
option. Not verified if no value is supplied.certificateIdentityURI
<string>
: URI which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the certificateIssuer
option. Ignored if the certificateIdentityEmail
option is set. Not verified if no value is supplied.certificateOIDs
<Object>
: A collection of OID/value pairs which must be present in the certificate's extension list. Not verified if no value is supplied.keySelector
<Function>
: Callback invoked to retrieve the public key (as either string
or Buffer
) necessary to verify the bundle signature. Not used when the signature was generated from a Fulcio-issued signing certificate.
hint
<String>
: The hint from the bundle used to identify the the signing key.If sigstore-js detects that it is being executed on GitHub Actions, it will use ACTIONS_ID_TOKEN_REQUEST_URL
and ACTIONS_ID_TOKEN_REQUEST_TOKEN
environment variables to request an OIDC token with the correct scope.
Note: the id_token: write
permission must be granted to the GitHub Action Job.
See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for more details.
If the SIGSTORE_ID_TOKEN
environment variable is set, it will use this to authenticate to Fulcio.
It is the callers responsibility to make sure that this token has the correct scopes.
FAQs
code-signing for npm packages
We found that sigstore demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.