fix: retrieve registry keys via TUF #6418
Conversation
Does this mean that (to be clear, adding an additional network request location to npm feels like a breaking change to me; lots of places that run npm will lock down network traffic to known servers)
no statistically significant performance changes detected timing results
@@ -1486,6 +1539,50 @@ t.test('audit signatures', async t => { | |||
t.matchSnapshot(joinedOutput()) | |||
}) | |||
|
|||
t.test('third-party registry with sub-path', async t => { |
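Review bot: the new 'third-party registry with sub-path' test should be paired with a trailing-slash variant of the same registry URL (e.g. https://verdaccio-clone.org/npm/), because a path with and without the trailing slash must resolve to the same delegated target and the same fallback keys endpoint; a test that only covers the bare sub-path leaves that normalization unchecked.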
Very nice 👍 would we need to handle a trailing slash on the path? e.g. https://verdaccio-clone.org/npm/
Good call. Will add a test case to make sure that's handled properly.
@ljharb this is good context, makes sense that you might lock down network traffic around npm. This change should not add any more network requests to Would have been good to surface this at the time, but I'm also not aware of any complaints around the pacote change so this might mean the Good to surface all these constraints before we consider turning some of these checks on by default when running
People largely don't run anything that's not run by default; I'd urge you to consider setting up an npm registry endpoint for this rather than forcing clients to connect independently to sigstore.
@feelepxyz I've got a
Awesome work on this!
To reiterate, any CI that's using something like https://github.com/step-security/harden-runner will immediately fail when npm audit runs (including 400+ of my packages), so this will be a very disruptive breaking change if it's by default.
Again, this doesn't run on audit. This is part of
ahh, thanks, I misunderstood that - I thought this PR was affecting
Signed-off-by: Brian DeHamer <[email protected]>
The pacote PR that added the tuf cache param parsing landed and is published.
@wraithgar this is ready to go for the next release
Updates the audit signatures command to retrieve the registry keys from the Sigstore TUF repository. The keys are published as a delegated target under the registry.npmjs.org namespace.

The published keys.json uses a slightly different format than the /-/npm/v1/keys endpoint:

For now, we're transforming this to match the existing key file format used on the registry so that we don't have to make any changes in pacote. In the future we'll update pacote to take advantage of some of the additional metadata available in the newer format.

This new scheme will support third-party registries which may also want to publish their keys to the Sigstore TUF repository, but will fall back to the /-/npm/v1/keys endpoint for backward compatibility.
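An added example (not npm's or pacote's own code) of the scheme the description outlines: derive the delegated TUF target name from a registry URL, covering the sub-path and trailing-slash cases raised in review; convert a TUF keys.json record into the legacy /-/npm/v1/keys shape; and contact the registry's /-/npm/v1/keys endpoint only when the TUF repository has no target for that registry. The TUF-side field names (keyId, publicKey.rawBytes, publicKey.keyDetails, publicKey.validFor), the keyDetails-to-keytype table and the injected tuf/fetchJson clients are assumptions for this example; the fixtures are constructed and contain no real keys.

```javascript
// Added example, not npm's or pacote's code. Runs offline with the stub clients below.

// Target name under which a registry's keys would live in the TUF repository:
// "<host><path>/keys.json". Trailing slashes are stripped so that
// "https://host/npm" and "https://host/npm/" resolve to the same target.
function tufTargetForRegistry (registry) {
  const { host, pathname } = new URL(registry)
  const path = pathname.replace(/\/+$/, '')
  return `${host}${path}/keys.json`
}

// Assumed mapping from a TUF-style key algorithm label to the keytype/scheme
// strings used by /-/npm/v1/keys. Unknown labels fail closed rather than
// being passed through as something pacote might misinterpret.
const KEY_DETAILS_TO_LEGACY = { PKIX_ECDSA_P256_SHA_256: 'ecdsa-sha2-nistp256' }

// Convert the (assumed) TUF keys.json shape into the legacy registry shape:
// { expires, keyid, keytype, scheme, key }.
function toLegacyKeys (tufKeysJson) {
  return tufKeysJson.keys.map(k => {
    const keytype = KEY_DETAILS_TO_LEGACY[k.publicKey.keyDetails]
    if (!keytype) throw new Error(`unsupported key type ${k.publicKey.keyDetails}`)
    return {
      expires: k.publicKey.validFor?.end ?? null,
      keyid: k.keyId,
      keytype,
      scheme: keytype,
      key: k.publicKey.rawBytes,
    }
  })
}

// Retrieve the signing keys for `registry`. `tuf.getTarget(name)` returns the
// parsed target or null when the repository has none; `fetchJson(url)` returns
// the parsed body of a GET. Both are injected (and synchronous) so the example
// is self-contained; a real client would be async.
function retrieveRegistryKeys (registry, { tuf, fetchJson }) {
  const fromTuf = tuf.getTarget(tufTargetForRegistry(registry))
  if (fromTuf) return { source: 'tuf', keys: toLegacyKeys(fromTuf) }
  // Backward compatibility: the registry itself is contacted only now,
  // and only at its own /-/npm/v1/keys path under the configured sub-path.
  const base = registry.replace(/\/+$/, '')
  const body = fetchJson(`${base}/-/npm/v1/keys`)
  return { source: 'registry', keys: body.keys }
}

// Constructed fixtures (placeholder values, not real keys): one registry has a
// delegated TUF target, the third-party one with a sub-path does not.
const SAMPLE_TUF_TARGETS = {
  'registry.npmjs.org/keys.json': {
    keys: [{
      keyId: 'SHA256:exampleKeyIdA',
      publicKey: {
        rawBytes: 'MFkw...exampleA',
        keyDetails: 'PKIX_ECDSA_P256_SHA_256',
        validFor: { start: '2023-01-01T00:00:00Z' },
      },
    }],
  },
}
const SAMPLE_LEGACY_ENDPOINTS = {
  'https://verdaccio-clone.org/npm/-/npm/v1/keys': {
    keys: [{
      expires: null,
      keyid: 'SHA256:exampleKeyIdB',
      keytype: 'ecdsa-sha2-nistp256',
      scheme: 'ecdsa-sha2-nistp256',
      key: 'MFkw...exampleB',
    }],
  },
}

// Records every registry URL actually requested, to show that the TUF path
// adds no request to the registry host itself.
const requestedUrls = []
const clients = {
  tuf: { getTarget: name => SAMPLE_TUF_TARGETS[name] ?? null },
  fetchJson: url => {
    requestedUrls.push(url)
    const body = SAMPLE_LEGACY_ENDPOINTS[url]
    if (!body) throw new Error(`unexpected request to ${url}`)
    return body
  },
}

console.log(JSON.stringify(retrieveRegistryKeys('https://registry.npmjs.org', clients)))
console.log(JSON.stringify(retrieveRegistryKeys('https://verdaccio-clone.org/npm/', clients)))
console.log('registry requests made:', requestedUrls)
```

The fallback deliberately reuses the configured registry URL (sub-path included) rather than the bare host, so a registry mounted at /npm/ is queried at /npm/-/npm/v1/keys, and a registry whose keys are served from TUF is never contacted at all.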