Reputation: 157
I'll be publishing an npm package on behalf of my org, say A. I'd like to give the clients a way to validate that the package they're using is actually published by A. One way of achieving this is by calculating a checksum for our sources and publishing it somewhere on A's website. Anyone who wants to validate can do so easily. Having worked in Maven projects earlier (where checksums are generated while publishing), I was expecting that the checksum would be automatically computed in npm. However, that is not the case. Is there some way of achieving this? What's the preferred way of verifying the integrity of a package in npm?
PS: I've looked at this thread, https://github.com/npm/npm/issues/6886, which talks about something similar.
Upvotes: 2
Views: 7772
Reputation: 5864
Honestly, no. NPM is the distribution service, and you'd need to trust it to deliver an integrity check. If you trust it, and you have your https root certificates set up correctly (aka no mitm), then you can trust the files it delivers.
If your threat model is that NPM is compromised, or that your connection to NPM is, then you need to choose an out-of-band mechanism that removes NPM from the equation.
If your data's already on github, then there is already an integrity hash on the source. If someone is worried about this, they can pull the commit ID, which is a sha hash of your source code, from github. Even if github is compromised, it's difficult for someone to mess with the files and get an identical hash with new code. So pointing people at github and a sha is a solution:
npm install --save username/repo#commit-id
And finally, your idea of the hash on your website works. Assume the user npm installs your package. Then provide the command to run to check the signature. But now you need to share how you calculated the hash in a way they can repeat. See here for how to actually compute the md5: https://unix.stackexchange.com/questions/35832/how-do-i-get-the-md5-sum-of-a-directorys-contents-as-one-sum
Upvotes: 4