TrippLamb

Reputation: 1619

Integrity Checking for NPM Packages

I'm being tasked by our IT/Security department with validating the integrity of my downloads from npm. I'm a programmer, and while I understand at a top level what performing a SHA checksum is, I'm having trouble figuring out how to do that on my npm packages.

I successfully performed a check on a single file downloaded from the browser for something other than npm. npm installs come with an "integrity" value in the "package-lock.json", but I am unsure how to use that value. For example, when trying to perform this check on the D3 library, which has the "integrity" value "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==", I have been unable to recreate that value. I tried to create a tarball of the package folder using 7-Zip, and I even tried directly downloading the ".tgz" file from the "resolved" value "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz", which still does not yield the right checksum.

I have used both of the following commands, which give me the same result (e0f2f9847687c17e26ed9af551aa575b6ddaa68ea97b10a075eb5d2799139800e91bfed3f46931c34334b5ffe98e807addecc20a6d2ee54685632d9a32dd0c73):

Get-FileHash -Path C:\Path\to\d3-5.16.0.tgz -Algorithm SHA512
certutil -hashfile C:\Path\to\d3-5.16.0.tgz sha512

If anyone can walk me through what I'm doing wrong or missing, it would be very much appreciated.

Upvotes: 3

Views: 2275

Answers (1)

Andreycw

Reputation: 93

You just missed one step: you need to convert the result (hex) to base64. The result you generated is in hexadecimal (by default), unless you explicitly specify base64 encoding while creating the hash.

Summary:

  1. Have your file hashed with the algorithm of your choice (e.g. SHA-256).
  2. By default, this produces a hexadecimal hash. You need to convert it into a Base64-encoded hash.

Option 1: You can generate SRI hashes from the command line with openssl using a command invocation such as
cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A

Option 2: Or with shasum:
shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64

Option 3: Use online tools.

  1. Firstly, upload and hash your file with any online tool (I was using this); it should produce a hexadecimal hash output.
  2. Then, convert your hexadecimal hash output into a Base64-encoded value (I was using this).


Upvotes: 2
