
Redpoint Games Launch NPM Package Signing Tool

by Andrew Morgan, Jan 11, 2018. Estimated reading time: 2 minutes


Redpoint has launched pkgsign, a package signing and verification tool for NPM. It aims to improve security by helping ensure the authenticity of packages uploaded to and downloaded from the NPM registry.

When working with NPM, one potential security issue is that the author of a package cannot be verified. This means that a malicious package could be uploaded in the guise of a legitimate one, and in turn, any dependent applications would execute it as normal.

This was demonstrated by a recent incident: after some packages accidentally disappeared from the NPM registry, nine unknown packages were uploaded in their place. Although the issue has since been resolved, there was a window of time during which untrusted code could have been in use as though it were the legitimate package.

To help mitigate this risk, Redpoint has introduced pkgsign:

pkgsign is a tool for adding signatures to NPM and Yarn packages, as well as verifying those packages using known signatures. It allows for signing packages with PGP private keys or keybase.io for simplicity.

Once Keybase and pkgsign are installed, authors can navigate to their package directory and issue a single command to sign the package:

pkgsign .

On doing this, a "signature.json" file is added to the package, which other users can then use to verify that the package came from its author.

By using Keybase, the signature can also be connected to various social media accounts, which helps further verify the identity of the signer. PGP signing is also available, so as an alternative larger companies can generate PGP keys and publish them on a public domain.

To verify dependencies of a package being worked on, again a single command can be issued:

pkgsign verify . --full

There is also a “sign on your behalf” feature in the pipeline, which allows packages to sign the content of their dependencies even if the dependency owners have not signed them themselves. This allows packages to be fully signed.

It should be noted that, as the tool is still new, most packages are not yet signed with it:

pkgsign currently depends on unsigned packages (because it is new!). When you install pkgsign from either GitHub or NPM, those dependencies can't yet be verified.

If adoption grows, this is likely to change, but for now it is recommended that the project be cloned directly from GitHub to make sure the correct version is in use. Otherwise, users can install it unsigned directly from the NPM registry.