File Explorer

/var/lang/lib/node_modules/npm/lib/utils
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
0 dirs
35 files
verify-signatures.js11.6 KB · 378 lines
1const npmFetch = require('npm-registry-fetch')2const localeCompare = require('@isaacs/string-locale-compare')('en')3const npa = require('npm-package-arg')4const pacote = require('pacote')5const tufClient = require('@sigstore/tuf')6const { log, output } = require('proc-log')7 8const sortAlphabetically = (a, b) => localeCompare(a.name, b.name)9 10class VerifySignatures {11  constructor (tree, filterSet, npm, opts) {12    this.tree = tree13    this.filterSet = filterSet14    this.npm = npm15    this.opts = opts16    this.keys = new Map()17    this.invalid = []18    this.missing = []19    this.checkedPackages = new Set()20    this.auditedWithKeysCount = 021    this.verifiedSignatureCount = 022    this.verifiedAttestationCount = 023    this.exitCode = 024  }25 26  async run () {27    const start = process.hrtime.bigint()28    const { default: pMap } = await import('p-map')29 30    // Find all deps in tree31    const { edges, registries } = this.getEdgesOut(this.tree.inventory.values(), this.filterSet)32    if (edges.size === 0) {33      throw new Error('found no installed dependencies to audit')34    }35 36    const tuf = await tufClient.initTUF({37      cachePath: this.opts.tufCache,38      retry: this.opts.retry,39      timeout: this.opts.timeout,40    })41    await Promise.all([...registries].map(registry => this.setKeys({ registry, tuf })))42 43    log.verbose('verifying registry signatures')44    await pMap(edges, (e) => this.getVerifiedInfo(e), { concurrency: 20, stopOnError: true })45 46    // Didn't find any dependencies that could be verified, e.g. only local47    // deps, missing version, not on a registry etc.48    if (!this.auditedWithKeysCount && !this.verifiedAttestationCount) {49      throw new Error('found no dependencies to audit that were installed from ' +50                      'a supported registry')51    }52 53    const invalid = this.invalid.sort(sortAlphabetically)54    const missing = this.missing.sort(sortAlphabetically)55 56    const hasNoInvalidOrMissing = invalid.length === 0 && missing.length === 057 58    if (!hasNoInvalidOrMissing) {59      process.exitCode = 160    }61 62    if (this.npm.config.get('json')) {63      output.buffer({ invalid, missing })64      return65    }66    const end = process.hrtime.bigint()67    const elapsed = end - start68 69    const auditedPlural = this.auditedWithKeysCount > 1 ? 's' : ''70    const timing = `audited ${this.auditedWithKeysCount} package${auditedPlural} in ` +71      `${Math.floor(Number(elapsed) / 1e9)}s`72    output.standard(timing)73    output.standard()74 75    const verifiedBold = this.npm.chalk.bold('verified')76    if (this.verifiedSignatureCount) {77      if (this.verifiedSignatureCount === 1) {78        output.standard(`${this.verifiedSignatureCount} package has a ${verifiedBold} registry signature`)79      } else {80        output.standard(`${this.verifiedSignatureCount} packages have ${verifiedBold} registry signatures`)81      }82      output.standard()83    }84 85    if (this.verifiedAttestationCount) {86      if (this.verifiedAttestationCount === 1) {87        output.standard(`${this.verifiedAttestationCount} package has a ${verifiedBold} attestation`)88      } else {89        output.standard(`${this.verifiedAttestationCount} packages have ${verifiedBold} attestations`)90      }91      output.standard()92    }93 94    if (missing.length) {95      const missingClr = this.npm.chalk.redBright('missing')96      if (missing.length === 1) {97        output.standard(`1 package has a ${missingClr} registry signature but the registry is providing signing keys:`)98      } else {99        output.standard(`${missing.length} packages have ${missingClr} registry signatures but the registry is providing signing keys:`)100      }101      output.standard()102      missing.map(m =>103        output.standard(`${this.npm.chalk.red(`${m.name}@${m.version}`)} (${m.registry})`)104      )105    }106 107    if (invalid.length) {108      if (missing.length) {109        output.standard()110      }111      const invalidClr = this.npm.chalk.redBright('invalid')112      // We can have either invalid signatures or invalid provenance113      const invalidSignatures = this.invalid.filter(i => i.code === 'EINTEGRITYSIGNATURE')114      if (invalidSignatures.length) {115        if (invalidSignatures.length === 1) {116          output.standard(`1 package has an ${invalidClr} registry signature:`)117        } else {118          output.standard(`${invalidSignatures.length} packages have ${invalidClr} registry signatures:`)119        }120        output.standard()121        invalidSignatures.map(i =>122          output.standard(`${this.npm.chalk.red(`${i.name}@${i.version}`)} (${i.registry})`)123        )124        output.standard()125      }126 127      const invalidAttestations = this.invalid.filter(i => i.code === 'EATTESTATIONVERIFY')128      if (invalidAttestations.length) {129        if (invalidAttestations.length === 1) {130          output.standard(`1 package has an ${invalidClr} attestation:`)131        } else {132          output.standard(`${invalidAttestations.length} packages have ${invalidClr} attestations:`)133        }134        output.standard()135        invalidAttestations.map(i =>136          output.standard(`${this.npm.chalk.red(`${i.name}@${i.version}`)} (${i.registry})`)137        )138        output.standard()139      }140 141      if (invalid.length === 1) {142        output.standard(`Someone might have tampered with this package since it was published on the registry!`)143      } else {144        output.standard(`Someone might have tampered with these packages since they were published on the registry!`)145      }146      output.standard()147    }148  }149 150  getEdgesOut (nodes, filterSet) {151    const edges = new Set()152    const registries = new Set()153    for (const node of nodes) {154      for (const edge of node.edgesOut.values()) {155        const filteredOut =156          edge.from157            && filterSet158            && filterSet.size > 0159            && !filterSet.has(edge.from.target)160 161        if (!filteredOut) {162          const spec = this.getEdgeSpec(edge)163          if (spec) {164            // Prefetch and cache public keys from used registries165            registries.add(this.getSpecRegistry(spec))166          }167          edges.add(edge)168        }169      }170    }171    return { edges, registries }172  }173 174  async setKeys ({ registry, tuf }) {175    const { host, pathname } = new URL(registry)176    // Strip any trailing slashes from pathname177    const regKey = `${host}${pathname.replace(/\/$/, '')}/keys.json`178    let keys = await tuf.getTarget(regKey)179      .then((target) => JSON.parse(target))180      .then(({ keys: ks }) => ks.map((key) => ({181        ...key,182        keyid: key.keyId,183        pemkey: `-----BEGIN PUBLIC KEY-----\n${key.publicKey.rawBytes}\n-----END PUBLIC KEY-----`,184        expires: key.publicKey.validFor.end || null,185      }))).catch(err => {186        if (err.code === 'TUF_FIND_TARGET_ERROR') {187          return null188        } else {189          throw err190        }191      })192 193    // If keys not found in Sigstore TUF repo, fall back to registry keys API194    if (!keys) {195      log.warn(`Fetching verification keys using TUF failed.  Fetching directly from ${registry}.`)196      keys = await npmFetch.json('/-/npm/v1/keys', {197        ...this.npm.flatOptions,198        registry,199      }).then(({ keys: ks }) => ks.map((key) => ({200        ...key,201        pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,202      }))).catch(err => {203        if (err.code === 'E404' || err.code === 'E400') {204          return null205        } else {206          throw err207        }208      })209    }210 211    if (keys) {212      this.keys.set(registry, keys)213    }214  }215 216  getEdgeType (edge) {217    return edge.optional ? 'optionalDependencies'218      : edge.peer ? 'peerDependencies'219      : edge.dev ? 'devDependencies'220      : 'dependencies'221  }222 223  getEdgeSpec (edge) {224    let name = edge.name225    try {226      name = npa(edge.spec).subSpec.name227    } catch {228      // leave it as edge.name229    }230    try {231      return npa(`${name}@${edge.spec}`)232    } catch {233      // Skip packages with invalid spec234    }235  }236 237  buildRegistryConfig (registry) {238    const keys = this.keys.get(registry) || []239    const parsedRegistry = new URL(registry)240    const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`241    return {242      [`${regKey}:_keys`]: keys,243    }244  }245 246  getSpecRegistry (spec) {247    return npmFetch.pickRegistry(spec, this.npm.flatOptions)248  }249 250  getValidPackageInfo (edge) {251    const type = this.getEdgeType(edge)252    // Skip potentially optional packages that are not on disk, as these could253    // be omitted during install254    if (edge.error === 'MISSING' && type !== 'dependencies') {255      return256    }257 258    const spec = this.getEdgeSpec(edge)259    // Skip invalid version requirements260    if (!spec) {261      return262    }263    const node = edge.to || edge264    const { version } = node.package || {}265 266    if (node.isWorkspace || // Skip local workspaces packages267        !version || // Skip packages that don't have an installed version, e.g. optional dependencies268        !spec.registry) { // Skip if not from registry, e.g. git package269      return270    }271 272    for (const omitType of this.npm.config.get('omit')) {273      if (node[omitType]) {274        return275      }276    }277 278    return {279      name: spec.name,280      version,281      type,282      location: node.location,283      registry: this.getSpecRegistry(spec),284    }285  }286 287  async verifySignatures (name, version, registry) {288    const {289      _integrity: integrity,290      _signatures,291      _attestations,292      _resolved: resolved,293    } = await pacote.manifest(`${name}@${version}`, {294      verifySignatures: true,295      verifyAttestations: true,296      ...this.buildRegistryConfig(registry),297      ...this.npm.flatOptions,298    })299    const signatures = _signatures || []300    const result = {301      integrity,302      signatures,303      attestations: _attestations,304      resolved,305    }306    return result307  }308 309  async getVerifiedInfo (edge) {310    const info = this.getValidPackageInfo(edge)311    if (!info) {312      return313    }314    const { name, version, location, registry, type } = info315    if (this.checkedPackages.has(location)) {316      // we already did or are doing this one317      return318    }319    this.checkedPackages.add(location)320 321    // We only "audit" or verify the signature, or the presence of it, on322    // packages whose registry returns signing keys323    const keys = this.keys.get(registry) || []324    if (keys.length) {325      this.auditedWithKeysCount += 1326    }327 328    try {329      const { integrity, signatures, attestations, resolved } = await this.verifySignatures(330        name, version, registry331      )332 333      // Currently we only care about missing signatures on registries that provide a public key334      // We could make this configurable in the future with a strict/paranoid mode335      if (signatures.length) {336        this.verifiedSignatureCount += 1337      } else if (keys.length) {338        this.missing.push({339          integrity,340          location,341          name,342          registry,343          resolved,344          version,345        })346      }347 348      // Track verified attestations separately to registry signatures, as all349      // packages on registries with signing keys are expected to have registry350      // signatures, but not all packages have provenance and publish attestations.351      if (attestations) {352        this.verifiedAttestationCount += 1353      }354    } catch (e) {355      if (e.code === 'EINTEGRITYSIGNATURE' || e.code === 'EATTESTATIONVERIFY') {356        this.invalid.push({357          code: e.code,358          message: e.message,359          integrity: e.integrity,360          keyid: e.keyid,361          location,362          name,363          registry,364          resolved: e.resolved,365          signature: e.signature,366          predicateType: e.predicateType,367          type,368          version,369        })370      } else {371        throw e372      }373    }374  }375}376 377module.exports = VerifySignatures378