About ECDSA registry signatures

Packages published to the public npm registry are signed so that tampering with package contents can be detected.

Signing and verifying published packages protects against an attacker who controls a registry mirror or proxy and attempts to intercept and tamper with package tarball contents there.

Migrating from PGP to ECDSA signatures

Note: PGP signatures will be deprecated in early 2023 in favor of ECDSA registry signatures. More information will be available soon.

The public npm registry is migrating from the existing PGP signatures to the more compact ECDSA signatures, which can be verified without an extra dependency in the npm CLI.

Signature verification was previously a multi-step process involving the Keybase CLI and manually retrieving and parsing signatures from package metadata.

Supporting third-party registry signatures

"dist":{
  ..omitted..,
  "signatures": [{
    "keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
    "sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."
  }],

{
  "keys": [{
    "expires": null,
    "keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
    "keytype": "ecdsa-sha2-nistp256",
    "scheme": "ecdsa-sha2-nistp256",
    "key": "{{B64_PUBLIC_KEY}}"
  }]
}