Get NPM signing keys from @sigstore/tuf

Instead of hardcoding NPM signing keys for verification we get them from
sigstore’s TUF repository. This is in line with how npm implements
signature verification.

Fixes #616, #612

Author: geigerzaehler

.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch

@@ -0,0 +1,31 @@
+diff --git a/dist/fetcher.js b/dist/fetcher.js
+index f966ce1bb0cdc6c785ce1263f1faea15d3fe764c..3b50fa0c24fd5f6e9e29cf398a3d3bf13836fabd 100644
+--- a/dist/fetcher.js
++++ b/dist/fetcher.js
+@@ -6,7 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.DefaultFetcher = exports.BaseFetcher = void 0;
+ const debug_1 = __importDefault(require("debug"));
+ const fs_1 = __importDefault(require("fs"));
+-const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
++const stream = require("node:stream");
+ const util_1 = __importDefault(require("util"));
+ const error_1 = require("./error");
+ const tmpfile_1 = require("./utils/tmpfile");
+@@ -61,14 +61,13 @@ class DefaultFetcher extends BaseFetcher {
+     }
+     async fetch(url) {
+         log('GET %s', url);
+-        const response = await (0, make_fetch_happen_1.default)(url, {
+-            timeout: this.timeout,
+-            retry: this.retry,
++        const response = await globalThis.fetch(url, {
++            timeout: this.timeout && AbortSignal.timeout(this.timeout)
+         });
+         if (!response.ok || !response?.body) {
+             throw new error_1.DownloadHTTPError('Failed to download', response.status);
+         }
+-        return response.body;
++        return stream.Readable.fromWeb(response.body);
+     }
+ }
+ exports.DefaultFetcher = DefaultFetcher;

README.md

@@ -316,8 +316,17 @@ same major line. Should you need to upgrade to a new major, use an explicit
   [`proxy-from-env`](https://github.com/Rob--W/proxy-from-env).
 
 - `COREPACK_INTEGRITY_KEYS` can be set to an empty string or `0` to
-  instruct Corepack to skip integrity checks, or to a JSON string containing
-  custom keys.
+  instruct Corepack to skip signature verification, or to a JSON string
+  containing custom keys. The format based on the response of the
+  `GET /-/npm/v1/keys` endpoint of npm registry under the `npm` key. That is,
+
+  ```bash
+  curl https://registry.npmjs.org/-/npm/v1/keys | jq -c '{npm: .keys}'
+  ```
+
+  See the [npm documentation on
+  signatures](https://docs.npmjs.com/about-registry-signatures) for more
+  information.
 
 ## Troubleshooting
 

package.json

@@ -18,6 +18,7 @@
   "license": "MIT",
   "packageManager": "yarn@4.6.0+sha512.5383cc12567a95f1d668fbe762dfe0075c595b4bfff433be478dbbe24e05251a8e8c3eb992a986667c1d53b6c3a9c85b8398c35a960587fbd9fa3a0915406728",
   "devDependencies": {
+    "@sigstore/tuf": "^3.1.0",
     "@types/debug": "^4.1.5",
     "@types/node": "^20.4.6",
     "@types/proxy-from-env": "^1",
@@ -43,7 +44,8 @@
     "which": "^5.0.0"
   },
   "resolutions": {
-    "undici-types": "6.x"
+    "undici-types": "6.x",
+    "tuf-js@npm:^3.0.1": "patch:tuf-js@npm%3A3.0.1#~/.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch"
   },
   "scripts": {
     "build": "run clean && run build:bundle && tsx ./mkshims.ts",

sources/corepackUtils.ts

@@ -289,7 +289,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s
       if (signatures! == null || integrity! == null)
         ({signatures, integrity} = (await npmRegistryUtils.fetchTarballURLAndSignature(registry.package, version)));
 
-      npmRegistryUtils.verifySignature({signatures, integrity, packageName: registry.package, version});
+      await npmRegistryUtils.verifySignature({signatures, integrity, packageName: registry.package, version});
       // @ts-expect-error ignore readonly
       build[1] = Buffer.from(integrity.slice(`sha512-`.length), `base64`).toString(`hex`);
     }

sources/npmRegistryUtils.ts

@@ -1,9 +1,14 @@
+import * as sigstoreTuf           from '@sigstore/tuf';
 import {UsageError}               from 'clipanion';
-import {createVerify}             from 'crypto';
+import assert                     from 'node:assert';
+import * as crypto                from 'node:crypto';
+import * as path                  from 'node:path';
 
 import defaultConfig              from '../config.json';
 
 import {shouldSkipIntegrityCheck} from './corepackUtils';
+import * as debugUtils            from './debugUtils';
+import * as folderUtils           from './folderUtils';
 import * as httpUtils             from './httpUtils';
 
 // load abbreviated metadata as that's all we need for these calls
@@ -32,30 +37,101 @@ export async function fetchAsJson(packageName: string, version?: string) {
   return httpUtils.fetchAsJson(`${npmRegistryUrl}/${packageName}${version ? `/${version}` : ``}`, {headers});
 }
 
-export function verifySignature({signatures, integrity, packageName, version}: {
+interface KeyInfo {
+  keyid: string;
+  key: crypto.KeyObject;
+}
+
+async function fetchSigstoreTufKeys(): Promise<Array<KeyInfo> | null> {
+  // This follows the implementation for npm.
+  // See https://github.com/npm/cli/blob/3a80a7b7d168c23b5e297cba7b47ba5b9875934d/lib/utils/verify-signatures.js#L174
+  let keysRaw: string;
+  try {
+    const sigstoreTufClient = await sigstoreTuf.initTUF({cachePath: path.join(folderUtils.getCorepackHomeFolder(), `_tuf`)});
+    keysRaw = await sigstoreTufClient.getTarget(`registry.npmjs.org/keys.json`);
+  } catch (error) {
+    console.warn(`Failed to get signing keys from Sigstore TUF repo`, error);
+    return null;
+  }
+
+  // The format of the key file is undocumented but follows `PublicKey` from
+  // sigstore/protobuf-specs.
+  // See https://github.com/sigstore/protobuf-specs/blob/main/gen/pb-typescript/src/__generated__/sigstore_common.ts
+  const keysFromSigstore = JSON.parse(keysRaw) as {keys: Array<{keyId: string, publicKey: {rawBytes: string, keyDetails: string}}>};
+
+  return keysFromSigstore.keys.filter(key => {
+    if (key.publicKey.keyDetails === `PKIX_ECDSA_P256_SHA_256`) {
+      return true;
+    } else {
+      debugUtils.log(`Unsupported verification key type ${key.publicKey.keyDetails}`);
+      return false;
+    }
+  }).map(k => ({
+    keyid: k.keyId,
+    key: crypto.createPublicKey({key: Buffer.from(k.publicKey.rawBytes, `base64`), format: `der`, type: `spki`}),
+  }));
+}
+
+async function getVerificationKeys(): Promise<Array<KeyInfo>> {
+  let keys: Array<{keyid: string, key: string}>;
+
+  if (process.env.COREPACK_INTEGRITY_KEYS) {
+    // We use the format of the `GET /-/npm/v1/keys` endpoint with `npm` instead
+    // of `keys` as the wrapping key.
+    const keysFromEnv = JSON.parse(process.env.COREPACK_INTEGRITY_KEYS) as {npm: Array<{keyid: string, key: string}>};
+    keys = keysFromEnv.npm;
+    debugUtils.log(`Using COREPACK_INTEGRITY_KEYS to verify signatures: ${keys.map(k => k.keyid).join(`, `)}`);
+    return keys.map(k => ({
+      keyid: k.keyid,
+      key: crypto.createPublicKey(`-----BEGIN PUBLIC KEY-----\n${k.key}\n-----END PUBLIC KEY-----`,
+      ),
+    }));
+  }
+
+
+  const sigstoreKeys = await fetchSigstoreTufKeys();
+  if (sigstoreKeys) {
+    debugUtils.log(`Using NPM keys from @sigstore/tuf to verify signatures: ${sigstoreKeys.map(k => k.keyid).join(`, `)}`);
+    return sigstoreKeys;
+  }
+
+  debugUtils.log(`Falling back to built-in npm verification keys`);
+  return defaultConfig.keys.npm.map(k => ({
+    keyid: k.keyid,
+    key: crypto.createPublicKey(`-----BEGIN PUBLIC KEY-----\n${k.key}\n-----END PUBLIC KEY-----`,
+    ),
+  }));
+}
+
+let verificationKeysCache: Promise<Array<{ keyid: string, key: crypto.KeyObject }>> | null = null;
+
+export async function verifySignature({signatures, integrity, packageName, version}: {
   signatures: Array<{keyid: string, sig: string}>;
   integrity: string;
   packageName: string;
   version: string;
 }) {
-  const {npm: keys} = process.env.COREPACK_INTEGRITY_KEYS ?
-    JSON.parse(process.env.COREPACK_INTEGRITY_KEYS) as typeof defaultConfig.keys :
-    defaultConfig.keys;
+  if (!verificationKeysCache)
+    verificationKeysCache = getVerificationKeys();
 
+  const keys = await verificationKeysCache;
   const key = keys.find(({keyid}) => signatures.some(s => s.keyid === keyid));
-  const signature = signatures.find(({keyid}) => keyid === key?.keyid);
+  if (key == null)
+    throw new Error(`Cannot find key to verify signature. signature keys: ${signatures.map(s => s.keyid)}, verification keys: ${keys.map(k => k.keyid)}`);
+
+  const signature = signatures.find(({keyid}) => keyid === key.keyid);
+  assert(signature);
 
-  if (key == null || signature == null) throw new Error(`Cannot find matching keyid: ${JSON.stringify({signatures, keys})}`);
+  const verifier = crypto.createVerify(`SHA256`);
+  const payload = `${packageName}@${version}:${integrity}`;
+  verifier.end(payload);
+  const valid = verifier.verify(key, signature.sig, `base64`);
 
-  const verifier = createVerify(`SHA256`);
-  verifier.end(`${packageName}@${version}:${integrity}`);
-  const valid = verifier.verify(
-    `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
-    signature.sig,
-    `base64`,
-  );
   if (!valid) {
-    throw new Error(`Signature does not match`);
+    throw new Error(
+      `Signature verification failed for ${payload} with key ${key.keyid}\n` +
+      `If you are using a custom registry you can set COREPACK_INTEGRITY_KEYS.`,
+    );
   }
 }
 
@@ -65,7 +141,7 @@ export async function fetchLatestStableVersion(packageName: string) {
   const {version, dist: {integrity, signatures, shasum}} = metadata;
 
   if (!shouldSkipIntegrityCheck()) {
-    verifySignature({
+    await verifySignature({
       packageName, version,
       integrity, signatures,
     });

tests/_registryServer.mjs

@@ -7,6 +7,14 @@ import {gzipSync}                                    from 'node:zlib';
 let privateKey, keyid;
 
 switch (process.env.TEST_INTEGRITY) {
+  case `invalid_npm_signature`: {
+    ({privateKey} = generateKeyPairSync(`ec`, {
+      namedCurve: `sect239k1`,
+    }));
+    // Known npm signing key
+    keyid = `SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U`;
+    break;
+  }
   case `invalid_signature`: {
     ({privateKey} = generateKeyPairSync(`ec`, {
       namedCurve: `sect239k1`,
@@ -199,41 +207,49 @@ server.listen(0, `localhost`);
 await once(server, `listening`);
 
 const {address, port} = server.address();
+const serverAddress = `${address.includes(`:`) ? `[${address}]` : address}:${port}`;
+
 switch (process.env.AUTH_TYPE) {
   case `PROXY`:
     // The proxy set up above will redirect all requests to our custom registry,
     process.env.COREPACK_NPM_REGISTRY = `http://user:pass@example.com`;
     break;
 
   case `COREPACK_NPM_REGISTRY`:
-    process.env.COREPACK_NPM_REGISTRY = `http://user:pass@${address.includes(`:`) ? `[${address}]` : address}:${port}`;
+    process.env.COREPACK_NPM_REGISTRY = `http://user:pass@${serverAddress}`;
     break;
 
   case `COREPACK_NPM_TOKEN`:
-    process.env.COREPACK_NPM_REGISTRY = `http://${address.includes(`:`) ? `[${address}]` : address}:${port}`;
+    process.env.COREPACK_NPM_REGISTRY = `http://${serverAddress}`;
     process.env.COREPACK_NPM_TOKEN = TOKEN_MOCK;
     break;
 
   case `COREPACK_NPM_PASSWORD`:
-    process.env.COREPACK_NPM_REGISTRY = `http://${address.includes(`:`) ? `[${address}]` : address}:${port}`;
+    process.env.COREPACK_NPM_REGISTRY = `http://${serverAddress}`;
     process.env.COREPACK_NPM_USERNAME = `user`;
     process.env.COREPACK_NPM_PASSWORD = `pass`;
     break;
 
   default: throw new Error(`Invalid AUTH_TYPE in env`, {cause: process.env.AUTH_TYPE});
 }
 
-if (process.env.NOCK_ENV === `replay`) {
-  const originalFetch = globalThis.fetch;
-  globalThis.fetch = function fetch(i) {
-    if (!`${i}`.startsWith(
-      process.env.AUTH_TYPE === `PROXY` ?
-        `http://example.com` :
-        `http://${address.includes(`:`) ? `[${address}]` : address}:${port}`))
-      throw new Error(`Unexpected request to  ${i}`);
+const passthroughUrls = [
+  process.env.AUTH_TYPE === `PROXY` ?
+    `http://example.com` :
+    `http://${serverAddress}`,
+];
+
+if (!process.env.BLOCK_SIGSTORE_TUF_REQUESTS)
+  passthroughUrls.push(`https://tuf-repo-cdn.sigstore.dev/`);
 
+
+const originalFetch = globalThis.fetch;
+globalThis.fetch = function fetch(url) {
+  if (passthroughUrls.some(passthroughUrl => url.toString().startsWith(passthroughUrl)))
     return Reflect.apply(originalFetch, this, arguments);
-  };
-}
+
+
+  throw new Error(`Unexpected request to  ${url}`);
+};
 
 server.unref();