Get NPM signing keys from @sigstore/tuf

Instead of hardcoding NPM signing keys for verification we get them from
sigstore’s TUF repository. This is in line with how npm implements
signature verification.

Fixes #616, #612

Author: geigerzaehler

README.md

@@ -316,8 +316,17 @@ same major line. Should you need to upgrade to a new major, use an explicit
   [`proxy-from-env`](https://github.com/Rob--W/proxy-from-env).
 
 - `COREPACK_INTEGRITY_KEYS` can be set to an empty string or `0` to
-  instruct Corepack to skip integrity checks, or to a JSON string containing
-  custom keys.
+  instruct Corepack to skip signature verification, or to a JSON string
+  containing custom keys. The format based on the response of the
+  `GET /-/npm/v1/keys` endpoint of NPM under the `npm` key. That is,
+
+  ```bash
+  curl https://registry.npmjs.org/-/npm/v1/keys | jq -c '{npm: .keys}'
+  ```
+
+  See the [NPM documentation on
+  signatures](https://docs.npmjs.com/about-registry-signatures) for more
+  information.
 
 ## Troubleshooting
 

config.json

@@ -161,23 +161,5 @@
         }
       }
     }
-  },
-  "keys": {
-    "npm": [
-      {
-        "expires": "2025-01-29T00:00:00.000Z",
-        "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
-        "keytype": "ecdsa-sha2-nistp256",
-        "scheme": "ecdsa-sha2-nistp256",
-        "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="
-      },
-      {
-        "expires": null,
-        "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U",
-        "keytype": "ecdsa-sha2-nistp256",
-        "scheme": "ecdsa-sha2-nistp256",
-        "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY6Ya7W++7aUPzvMTrezH6Ycx3c+HOKYCcNGybJZSCJq/fd7Qa8uuAKtdIkUQtQiEKERhAmE5lMMJhP8OkDOa2g=="
-      }
-    ]
   }
 }

package.json

@@ -18,6 +18,7 @@
   "license": "MIT",
   "packageManager": "yarn@4.6.0+sha512.5383cc12567a95f1d668fbe762dfe0075c595b4bfff433be478dbbe24e05251a8e8c3eb992a986667c1d53b6c3a9c85b8398c35a960587fbd9fa3a0915406728",
   "devDependencies": {
+    "@sigstore/tuf": "^3.1.0",
     "@types/debug": "^4.1.5",
     "@types/node": "^20.4.6",
     "@types/proxy-from-env": "^1",

sources/corepackUtils.ts

@@ -289,7 +289,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s
       if (signatures! == null || integrity! == null)
         ({signatures, integrity} = (await npmRegistryUtils.fetchTarballURLAndSignature(registry.package, version)));
 
-      npmRegistryUtils.verifySignature({signatures, integrity, packageName: registry.package, version});
+      await npmRegistryUtils.verifySignature({signatures, integrity, packageName: registry.package, version});
       // @ts-expect-error ignore readonly
       build[1] = Buffer.from(integrity.slice(`sha512-`.length), `base64`).toString(`hex`);
     }

sources/npmRegistryUtils.ts

@@ -1,10 +1,12 @@
-import {UsageError}               from 'clipanion';
-import {createVerify}             from 'crypto';
+import * as sigstoreTuf                           from '@sigstore/tuf';
+import {UsageError}                               from 'clipanion';
+import assert                                     from 'node:assert';
+import {createVerify, createPublicKey, KeyObject} from 'node:crypto';
 
-import defaultConfig              from '../config.json';
-
-import {shouldSkipIntegrityCheck} from './corepackUtils';
-import * as httpUtils             from './httpUtils';
+import {shouldSkipIntegrityCheck}                 from './corepackUtils';
+import * as debugUtils                            from './debugUtils';
+import * as httpUtils                             from './httpUtils';
+import {once}                                     from './utils';
 
 // load abbreviated metadata as that's all we need for these calls
 // see: https://github.com/npm/registry/blob/cfe04736f34db9274a780184d1cdb2fb3e4ead2a/docs/responses/package-metadata.md
@@ -32,30 +34,58 @@ export async function fetchAsJson(packageName: string, version?: string) {
   return httpUtils.fetchAsJson(`${npmRegistryUrl}/${packageName}${version ? `/${version}` : ``}`, {headers});
 }
 
-export function verifySignature({signatures, integrity, packageName, version}: {
+const getVerificationKeys = once(async (): Promise<Array<{ keyid: string, key: KeyObject }>> => {
+  let keys: Array<{ keyid: string, key: string }>;
+  if (process.env.COREPACK_INTEGRITY_KEYS) {
+    // We use the format of the `GET /-/npm/v1/keys` endpoint with `npm` instead
+    // of `keys` as the wrapping key.
+    const keysFromEnv = JSON.parse(process.env.COREPACK_INTEGRITY_KEYS) as { npm: Array<{ keyid: string, key: string }> };
+    keys = keysFromEnv.npm.map(k => ({keyid: k.keyid, key: k.key}));
+    debugUtils.log(`Using COREPACK_INTEGRITY_KEYS to verify signatures: ${keys.map(k => k.keyid).join(`, `)}`);
+  } else {
+    // This follows the implementation for npm.
+    // See https://github.com/npm/cli/blob/3a80a7b7d168c23b5e297cba7b47ba5b9875934d/lib/utils/verify-signatures.js#L174
+    // We only support sigstore for NPM. For other registries
+    // COREPACK_INTEGRITY_KEYS can be used.
+    const sigstoreTufClient = await sigstoreTuf.initTUF();
+    const keysRaw = await sigstoreTufClient.getTarget(`registry.npmjs.org/keys.json`);
+    // The format of the key file is undocumented, unfortunately. `rawBytes` is
+    // the PEM content, i.e. base64 encoded SPKI DER.
+    const keysFromSigstore = JSON.parse(keysRaw) as { keys: Array<{ keyId: string, publicKey: { rawBytes: string }}> };
+    keys = keysFromSigstore.keys.map(k => ({keyid: k.keyId, key: k.publicKey.rawBytes}));
+    debugUtils.log(`Using NPM keys from @sigstore/tuf to verify signatures: ${keys.map(k => k.keyid).join(`, `)}`);
+  }
+
+  return keys.map(k => ({
+    keyid: k.keyid,
+    key: createPublicKey(`-----BEGIN PUBLIC KEY-----\n${k.key}\n-----END PUBLIC KEY-----`,
+    )}));
+});
+
+export async function verifySignature({signatures, integrity, packageName, version}: {
   signatures: Array<{keyid: string, sig: string}>;
   integrity: string;
   packageName: string;
   version: string;
 }) {
-  const {npm: keys} = process.env.COREPACK_INTEGRITY_KEYS ?
-    JSON.parse(process.env.COREPACK_INTEGRITY_KEYS) as typeof defaultConfig.keys :
-    defaultConfig.keys;
-
+  const keys = await getVerificationKeys();
   const key = keys.find(({keyid}) => signatures.some(s => s.keyid === keyid));
-  const signature = signatures.find(({keyid}) => keyid === key?.keyid);
+  if (key == null)
+    throw new Error(`Cannot find key to verify signature. signature keys: ${signatures.map(s => s.keyid)}, verification keys: ${keys.map(k => k.keyid)}`);
 
-  if (key == null || signature == null) throw new Error(`Cannot find matching keyid: ${JSON.stringify({signatures, keys})}`);
+  const signature = signatures.find(({keyid}) => keyid === key.keyid);
+  assert(signature); // If `key` is defined there is a matching signature
 
   const verifier = createVerify(`SHA256`);
-  verifier.end(`${packageName}@${version}:${integrity}`);
-  const valid = verifier.verify(
-    `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
-    signature.sig,
-    `base64`,
-  );
+  const payload = `${packageName}@${version}:${integrity}`;
+  verifier.end(payload);
+  const valid = verifier.verify(key, signature.sig, `base64`);
+
   if (!valid) {
-    throw new Error(`Signature does not match`);
+    throw new Error(
+      `Signature verification failed for ${payload} with key ${key.keyid}\n` +
+      `If you are using a custom registry you can set COREPACK_INTEGRITY_KEYS.`,
+    );
   }
 }
 
@@ -65,7 +95,7 @@ export async function fetchLatestStableVersion(packageName: string) {
   const {version, dist: {integrity, signatures, shasum}} = metadata;
 
   if (!shouldSkipIntegrityCheck()) {
-    verifySignature({
+    await verifySignature({
       packageName, version,
       integrity, signatures,
     });

sources/types.ts

@@ -103,16 +103,6 @@ export interface Config {
       };
     };
   };
-
-  keys: {
-    [registry: string]: Array<{
-      expires: null;
-      keyid: string;
-      keytype: string;
-      scheme: string;
-      key: string;
-    }>;
-  };
 }
 
 /**

sources/utils.ts

@@ -0,0 +1,11 @@
+export function once<T>(fn: () => T) {
+  let cache: null | { value: T } = null;
+  return function () {
+    if (cache)
+      return cache.value;
+
+
+    cache = {value: fn()};
+    return cache.value;
+  };
+}

tests/config.test.ts

@@ -634,6 +634,40 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@sigstore/protobuf-specs@npm:^0.4.0":
+  version: 0.4.0
+  resolution: "@sigstore/protobuf-specs@npm:0.4.0"
+  checksum: 10c0/5b9e074ad132b977050cbd9431c09ea88b21af266dae91dda8d51e29c7b295e73e3be255c10d68874259326229dde1805dd1f5ff29082d2f3d32a932809816eb
+  languageName: node
+  linkType: hard
+
+"@sigstore/tuf@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "@sigstore/tuf@npm:3.1.0"
+  dependencies:
+    "@sigstore/protobuf-specs": "npm:^0.4.0"
+    tuf-js: "npm:^3.0.1"
+  checksum: 10c0/940237295bec3817ef4dbfd48de8b9a73b4e297966c05e81b6103747904def999f27499adb3de572407f2c72c6f28d2c699a6c8446be808b599c427a9903f081
+  languageName: node
+  linkType: hard
+
+"@tufjs/canonical-json@npm:2.0.0":
+  version: 2.0.0
+  resolution: "@tufjs/canonical-json@npm:2.0.0"
+  checksum: 10c0/52c5ffaef1483ed5c3feedfeba26ca9142fa386eea54464e70ff515bd01c5e04eab05d01eff8c2593291dcaf2397ca7d9c512720e11f52072b04c47a5c279415
+  languageName: node
+  linkType: hard
+
+"@tufjs/models@npm:3.0.1":
+  version: 3.0.1
+  resolution: "@tufjs/models@npm:3.0.1"
+  dependencies:
+    "@tufjs/canonical-json": "npm:2.0.0"
+    minimatch: "npm:^9.0.5"
+  checksum: 10c0/0b2022589139102edf28f7fdcd094407fc98ac25bf530ebcf538dd63152baea9b6144b713c8dfc4f6b7580adeff706ab6ecc5f9716c4b816e58a04419abb1926
+  languageName: node
+  linkType: hard
+
 "@types/debug@npm:^4.1.5":
   version: 4.1.12
   resolution: "@types/debug@npm:4.1.12"
@@ -1393,6 +1427,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "corepack@workspace:."
   dependencies:
+    "@sigstore/tuf": "npm:^3.1.0"
     "@types/debug": "npm:^4.1.5"
     "@types/node": "npm:^20.4.6"
     "@types/proxy-from-env": "npm:^1"
@@ -1463,7 +1498,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"debug@npm:4, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.4, debug@npm:^4.4.0":
+"debug@npm:4, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.4, debug@npm:^4.3.6, debug@npm:^4.4.0":
   version: 4.4.0
   resolution: "debug@npm:4.4.0"
   dependencies:
@@ -3058,7 +3093,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"make-fetch-happen@npm:^14.0.3":
+"make-fetch-happen@npm:^14.0.1, make-fetch-happen@npm:^14.0.3":
   version: 14.0.3
   resolution: "make-fetch-happen@npm:14.0.3"
   dependencies:
@@ -3117,7 +3152,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"minimatch@npm:^9.0.4":
+"minimatch@npm:^9.0.4, minimatch@npm:^9.0.5":
   version: 9.0.5
   resolution: "minimatch@npm:9.0.5"
   dependencies:
@@ -4394,6 +4429,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"tuf-js@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "tuf-js@npm:3.0.1"
+  dependencies:
+    "@tufjs/models": "npm:3.0.1"
+    debug: "npm:^4.3.6"
+    make-fetch-happen: "npm:^14.0.1"
+  checksum: 10c0/4214dd6bb1ec8a6cadbc5690e5a8556de0306f0e95022e54fc7c0ff9dbcc229ab379fd4b048511387f9c0023ea8f8c35acd8f7313f6cbc94a1b8af8b289f62ad
+  languageName: node
+  linkType: hard
+
 "tunnel-agent@npm:^0.6.0":
   version: 0.6.0
   resolution: "tunnel-agent@npm:0.6.0"