Redpoint has launched pkgsign, a package signing and verification tool for NPM. It aims to improve security by helping ensure the authenticity of packages which are uploaded and downloaded from the NPM registry.
When working with NPM, one potential security issue is that the author of a package cannot be verified. This means that a malicious package could be uploaded in the guise of a legitimate one, and in turn, any dependent applications would execute it as normal.
This was proven in a recent incident, when packages accidentally disappeared from the NPM registry and nine unknown packages were uploaded in their place. Although the issue is now resolved, there was a window of time during which untrusted code could have been used as if it were the legitimate packages.
To help mitigate this risk, Redpoint has introduced pkgsign:
pkgsign is a tool for adding signatures to NPM and Yarn packages, as well as verifying those packages using known signatures. It allows for signing packages with PGP private keys or keybase.io for simplicity.
Once Keybase and pkgsign are installed, authors can navigate to their package directory and issue a single command to sign the package:
pkgsign .
On doing this, a "signature.json" file will be added to the package, which is what other users can use to verify the authenticity of the author.
By using Keybase, the signature can also be connected to various social media accounts, which helps further verify the identity of the signer. PGP signing is also available as an alternative, meaning that larger companies can generate PGP keys and upload them to a public domain.
To verify dependencies of a package being worked on, again a single command can be issued:
pkgsign verify . --full
There is also a “sign on your behalf” feature in the pipeline, which allows packages to sign the content of their dependencies even if the dependency owners have not signed them themselves. This allows packages to be fully signed.
It should be noted that, as the tool is still new, many packages are still not signed with it:
pkgsign currently depends on unsigned packages (because it is new!). When you install pkgsign from either GitHub or NPM, those dependencies can't yet be verified.
If adoption grows, this is likely to change, but for now, it is recommended that the project be cloned directly from GitHub in order to make sure the correct version is in use. Otherwise, users can install it unsigned directly from the NPM registry.