
I am specifically looking at the npm package metadata, like that of the lodash package, the relevant part of which is this:

{
  "shasum": "392617f69a947e40cec7848d85fcc3dd29d74bc5",
  "tarball": "https://registry.npmjs.org/lodash/-/lodash-0.1.0.tgz",
  "integrity": "sha512-ufIfwX7g5obXKaJhzbnAJBNf5Idxqty+AHaNadWFxtNKjGmF/ZO8ptSEjQRQRymBPZtLa0NV9sbrsH87Ae2R1A==",
  "signatures": [
    {
      "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
      "sig": "MEQCIBB7pdqPfBFUsZQhVr3woDJ7/bbRWV3tlXQZNp3ivosbAiBMhwfq9fqaJvFFX1/scqPbIywUUZCQkfJaISqaJbZX2Q=="
    }
  ]
}

What exactly are these 4 things used for, and how are they computed, roughly speaking?

  • shasum
  • integrity
  • keyid
  • sig

The second one, the integrity, I figured out is the SHA-512 of the tar.gz:

shasum -a 512 lodash-0.1.0.tgz | cut -f1 -d\  | xxd -r -p | base64
ufIfwX7g5obXKaJhzbnAJBNf5Idxqty+AHaNadWFxtNKjGmF/ZO8ptSEjQRQRymBPZtLa0NV9sbrsH87Ae2R1A==

That would be computed I guess at the moment after it is uploaded to the package registry. Then it would be used when you download the package tar.gz, to check that the integrity value matches.

But what about the other 3 values?

  • How are they calculated (and what from exactly)?
  • When are they used in the verification process?

If there is anything more/better which a package manager should do, I'd be curious to know, but I assume npm already has this figured out and so just want to know what they did basically.

1 Answer

The shasum entry is the SHA-1 hash of the file. It has become obsolete with the introduction of integrity.

For integrity, the format of Subresource Integrity is used. As you already found out, this is a hash of the file, using a more modern hash algorithm than SHA-1. Note that integrity alone is not a security feature. All it does is let you detect accidental file corruption. It cannot prevent attacks, because an attacker could replace both the file and the hash of the file.

The signatures are either ECDSA or PGP signatures of the following input, calculated by the registry when a package is published:

<package name>@<package version>:<integrity hash>

The keyid is the SHA-256 hash of the corresponding registry key located under the URL domain-of-registry/-/npm/v1/keys.

To verify the signature, you can use the command npm audit signatures, as explained in the manual. The signature allows you to check whether the package has been purposely or accidentally modified after it was published to the registry.

Note that the signature is not a code signature from the package authors. It's calculated by the registry and therefore does not prevent the registry itself from manipulating the package.

As to your question about what could be improved: Ideally, npm should support actual code signing, where the authors provide the signature. However, this would require changes to the npm infrastructure, there would be some open questions about who verifies the identity of the authors, and the authors would have to do extra work.
