Verifying the PGP registry signature of a package from the npm public registry (deprecated)
Table of contents
Note: PGP signatures will be deprecated early 2023, in favour of ECDSA registry signatures that can be verified using the npm CLI. More information will soon be provided.
To ensure the integrity of a package version you download from the npm public registry, you can manually verify the PGP signature of the package.
Note: Since fully verifying signatures on Keybase requires rechecking proofs (which requires network activity) and is therefore expensive, we recommend only verifying signatures if it is necessary -- for example, when verifying a deploy artifact, or when initially storing a package in your cache.
Prerequisites
- Install Keybase from https://keybase.io/download
- Create a Keybase account on https://keybase.io
- Follow "npmregistry" on Keybase.
- Download a local copy of the npm public registry's public PGP key.
Verifying npm signatures for the public registry
Note: The following steps use version 1.4.3 of the light-cycle
package as an example.
On the command line, fetch the signature for the package version you want and save it in a file:
npm view light-cycle@1.4.3 dist.npm-signature > sig-to-checkGet the integrity field for that version (example below includes response):
npm view light-cycle@1.4.3 dist.integrityExample response:
sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ==Construct the string that ties the unique package name and version to the integrity string (example below includes response):
keybase pgp verify --signed-by npmregistry -d sig-to-check -m 'light-cycle@1.4.3:sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ=='Example response:
▶ INFO Identifying npmregistry✔ public key fingerprint: 0963 1802 8A2B 58C8 4929 D8E1 3D4D 5B12 0276 566A✔ admin of DNS zone npmjs.org: found TXT entry keybase-site-verification=Ls8jN55i6KesjiX91Ck79bUZ17eA-iohmw2jJFM16xc✔ admin of DNS zone npmjs.com: found TXT entry keybase-site-verification=iK3pjpRBkv-CIJ4PHtWL4TTcFXMpPiwPynatKl3oWO4✔ "npmjs" on twitter: https://twitter.com/npmjs/status/981288548845240320Signature verified. Signed by npmregistry 3 years ago (2018-04-13 15:00:37 -0700 MST).PGP Fingerprint: 096318028a2b58c84929d8e13d4d5b120276566a.