Add documentation for new registry signatures (#14)

feelepxyz · web-flow · commit 486db812ccbf · 2022-07-26T12:08:41.000-04:00
diff --git a/content/packages-and-modules/securing-your-code/about-pgp-signatures-for-packages-in-the-public-registry.mdx b/content/packages-and-modules/securing-your-code/about-pgp-signatures-for-packages-in-the-public-registry.mdx
@@ -1,6 +1,11 @@
 ---
-title: About package PGP signatures
+title: About PGP registry signatures (deprecated)
 ---
+<Note>
+
+**Note:** PGP signatures will be deprecated early 2023, in favour of ECDSA registry signatures that can be verified using the npm CLI. [Learn more.](/about-registry-signatures)
+
+</Note>
 
 To increase confidence in the npm public registry, we add our [PGP][pgp-wiki] signature to package metadata and publicize our public PGP key on [Keybase][keybase]. Our Keybase account is "[npmregistry][npmregistry]" and our public PGP key can be found at https://keybase.io/npmregistry/pgp_keys.asc
 
@@ -21,7 +26,7 @@ Keybase offers two advantages over the core OpenPGP experience that move us to r
 - The Keybase application and CLI provide an excellent user experience for PGP, which can be intimidating for newcomers.
 - Keybase manages and displays social proofs that the entity that controls a specific PGP key also controls accounts on social media and other places. These proofs help you determine whether you can trust an account.
 
-We’ve established proofs on Keybase that we control [@npmjs][npmjs-twitter] on Twitter, the domain [npmjs.com][npmjs-com], and the domain [npmjs.org][npmjs-org]. Verifying these proofs won’t tell you who owns those domains, but it does establish that the same entity controls them and the PGP key advertised on Keybase.
+We’ve established proofs on Keybase that we control [@npmjs][npmjs-twitter] on Twitter, the domain [npmjs.com][npmjs-com], and the domain [npmjs.org][npmjs-org]. Verifying these proofs won’t tell you who owns those domains, but it does establish that the same entity controls them, and the PGP key advertised on Keybase.
 
 If you install Keybase and create an account, you can follow npmregistry yourself and obtain a local copy of the registry’s public key. For more information, and to verify the PGP signature of a specific package version from the npm public registry, see "[Verifying the PGP signature for a package from the npm public registry][verify-pgp]".
 
diff --git a/content/packages-and-modules/securing-your-code/about-registry-signatures.mdx b/content/packages-and-modules/securing-your-code/about-registry-signatures.mdx
@@ -0,0 +1,68 @@
+---
+title: About ECDSA registry signatures
+---
+
+Packages published to the public npm registry are signed to make it possible to detect if the package content has been tampered with.
+
+Signing and verifying published packages protects against an attacker controlling a registry mirror or proxy where they attempt to intercept and tamper with the package tarball content.
+
+## Migrating from PGP to ECDSA signatures
+
+<Note>
+
+**Note:** PGP signatures will be deprecated early 2023, in favour of ECDSA registry signatures. More information will soon be provided.
+
+</Note>
+
+The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures that are more compact and can be verified without extra dependencies in the npm CLI.
+
+Signature verification was previously a multi-step process involving the Keybase CLI, as well as manually retrieving and parsing the signature from the package metadata.
+
+Read more about <a href="/verifying-registry-signatures">migrating and verifying signatures</a> using the npm CLI.
+
+## Supporting signatures on third-party registries
+
+The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:
+
+**1. Signatures are provided in the package's `packument` in each published version within the `dist` object:**
+
+  ```
+  "dist":{
+    ..omitted..,
+    "signatures": [{
+      "keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
+      "sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."
+    }],
+  ```
+
+See this <a href="https://registry.npmjs.org/light-cycle/1.4.3" target="_blank">example of a signed package from the public npm registry</a>.
+
+To generate the signature, sign the package name, version and tarball sha integrity: `${package.name}@${package.version}:${package.dist.integrity}`.
+
+The current best practice is to use a <a href="https://en.wikipedia.org/wiki/Key_management#Key_management_system" target="_blank">Key Management System</a> that does the signing operation on a <a href="https://en.wikipedia.org/wiki/Hardware_security_module" target="_blank">Hardware Security Module (HSM)</a> in order to not directly handle the private key part, which reduces the attack surface.
+
+The `keyid` must match one of the public signing keys below.
+
+**2. Public signing keys are provided at `registry-host.tld/-/npm/v1/keys` in the following format:**
+
+  ```
+  {
+    "keys": [{
+      "expires": null,
+      "keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
+      "keytype": "ecdsa-sha2-nistp256",
+      "scheme": "ecdsa-sha2-nistp256",
+      "key": "{{B64_PUBLIC_KEY}}"
+    }]
+  }
+  ```
+
+Keys response:
+
+- `expires`: null or a simplified extended <a href="https://en.wikipedia.org/wiki/ISO_8601" target="_blank">ISO 8601 format</a>: `YYYY-MM-DDTHH:mm:ss.sssZ`
+- `keydid`: sha256 fingerprint of the public key
+- `keytype`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
+- `scheme`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
+- `key`: base64 encoded public key
+
+See this <a href="https://registry.npmjs.org/-/npm/v1/keys" target="_blank">example key's response from the public npm registry</a>.
diff --git a/content/packages-and-modules/securing-your-code/verifying-registry-signatures.mdx b/content/packages-and-modules/securing-your-code/verifying-registry-signatures.mdx
@@ -0,0 +1,46 @@
+---
+title: Verifying ECDSA registry signatures
+---
+
+To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.
+
+## Prerequisites
+
+1. Install npm CLI version v8.15.0 or later
+2. Install dependencies using `npm install` or `npm ci`
+
+## Verifying registry signatures
+
+Registry signatures can be verified using the following `audit` command:
+
+   ```
+   npm audit signatures
+   ```
+
+Example response if all installed versions have valid registry signatures:
+
+  ```
+  audited 1640 packages in 2s
+
+  1640 have verified registry signatures
+  ```
+
+## Troubleshooting
+
+### Some packages are missing registry signatures
+
+The CLI will error if packages don't have signatures *and* if the package registry supports signatures. This could mean an attacker might be trying to circumvent signature verification.
+You can check if the registry supports signatures by requesting the public signing keys from `registry-host.tld/-/npm/v1/keys`.
+
+Example response if some versions have missing registry signatures:
+
+   ```
+   audited 1640 packages in 2s
+
+   1405 packages have verified registry signatures
+
+   235 packages have missing registry signatures but the registry is providing signing keys:
+
+   missing-dep@1.0.0 (https://registry.npmjs.org/)
+   ...
+   ```
diff --git a/content/packages-and-modules/securing-your-code/verifying-the-pgp-signature-for-a-package-from-the-npm-public-registry.mdx b/content/packages-and-modules/securing-your-code/verifying-the-pgp-signature-for-a-package-from-the-npm-public-registry.mdx
@@ -1,12 +1,18 @@
 ---
-title: Verifying the PGP signature of a package from the npm public registry
+title: Verifying the PGP registry signature of a package from the npm public registry (deprecated)
 ---
 
+<Note>
+
+**Note:** PGP signatures will be deprecated early 2023, in favour of ECDSA registry signatures that can be verified using the npm CLI. More information will soon be provided.
+
+</Note>
+
 To ensure the integrity of a package version you download from the npm public registry, you can manually verify the [PGP signature][about-pgp-sig] of the package.
 
 <Note>
 
-**Note:** Since fully verifying signatures on Keybase requires rechecking proofs (which requires network activity) and is therefore expensive, we recommend only verifying signatures if it is absolutely necessary -- for example, when verifying a deploy artifact, or when initially storing a package in your cache.
+**Note:** Since fully verifying signatures on Keybase requires rechecking proofs (which requires network activity) and is therefore expensive, we recommend only verifying signatures if it is necessary -- for example, when verifying a deploy artifact, or when initially storing a package in your cache.
 
 </Note>
 
diff --git a/src/gatsby-theme-doctornpm/nav.yml b/src/gatsby-theme-doctornpm/nav.yml
@@ -152,9 +152,13 @@
           url: /about-audit-reports
         - title: Auditing package dependencies for security vulnerabilities
           url: /auditing-package-dependencies-for-security-vulnerabilities
-        - title: About package PGP signatures
+        - title: About ECDSA registry signatures
+          url: /about-registry-signatures
+        - title: Verifying ECDSA registry signatures
+          url: /verifying-registry-signatures
+        - title: About PGP registry signatures (deprecated)
           url: /about-pgp-signatures-for-packages-in-the-public-registry
-        - title: Verifying the PGP signature of a package from the npm public registry
+        - title: Verifying PGP registry signatures (deprecated)
           url: /verifying-the-pgp-signature-for-a-package-from-the-npm-public-registry
         - title: Requiring 2FA for package publishing and settings modification
           url: /requiring-2fa-for-package-publishing-and-settings-modification
diff --git a/src/nav-base.yml b/src/nav-base.yml
@@ -150,9 +150,13 @@
       url: /about-audit-reports
     - title: Auditing package dependencies for security vulnerabilities
       url: /auditing-package-dependencies-for-security-vulnerabilities
-    - title: About package PGP signatures
+    - title: About ECDSA registry signatures
+      url: /about-registry-signatures
+    - title: Verifying ECDSA registry signatures
+      url: /verifying-registry-signatures
+    - title: About PGP registry signatures (deprecated)
       url: /about-pgp-signatures-for-packages-in-the-public-registry
-    - title: Verifying the PGP signature of a package from the npm public registry
+    - title: Verifying PGP registry signatures (deprecated)
       url: /verifying-the-pgp-signature-for-a-package-from-the-npm-public-registry
     - title: Requiring 2FA for package publishing and settings modification
       url: /requiring-2fa-for-package-publishing-and-settings-modification
