This repository has been archived by the owner on Aug 11, 2021. It is now read-only.

public: support gpg-sign and gpg-key options #43

Closed
wants to merge 1 commit into from

Conversation

indutny

@indutny indutny commented Apr 18, 2014

This is a WIP for adding signatures to the npm packages. Fully enabling it will require server changes too.

Let's discuss the approach here:

  • Does GPG seem like a good idea to you?
  • How will that work on the server side? Will the server store all users' public keys and be a PGP endpoint itself?
    Or should users upload their public keys to their accounts manually with npm?

I did not do much, so hopefully you won't be biased to this because of me implementing part of it without approaching consensus. This is mostly a proof of concept.

@rlidwka
Contributor

rlidwka commented Jun 18, 2014

I tried to implement the same thing last year, please check npm/npm#4016. But there's only the verification part.

Why does the server have to be modified at all? There are a lot of public keyservers already.

@indutny
Author

indutny commented Jun 18, 2014

@rlidwka because it should be able to accept packages into the registry if the signature matches

@othiym23
Contributor

See the discussion on npm/npm#4016, and also node-forward/discussions#29. I definitely want to get to package authentication / a better chain of custody for establishing package provenance, but don't think that GnuPG is the way to get us there. It's pretty unwieldy to make work in a cross-platform way, and then the npm community is obligated either to build its own web of trust or depend on somebody else's. We'd like to see something simpler, probably based on ssh keys and a very lightweight PKI tied to each registry in a very straightforward, explicit way (i.e. so private registries could have their own trust relationships and nobody's dependent on npm, Inc. for their PKI).

Also, this absolutely shouldn't be happening in the registry client, which should be a pure network client that doesn't know anything about how the packages are cached or built on disk.

@othiym23 othiym23 closed this Mar 16, 2015
@carlos8f

We'd like to see something simpler

@othiym23 perhaps salty would be a good fit as a lightweight cross-platform PKI?


4 participants