To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.

Prerequisites

  1. Install npm CLI v8.15.0 or later
  2. Install the project's dependencies with npm install or npm ci

Verifying registry signatures

Registry signatures can be verified using the following audit command:

npm audit signatures

Example response if all installed versions have valid registry signatures:

audited 1640 packages in 2s
1640 have verified registry signatures

Troubleshooting

Some packages are missing registry signatures

The CLI errors when packages lack signatures even though the registry supports signing. This could mean an attacker is trying to circumvent signature verification. You can check whether a registry supports signatures by requesting its public signing keys from registry-host.tld/-/npm/v1/keys.

Example response if some versions have missing registry signatures:

audited 1640 packages in 2s
1405 packages have verified registry signatures
235 packages have missing registry signatures but the registry is providing signing keys:
missing-dep@1.0.0 (https://registry.npmjs.org/)
...
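The two responses above are what you get when you run the command by hand. In a pipeline you usually want the same check to fail the build and to name the offending packages. The script below is an added example and is not part of the npm documentation or the npm CLI; it builds the keys URL described in the troubleshooting section, parses the summary lines that npm audit signatures prints (the two sample outputs are constructed from the responses shown above), and sketches how the check is wired into CI. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not npm's own code: gate a build on registry signature
# verification and surface the packages that lack signatures.

# Build the public-signing-keys URL for a registry, e.g.
#   https://registry.npmjs.org/  ->  https://registry.npmjs.org/-/npm/v1/keys
registry_keys_url() {
  reg="${1%/}"                      # drop one trailing slash if present
  printf '%s/-/npm/v1/keys\n' "$reg"
}

# Read the text printed by `npm audit signatures` from stdin and print the
# number of packages reported as missing signatures (0 when the summary line
# is absent). Exit status: 0 when nothing is missing, 1 otherwise.
count_missing_signatures() {
  missing=$(sed -n 's/^ *\([0-9][0-9]*\) packages\{0,1\} have missing registry signatures.*/\1/p' | head -n 1)
  : "${missing:=0}"
  printf '%s\n' "$missing"
  [ "$missing" -eq 0 ]
}

# Print the package@version (registry) lines that follow the "missing" summary.
list_missing_packages() {
  sed -n '/have missing registry signatures/,$p' | sed '1d' \
    | grep -E '^ *[^ ]+@[^ ]+ \(' || true
}

# Constructed samples mirroring the two responses shown in the docs above.
SAMPLE_OK='audited 1640 packages in 2s
1640 have verified registry signatures'

SAMPLE_MISSING='audited 1640 packages in 2s
1405 packages have verified registry signatures
235 packages have missing registry signatures but the registry is providing signing keys:
missing-dep@1.0.0 (https://registry.npmjs.org/)
...'

# How the check is wired into a pipeline. Not executed in this example
# because it needs network access and a project with a lockfile.
ci_gate() {
  reg="${1:-https://registry.npmjs.org/}"
  # Confirm the registry publishes signing keys (the keys endpoint from the docs).
  curl -fsS "$(registry_keys_url "$reg")" >/dev/null || {
    echo "registry $reg does not serve signing keys" >&2; return 1; }
  npm ci
  # npm audit signatures exits non-zero when signatures are missing or invalid.
  npm audit signatures | tee audit.log
  count_missing_signatures <audit.log >/dev/null || {
    echo "unsigned packages present; see audit.log" >&2; return 1; }
}

# Stand-alone demo on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
  if n=$(printf '%s\n' "$sample" | count_missing_signatures); then
    echo "ok: all packages have registry signatures"
  else
    echo "fail: $n package(s) lack registry signatures:"
    printf '%s\n' "$sample" | list_missing_packages
  fi
done
```

The parser keys on the wording of the summary lines shown on this page, so if a future CLI version changes that wording the count falls back to 0; rely on the command's own exit status (as ci_gate does) as the primary gate and on the parsed list only for reporting.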
Last edited by mona on March 21, 2023
Disclaimer: npm and its related logos are the property of npmjs.com. This site hosts only the Chinese translation of the npm documentation and is not affiliated with npmjs.com. Because the translators' resources are limited and to avoid misunderstandings, the terms and policies are not translated; please refer to the official site for the latest version of that content.