Summary
Today it's hard to know where an npm package came from: what is the source code, and how was the package built? Maintainers can optionally specify this information, but it is easy for malicious actors to spoof.
Provenance creates verifiable links back to the source code and build instructions for public npm packages. This gives users of these packages a way to verify the package does what it says. This is a new security capability for package managers, in collaboration with the Sigstore open source project, and it is debuting on npm.
Intended Outcome
To increase confidence of supply chain security in the npm ecosystem.
How will it work?
Provenance starts when you build your npm package in a cloud CI/CD provider, like GitHub Actions.
While the build is running, we request an OIDC token from GitHub Actions. This is a signed JWT that includes information about the organization, repository, commit, branch, workflow and so on: all the metadata associated with the build. That signed JWT is sent to Sigstore's public servers, which verify it came from GitHub, issue a short-lived signing certificate to the build with the build metadata stored in X.509 extension OIDs, and record the information on a public transparency ledger.
When the build publishes to npm, it uses a special flag (npm publish --provenance) that includes the Sigstore signing certificate along with the built package. The npm registry records this information and displays it to users via the website and API.
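The publish step described above, as an added example workflow (not from the original issue or the npm project): the job must grant `id-token: write`, since that is what lets the runner request the OIDC token that Sigstore exchanges for the signing certificate. The package name, Node version and the `NPM_TOKEN` secret are assumptions; the npm CLI on the runner is assumed to support the --provenance flag.

```yaml
# .github/workflows/publish.yml  (added example, assumed file name)
name: Publish with provenance

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # read the source at the tagged commit
      id-token: write   # required: lets the job request the GitHub OIDC token
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                       # assumed
          registry-url: https://registry.npmjs.org

      - run: npm ci

      - run: npm test

      # --provenance makes npm request the OIDC token, obtain a Sigstore
      # certificate bound to this repo/commit/workflow, and upload the
      # resulting attestation with the tarball.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

If the job runs without `id-token: write`, the OIDC request fails and the publish cannot attach provenance, so a missing attestation on the registry is the first thing to check when a package is expected to carry one.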