npm is a GitHub subsidiary, so when Hutchings speaks, npm listens. While Hutchings isn't ordering npm to adopt the Linux Foundation and Open Source Security Foundation (OpenSSF)'s Sigstore for signing npm packages, he strongly encourages it.
Advantages of Sigstore
With Sigstore, developers generate an ephemeral key pair for each signing run, using the Sigstore client. The Sigstore public key infrastructure (PKI) then issues a short-lived signing certificate that binds the ephemeral public key to the developer's OpenID Connect identity (the account they just logged in with), and records that certificate in a certificate transparency log. The signature itself is recorded in Sigstore's public transparency log, so anyone can later check what was signed, by whom, and when. That done, the ephemeral private key can be discarded: there is no long-lived key to manage or to leak, and the package carries a verifiable record of who signed it.
Sigstore's signatures, combined with npm's other security improvements, such as requiring two-factor authentication, streamlined login, and enhanced signing of artifacts, help secure npm against software supply chain attacks. One caveat a practitioner should keep in mind: a signature proves who published an artifact and, with provenance, where it was built; it does not prove the code is benign, and a compromised maintainer account or build system can still produce a validly signed malicious package.
Specifically, Hutchings explained, they're opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. "When package maintainers opt in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository."
Historically, this has been a hassle, so very few projects did it: it required each project to generate, register, protect, and rotate its own cryptographic keys. If the proposal is adopted, developers won't have to worry about that. Instead, by adding support for end-to-end signing of npm packages with Sigstore, the process is automated. Hutchings added, "This process would include generating attestations about where, when, and how the package was authored so that it can be verified later."
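To make the keyless flow and the provenance attestation concrete, here is an added example written for this page in Go using only the standard library; it is not Sigstore's, GitHub's or npm's code. Fulcio (the certificate authority), Rekor (the transparency log), the OIDC login and the in-toto provenance statement are all replaced by in-memory stand-ins: a self-signed Ed25519 root, a ten-minute leaf certificate whose only identity is the e-mail claim, a `LogEntry` struct, and a three-field `Provenance` payload. Real Sigstore issues ECDSA P-256 certificates, performs a real OIDC token exchange, also records the OIDC issuer in the certificate, and returns a signed inclusion proof from the log. The function names, the validity period, the sample tarball bytes and the identities are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Provenance is the signed payload: a constructed stand-in for the in-toto statement the RFC describes.
type Provenance struct{ ArtifactSHA256, SourceRepo, Builder string }

// CA stands in for Fulcio (Sigstore's certificate authority); LogEntry for a Rekor log record.
type CA struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}
type LogEntry struct {
	Statement, Signature, CertDER []byte
	IntegratedTime                time.Time // when the log accepted it: the clock verifiers must use
}

func NewCA() *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo root only; a real one lives in an HSM
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-fulcio-root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: priv}
}

// Issue binds an ephemeral public key to the OIDC e-mail claim for ten minutes.
func (ca *CA) Issue(email string, pub ed25519.PublicKey, now time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{email},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
}

// SignKeyless is the publisher side: fresh key, short-lived cert, sign, log, drop the key.
func SignKeyless(ca *CA, email string, prov Provenance, now time.Time) (LogEntry, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // ephemeral; never written to disk
	certDER, err := ca.Issue(email, pub, now)
	if err != nil {
		return LogEntry{}, err
	}
	stmt, _ := json.Marshal(prov)
	return LogEntry{stmt, ed25519.Sign(priv, stmt), certDER, now}, nil // priv dies here: nothing to steal later
}

// Verify is the consumer side: digest, claimed repo, chain (checked at the log's time, not time.Now(), because the cert expired minutes after signing), identity, then the signature.
func Verify(root *x509.Certificate, e LogEntry, artifact []byte, wantEmail, wantRepo string) error {
	var prov Provenance
	if err := json.Unmarshal(e.Statement, &prov); err != nil {
		return err
	}
	if d := sha256.Sum256(artifact); prov.ArtifactSHA256 != hex.EncodeToString(d[:]) {
		return fmt.Errorf("artifact digest does not match the signed statement")
	}
	if prov.SourceRepo != wantRepo {
		return fmt.Errorf("provenance names repo %q, expected %q", prov.SourceRepo, wantRepo)
	}
	cert, err := x509.ParseCertificate(e.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: e.IntegratedTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantEmail {
		return fmt.Errorf("signed by %v, expected %q", cert.EmailAddresses, wantEmail)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, e.Statement, e.Signature) {
		return fmt.Errorf("signature does not verify under the certificate's key")
	}
	return nil
}

func main() {
	ca, tarball := NewCA(), []byte("constructed npm tarball bytes") // constructed sample input
	d := sha256.Sum256(tarball)
	e, _ := SignKeyless(ca, "maintainer@example.com", Provenance{hex.EncodeToString(d[:]), "github.com/example/pkg", "github-actions"}, time.Now())
	fmt.Println(Verify(ca.Cert, e, tarball, "maintainer@example.com", "github.com/example/pkg"))
}
```

Two design points matter more than the crypto. First, `Verify` evaluates the chain at `IntegratedTime`, the moment the log accepted the entry, not at the verifier's clock; the certificate is deliberately expired by the time anyone installs the package, and that is what replaces key revocation with key non-existence. Second, the verifier has to bring its own policy (which identity and which repository it expects); a valid signature from the wrong identity, or a statement naming a different repository, is rejected, which is exactly the check the RFC's "contents match the linked repository" promise depends on.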
Dan Lorenc, Sigstore's co-creator and Chainguard CEO and co-founder, told me in an email that Sigstore has become "one of the fastest adopted open source technologies in history because of its developer-friendly method for signing, verifying, and protecting software."
npm isn't the only one adopting Sigstore to make its software safer. Kubernetes, Python, and Rust developers are all working with Sigstore.
Lorenc claims, "Tens of millions of developers are now using software signed with Sigstore, and that has a massive impact on the integrity of all software." Goodness knows npm needs this. Trustworthy is not a word that comes to mind when developers think about npm today.
Still, as Hutchings concluded, this is only one step. "Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this problem will require commitment and investment across the community. We're excited to hear your feedback and look forward to going on this journey together!"