Sign and verify npm packages using GPG
WARNING: WORK IN PROGRESS
npm-gpg is supposed to help you sign your and verify others' npm packages. I'm not sure I've got the right approach, but YOLO. Feel free to call me out on any problems I've introduced, the issues interface is just over there to the right!
IF YOU SEE SOMETHING, SAY SOMETHING
npm-gpg currently works with the concept of a manifest in the root of an npm package. That manifest is a list of all the files that would be included in the package if it were packed by npm pack (which is how a package is processed before it ends up on the npm registry), along with their SHA-1 checksums. This manifest is then signed with gpg --clearsign -a.

npm-gpg-sign generates this manifest, and npm-gpg-verify, well, verifies it.
Heck. Just read the code. It's only like 60 lines all together.
$ cd /path/to/package && npm-gpg-sign
$ cd /path/to/package && npm-gpg-verify
3-clause BSD. A copy is included with the source.
- GitHub (deoxxa)
- Twitter (@deoxxa)
- Email (deoxxa@fknsrs.biz)