Run configured package manager verify signatures #6277

timotheeguerin · 2025-03-05T06:07:42Z

The initial implementation #6220 doesn't verify the signature of the downloaded package.

The concern is that corepack today include the registry keys in their codebase which means when rotated any older version is now broken(without passing the flag to ignore key validation) nodejs/corepack#616

Seems like a suggested solution is to use the npm approach to call tuf sigtool to retrieve teh keys with a fallback on downloading them from npm registry (with potentially logging a warning to the user)

npm implementation
https://github.com/npm/cli/blob/593c84921b0df963cef2ca7b13e44acc20cbd558/lib/utils/verify-signatures.js#L178-L191

markcowl · 2025-03-17T18:12:33Z

est: 5

timotheeguerin added the compiler:core Issues for @typespec/compiler label Mar 5, 2025

markcowl modified the milestones: [2025] May, Backlog Mar 17, 2025

markcowl added the feature New feature or request label Mar 17, 2025

markcowl added the triaged:core label Mar 17, 2025

timotheeguerin modified the milestones: [2025] May, [2025] June Apr 9, 2025

markcowl modified the milestones: [2025] June, Backlog May 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Run configured package manager verify signatures #6277

Run configured package manager verify signatures #6277

timotheeguerin commented Mar 5, 2025

markcowl commented Mar 17, 2025

Uh oh!

Run configured package manager verify signatures #6277

Run configured package manager verify signatures #6277

Comments

timotheeguerin commented Mar 5, 2025

markcowl commented Mar 17, 2025

Uh oh!