When connecting corepack to a custom NPM registry such as Artifactory, then corepack presents unhelpful error messages about JSON objects missing keys.
```
++ yarn install
/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22457
  const key = keys.find(({ keyid }) => signatures.some((s) => s.keyid === keyid));
                                                  ^

TypeError: Cannot read properties of undefined (reading 'some')
    at /opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22457:51
    at Array.find (<anonymous>)
    at verifySignature (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22457:20)
    at fetchLatestStableVersion (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22478:5)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async fetchLatestStableVersion2 (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22598:14)
    at async Engine.getDefaultVersion (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:23208:23)
    at async Engine.executePackageManagerRequest (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:23300:47)
    at async Object.runMain (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:24007:5)
```
This error is far too low level to communicate to the user what the real problem is: corepack is presently configured to expect packages to be signed by integrity keys, but the signatures are either missing or do not match the configured integrity keys.
Additionally, squirreled away in GitHub issues is a tip about setting a `COREPACK_INTEGRITY_KEYS` environment variable. To a blank, empty string. Or to zero. Or to false.
It would be helpful for error messages about integrity mismatches to link to a dedicated corepack integrity key documentation page. The page should explain loudly, clearly, and early, that in practice, integrity violations may indicate a middle man attack injecting malware into any packages downloaded via corepack and/or yarn.
Secondly, the documentation page should show the correct syntax for configuring actual integrity keys.
Third, the documentation page should pick just one value, e.g. blank string (`""`) to indicate when the user chooses to explicitly disregard integrity checks. This option should come with a warning that disabling integrity checks invites malware.
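An added example, not corepack's code and not part of the original report: a guard around the `keys.find(...)` lookup from the stack trace that separates "the registry sent no signatures" from "the signatures match no configured key" and reports each in user-level terms. The names `IntegrityCheckError`, `selectSigningKey` and `diagnose`, the error codes, and the `dist.signatures` metadata layout are assumptions, and the sample data is constructed; cryptographic verification of the selected signature is out of scope here.

```javascript
// Added example with hypothetical names; only the `keys.find(...)` lookup is from the trace.
class IntegrityCheckError extends Error {
  constructor(code, message) {
    super(message);
    this.name = 'IntegrityCheckError';
    this.code = code; // machine-readable reason, usable for a documentation link
  }
}

// Return the trusted key (and its signature) for a release, or say why there is none.
// Assumption: signatures sit under `dist.signatures` in the registry's version metadata.
function selectSigningKey(manifest, keys) {
  const id = `${manifest.name}@${manifest.version}`;
  const signatures = manifest.dist && manifest.dist.signatures;
  if (!Array.isArray(signatures) || signatures.length === 0) {
    throw new IntegrityCheckError('SIGNATURES_MISSING',
      `${id}: registry response has no signatures to check against the integrity keys`);
  }
  if (!Array.isArray(keys) || keys.length === 0) {
    throw new IntegrityCheckError('NO_KEYS_CONFIGURED', `${id}: no integrity keys configured`);
  }
  // The lookup from the stack trace, now reached only with well-formed inputs.
  const key = keys.find(({ keyid }) => signatures.some((s) => s.keyid === keyid));
  if (!key) {
    const seen = signatures.map((s) => s.keyid).join(', ');
    throw new IntegrityCheckError('NO_MATCHING_KEY',
      `${id}: signed by [${seen}], which matches no configured integrity key`);
  }
  return { key, signature: signatures.find((s) => s.keyid === key.keyid) };
}

// Map the outcome to a short code a caller can log or branch on.
function diagnose(manifest, keys) {
  try {
    selectSigningKey(manifest, keys);
    return 'OK';
  } catch (err) {
    if (err instanceof IntegrityCheckError) return err.code;
    throw err;
  }
}

// Constructed sample data: placeholder key ids, keys and signatures, not real ones.
const trustedKeys = [{ keyid: 'SHA256:constructed-A', key: '<public key>' }];
const sig = (keyid) => ({ keyid, sig: '<signature>' });
const signedManifest = { name: 'yarn', version: '0.0.0', dist: { signatures: [sig('SHA256:constructed-A')] } };
const unsignedManifest = { name: 'yarn', version: '0.0.0', dist: {} };
const foreignManifest = { name: 'yarn', version: '0.0.0', dist: { signatures: [sig('SHA256:constructed-B')] } };

console.log([signedManifest, unsignedManifest, foreignManifest].map((m) => diagnose(m, trustedKeys)));
```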