This repository has been archived by the owner on Sep 29, 2021. It is now read-only.
To avoid tampering with NPM artifacts published (and maintained) by the Foundation, it is strongly recommended (if not mandatory, from a Foundation Security standpoint) to sign artifacts in order to prove their authenticity and avoid man-in-the-middle attacks.
After a long investigation I figured out that the NodeJS community is still trying to figure out how to implement npm package signing - node-forward/discussions#29
During my investigation I stumbled on https://s8f.org/salty.html, made by one of the guys involved in the discussion above; it looks like something definitely worth trying.
The Java (Maven) release already includes such a feature, which is widely endorsed by Maven Central (check https://symphonyoss.atlassian.net/wiki/display/FM/Software+Development+Onboarding#SoftwareDevelopmentOnboarding-MavenReleaseFeatures), but for NPM it's up to the project to enforce it, as it's not mandatory.
Looking for an NPM package that helps with the signing/deployment of GPG-signed artifacts.