chore: retrieve npm keys via TUF

Signed-off-by: Brian DeHamer <bdehamer@github.com>

Author: bdehamer

DEPENDENCIES.md

@@ -560,6 +560,7 @@ graph LR;
  npm-->text-table;
  npm-->tiny-relative-date;
  npm-->treeverse;
+ npm-->tufjs-repo-mock["@tufjs/repo-mock"];
  npm-->validate-npm-package-name;
  npm-->which;
  npm-->write-file-atomic;

lib/commands/audit.js

@@ -3,7 +3,9 @@ const fetch = require('npm-registry-fetch')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const npa = require('npm-package-arg')
 const pacote = require('pacote')
+const path = require('path')
 const pMap = require('p-map')
+const { sigstore } = require('sigstore')
 
 const ArboristWorkspaceCmd = require('../arborist-cmd.js')
 const auditError = require('../utils/audit-error.js')
@@ -188,19 +190,41 @@ class VerifySignatures {
  }
 
  async setKeys ({ registry }) {
- const keys = await fetch.json('/-/npm/v1/keys', {
- ...this.npm.flatOptions,
- registry,
- }).then(({ keys: ks }) => ks.map((key) => ({
- ...key,
- pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
- }))).catch(err => {
- if (err.code === 'E404' || err.code === 'E400') {
- return null
- } else {
- throw err
- }
- })
+ const { host, pathname } = new URL(registry)
+ const regKey = `${host}${pathname === '/' ? '' : pathname}/keys.json`
+ const tufCachePath = path.join(this.npm.cache, '_tuf')
+ let keys = await sigstore.tuf.getTarget(regKey, { tufCachePath })
+ .then((target) => JSON.parse(target))
+ .then(({ keys: ks }) => ks.map((key) => ({
+ ...key,
+ keyid: key.keyId,
+ pemkey: `-----BEGIN PUBLIC KEY-----\n${key.publicKey.rawBytes}\n-----END PUBLIC KEY-----`,
+ expires: key.publicKey.validFor.end || null,
+ }))).catch(err => {
+ if (err.code === 'TUF_FIND_TARGET_ERROR') {
+ return null
+ } else {
+ throw err
+ }
+ })
+
+ // If keys not found in Sigstore TUF repo, fallback to registry keys API
+ if (!keys) {
+ keys = await fetch.json('/-/npm/v1/keys', {
+ ...this.npm.flatOptions,
+ registry,
+ }).then(({ keys: ks }) => ks.map((key) => ({
+ ...key,
+ pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
+ }))).catch(err => {
+ if (err.code === 'E404' || err.code === 'E400') {
+ return null
+ } else {
+ throw err
+ }
+ })
+ }
+
  if (keys) {
  this.keys.set(registry, keys)
  }

package-lock.json

@@ -66,6 +66,7 @@
  "read-package-json",
  "read-package-json-fast",
  "semver",
+ "sigstore",
  "ssri",
  "tar",
  "text-table",
@@ -163,6 +164,7 @@
  "@npmcli/mock-registry": "^1.0.0",
  "@npmcli/promise-spawn": "^6.0.2",
  "@npmcli/template-oss": "4.12.1",
+ "@tufjs/repo-mock": "^1.3.0",
  "licensee": "^10.0.0",
  "nock": "^13.3.0",
  "npm-packlist": "^7.0.4",
@@ -2555,6 +2557,19 @@
  "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
  }
  },
+ "node_modules/@tufjs/repo-mock": {
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/@tufjs/repo-mock/-/repo-mock-1.3.0.tgz",
+ "integrity": "sha512-R2bQ5t9FeZ9qAZuWHg/E/8ixllTI1/fEzJSuVdDo4a9SGfm5wNbUICT7n9Pl9AQCsAkw6evRjLQ/JUwueijTvA==",
+ "dev": true,
+ "dependencies": {
+ "@tufjs/models": "1.0.3",
+ "nock": "^13.3.1"
+ },
+ "engines": {
+ "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+ }
+ },
  "node_modules/@types/debug": {
  "version": "4.1.7",
  "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.7.tgz",
@@ -8831,9 +8846,9 @@
  "dev": true
  },
  "node_modules/nock": {
- "version": "13.3.0",
- "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.0.tgz",
- "integrity": "sha512-HHqYQ6mBeiMc+N038w8LkMpDCRquCHWeNmN3v6645P3NhN2+qXOBqvPqo7Rt1VyCMzKhJ733wZqw5B7cQVFNPg==",
+ "version": "13.3.1",
+ "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.1.tgz",
+ "integrity": "sha512-vHnopocZuI93p2ccivFyGuUfzjq2fxNyNurp7816mlT5V5HF4SzXu8lvLrVzBbNqzs+ODooZ6OksuSUNM7Njkw==",
  "dev": true,
  "dependencies": {
  "debug": "^4.1.0",

package.json

@@ -197,6 +197,7 @@
  "@npmcli/mock-registry": "^1.0.0",
  "@npmcli/promise-spawn": "^6.0.2",
  "@npmcli/template-oss": "4.12.1",
+ "@tufjs/repo-mock": "^1.3.0",
  "licensee": "^10.0.0",
  "nock": "^13.3.0",
  "npm-packlist": "^7.0.4",

tap-snapshots/test/lib/commands/audit.js.test.cjs

@@ -175,6 +175,13 @@ audited 1 package in xxx
 
 `
 
+exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with sub-path > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
 exports[`test/lib/commands/audit.js TAP audit signatures with both invalid and missing signatures > must match snapshot 1`] = `
 audited 2 packages in xxx
 
@@ -230,6 +237,13 @@ Someone might have tampered with this package since it was published on the regi
 
 `
 
+exports[`test/lib/commands/audit.js TAP audit signatures with key fallback to legacy API > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
 exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
 audited 1 package in xxx