How does npm verify packages and how to verify npm/node installation packages between machines?

Where in the npm code does it verify the packages against a checksum? Also, is it possible to verify one machine’s installation of node and packages vs. another machine’s? As in, is it possible to generate a bunch of checksums for a machine to compare with whatever’s in the registry, and on a separate machine?

In npm, it seems to be using a tree library called arborist to create a replica of the directory structure. On the other hand, as a user I’d like to be able to validate and generate checksums of the packages for the sake of provenance and verification. How do I go about doing this? And is it built into the package manager?

Answer

Where in the npm code does it verify the packages against a checksum?

Here: https://github.com/npm/cli/blob/04eb43f2b2a387987b61a7318908cf18f03d97e0/lib/utils/tar.js#L78-L80

  // excerpt from npm's lib/utils/tar.js (inside an async function); the
  // integrity hashes are computed by the ssri module over the packed tarball
  const ssri = require('ssri')
  const integrity = await ssri.fromData(tarball, {
    algorithms: ['sha1', 'sha512'],
  })

As in, is it possible to generate a bunch of checksums for a machine to compare with whatever’s in the registry, and on a separate machine.

I’m not sure of the details of your use case but I believe it should be possible. Have a look at the fromData() and other functions of the ssri module that npm uses to generate the integrity SHAs.

Note that npm generates the SHAs from tarballs (or from git SHAs if you are installing from git rather than the npm registry). So you’ll need to package the modules up as tarballs. The npm pack command might come in handy.

Related (but not quite what you’re looking for, I don’t think) would be the “Verifying the PGP signature of a package from the npm public registry” article in the npm docs.

User contributions licensed under: CC BY-SA