pkgsign 0.1.3 now available
We’re now releasing pkgsign 0.1.3, which consists of bug fixes for all platforms.
We’re currently in the process of implementing a new signature.json format for 0.2.0 onwards, which will ensure the format remains compatible in the future. Therefore, this is likely going to be the last 0.1.x release. The new signature.json format is intended to support the additional metadata required for signing the dependencies of your package and for including expected identities.
Packages using the current signature.json format can still be validated with newer versions of pkgsign, but packages signed by 0.2.0 and above cannot be validated by 0.1.3 and below, so you should upgrade your CLI when 0.2.0 is released. You won’t need to re-publish any signed packages when 0.2.0 is released.
Bug fixes in 0.1.3
Thanks to everyone who submitted issues and pull requests for this release. There was quite a delay in responding to these issues, as we didn’t have the correct Watching status on GitHub for the repository and hence didn’t receive emails when new issues / PRs were submitted. That’s now been corrected, so we should be much more responsive in future when new issues / PRs are sent in.
A full list of bug fixes is below:
- #1: Line endings included in the npm package of pkgsign were CRLF, because we package on Windows. This prevented running pkgsign under Linux and macOS, which expect LF endings. Users who installed pkgsign from the GitHub repository directly (instead of npm) were not affected.
- #2: After running yarn check --integrity, yarn would generate a .yarn-integrity file inside node_modules. When running pkgsign verify . --full, pkgsign would treat this as a directory and try to recurse into it to see if the dependency was signed, which would fail because .yarn-integrity is a file.
- #3: When signing packages under macOS and Linux using Keybase, ANSI colour coding characters from the output of keybase were incorrectly included in the identity information. pkgsign now uses strip-ansi to prevent control characters from being included.
Known issues in 0.1.3 and below
We’ve discovered an issue where using npm install will cause the package.json inside dependencies to be modified, invalidating their signature. npm install rewrites each dependency’s package.json to include metadata about the installation, including details about the registry the package came from. yarn install does not do this, and is the recommended workaround for this issue until it’s resolved.
This is quite complex to solve, so there won’t be a fix until 0.2.0 when we’ve updated the
Installing or upgrading to pkgsign 0.1.3
As usual, we recommend installing pkgsign through our GitHub repository rather than NPM, as without pkgsign you can’t verify that NPM hasn’t tampered with the package.
Instructions on installing pkgsign can be found on GitHub.
Finally, thanks to everyone who has been signing their packages with pkgsign. With your help, we can make NPM packages more secure for everyone.