pkgsign 0.1.3 now available

We’re now releasing pkgsign 0.1.3, which consists of bug fixes for all platforms.

We’re currently in the process of implementing a new signature.json format for 0.2.0 onwards, which will ensure the format remains compatible in the future. Therefore, this is likely going to be the last 0.1.x release. The new signature.json format is intended to support the additional metadata required for signing dependencies of your package and including expected identities.

Packages using the current signature.json format will still validate with newer versions of pkgsign, but packages signed by 0.2.0 and above will not validate in 0.1.3 and below, so you should upgrade your CLI when 0.2.0 is released. You won’t need to re-publish any signed packages when 0.2.0 is released.

Bug fixes in 0.1.3

Thanks to everyone who submitted issues and pull requests for this release. There was quite a delay in responding to these issues, as we didn’t have the correct Watching status on GitHub for the repository and hence didn’t receive emails when new issues / PRs were submitted. That’s now been corrected, so we should be much more responsive in future when new issues / PRs are sent in.

Special thanks to ilesinge, who sent in the first pull request to pkgsign, fixing an issue where the .yarn-integrity file was incorrectly included during package verification.

A full list of bug fixes is below:

  • #1: Line endings included in the npm package of pkgsign were CRLF, because we package on Windows. This prevented running pkgsign under Linux and macOS, which expect LF endings. Users who installed pkgsign from the GitHub repository directly (instead of npm) were not affected.
  • #2: After running yarn check --integrity, yarn would generate a .yarn-integrity file inside node_modules. When running pkgsign verify . --full, pkgsign would treat this as a directory and try to recurse into it to see if the dependency was signed, which would fail because .yarn-integrity is a file.
  • #3: When signing packages under macOS and Linux using Keybase, ANSI colour coding characters from the output of keybase were incorrectly included in the identity information. pkgsign now uses strip-ansi to prevent control characters from being included.

Known issues in 0.1.3 and below

We’ve discovered an issue where using npm install causes the package.json inside each dependency to be modified, invalidating that dependency’s signature. npm install rewrites the package.json to include metadata about the installation, including details about the registry the package came from.

yarn install does not do this, and is the recommended workaround for this issue until it’s resolved.

This is quite complex to solve, so there won’t be a fix until 0.2.0 when we’ve updated the signature.json format.

Installing or upgrading to pkgsign 0.1.3

As usual, we recommend installing pkgsign through our GitHub repository rather than NPM, as without pkgsign you can’t verify that NPM hasn’t tampered with the package.

Instructions on installing pkgsign can be found on GitHub.

Finally, thanks to everyone who has been signing their packages with pkgsign. With your help, we can make NPM packages more secure for everyone.