Securing WAPM Packages with Package Signing

Mark McCaskey
Published in Wasmer
Jun 25, 2019

WAPM is a new package manager from Wasmer designed to make packaging and distributing WebAssembly simple and easy.

We released wapm about two months ago and have been iterating from all the feedback that we’ve received. In response we quickly released version 0.2.0 with many usability improvements and some new functionality too.

Following up on that, we began development of a package signing system as part of 0.3.0 and 0.3.1, which we will dive into the details of here.

What is Package Signing?

Package signing is a way for the author of the package to allow users of their package to verify that it really came from the author and that it hasn’t been tampered with.

It’s the modern version of sealing a letter with wax and a difficult-to-replicate imprint so the recipient can verify the letter’s authenticity and integrity.

Package signing is a critical ingredient in a Package Manager. Here are a few reasons why:

  • Prevention of tampering: without package signing, the owner of the package repository, or anyone who may have gained illegitimate access, can make undetectable, malicious changes to packages.
  • Verification of identity: the maintainer can publish proofs through other trusted channels, such as their own website, Keybase, social media, or in person. This lets users confirm the origin of the package.
  • Verification of continuity: even if the package maintainer’s account is compromised, the signing key remains secret, so updates signed with the same key can still be trusted, and updates that are not signed with that key will not be implicitly trusted.

Our implementation uses Minisign (which is built on Ed25519) for the public-private key pairs used for package signing. In the future wapm may support other signature schemes for users with additional needs, but Minisign has many desirable properties that make it a fantastic default choice.

Our trust system is a simple TOFU (Trust On First Use) scheme where the package-consuming user is prompted to verify public keys from the package-producing user, if they haven’t seen the key before.

(Figure: high-level control flow of TOFU)

Currently all new keys must be validated by the package-consuming user manually. The next improvement to our TOFU system will be to add support for key revocation and chains of trust (using a trusted key to sign a new key).

In addition to our TOFU system, users may import trusted public keys manually with wapm keys import. Through this and future APIs, we may support more sophisticated trust schemes than TOFU.

How to Sign a Package

Here’s what setting up and using it as a package maintainer looks like:

# Create keys directory inside wasmer
mkdir -p ~/.wasmer/keys/
# Generate and register a key pair
wapm keys generate ~/.wasmer/keys/

The same setup can be done manually by generating a key pair with the wapm package rsign2 (or any other Minisign implementation) and registering it with wapm:

# Install rsign to generate keys
wapm install -g jedisct1/rsign2
# Generate the key pair
wapm run rsign --dir=. -- generate
# Register the keys with wapm
wapm keys register --public rsign.pub --private .rsign/rsign.key

Once the keys are created and registered, we can publish the package as usual:

wapm publish

(Screenshot: signed packages show a green check icon next to the package name.)

Installing a Signed Package

From the package consumer’s perspective, this is what we will see once we try to install a signed package:

# Install a signed package
$ wapm install user/package
[INFO] Installing user/package@0.0.4
New public key encountered: 3F6D278A36843FFE RWT+P4Q2iidtP7bkcLP4fBTYc9YPpuTKNVIquvPPnsFXrGdecaMKpQ+t while installing package@0.0.4.
Would you like to trust this key?
[y/n] y
[INFO] Importing key "3F6D278A36843FFE" for user "user"
[INFO] Signature of package package@0.0.4 verified!
Package installed successfully to wapm_packages!

Additionally, there are key management commands to handle anything else related to package signing. See the wapm reference for more information.
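The key handling behind the transcript above and the TOFU scheme described earlier, as an added Go example that is not wapm’s own code: it decodes the public-key string from the install transcript into its Minisign fields (the 2-byte "Ed" tag, an 8-byte little-endian key id, which is how wapm arrives at the printed 3F6D278A36843FFE, and the 32-byte Ed25519 key), then applies the TOFU rule with an in-memory trust store. The TrustStore type, its prompt callback, the constructed key pair and package bytes, and the raw Ed25519 signature over the package bytes are all assumptions made for this example; real Minisign signatures are an envelope with comments around a prehashed message, so SignPackage is not interchangeable with rsign2’s output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// A Minisign public key is 42 bytes, base64-encoded: the 2-byte algorithm
// tag "Ed", an 8-byte little-endian key id, then the 32-byte Ed25519 key.
const minisignPubKeyLen = 2 + 8 + ed25519.PublicKeySize

type MinisignPublicKey struct {
	KeyID uint64
	Key   ed25519.PublicKey
}

// ParseMinisignPublicKey decodes the "RW..." string that wapm shows when it
// meets an unknown key and recovers the key id printed beside it.
func ParseMinisignPublicKey(s string) (MinisignPublicKey, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return MinisignPublicKey{}, err
	}
	if len(raw) != minisignPubKeyLen || string(raw[:2]) != "Ed" {
		return MinisignPublicKey{}, errors.New("not a Minisign Ed25519 public key")
	}
	return MinisignPublicKey{
		KeyID: binary.LittleEndian.Uint64(raw[2:10]),
		Key:   ed25519.PublicKey(append([]byte(nil), raw[10:]...)),
	}, nil
}

// EncodeMinisignPublicKey is the inverse; the demo uses it to build keys.
func EncodeMinisignPublicKey(keyID uint64, pub ed25519.PublicKey) string {
	raw := []byte("Ed")
	var id [8]byte
	binary.LittleEndian.PutUint64(id[:], keyID)
	raw = append(raw, id[:]...)
	raw = append(raw, pub...)
	return base64.StdEncoding.EncodeToString(raw)
}

// KeyIDString renders the id the way wapm does: 16 uppercase hex digits.
func (k MinisignPublicKey) KeyIDString() string { return fmt.Sprintf("%016X", k.KeyID) }

// SignPackage (simplification, see lead-in): raw Ed25519 signature over the bytes.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte { return ed25519.Sign(priv, pkg) }

var (
	ErrKeyRejected  = errors.New("user declined to trust the new key")
	ErrKeyMismatch  = errors.New("signed with a key other than the one trusted for this owner")
	ErrBadSignature = errors.New("signature does not verify: tampered or not signed by this key")
)

// TrustStore is an in-memory stand-in (assumed for this example) for wapm's
// key database: the one key the user has accepted per package owner.
type TrustStore struct {
	trusted map[string]MinisignPublicKey
	prompt  func(owner string, key MinisignPublicKey) bool // the "[y/n]" question
}

func NewTrustStore(prompt func(owner string, key MinisignPublicKey) bool) *TrustStore {
	return &TrustStore{trusted: map[string]MinisignPublicKey{}, prompt: prompt}
}

// Verify applies the TOFU rule from the post: a first-seen owner's key is put
// to the user and stored on acceptance; afterwards a package for that owner
// must present exactly the stored key (continuity); finally the signature
// over the package bytes is checked against that key.
func (t *TrustStore) Verify(owner string, key MinisignPublicKey, pkg, sig []byte) error {
	known, seen := t.trusted[owner]
	if !seen {
		if !t.prompt(owner, key) {
			return ErrKeyRejected
		}
		t.trusted[owner] = key
		known = key
	} else if known.KeyID != key.KeyID || !known.Key.Equal(key.Key) {
		return ErrKeyMismatch // a new key for a known owner is never implicitly trusted
	}
	if !ed25519.Verify(known.Key, pkg, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Public key string copied from the install transcript in the post.
	k, err := ParseMinisignPublicKey("RWT+P4Q2iidtP7bkcLP4fBTYc9YPpuTKNVIquvPPnsFXrGdecaMKpQ+t")
	if err != nil {
		panic(err)
	}
	fmt.Println("key id:", k.KeyIDString()) // 3F6D278A36843FFE, as wapm prints it

	// Constructed maintainer key pair and package bytes for the demo.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	mk, _ := ParseMinisignPublicKey(EncodeMinisignPublicKey(0x0123456789ABCDEF, pub))
	pkg := []byte("constructed package archive bytes")
	sig := SignPackage(priv, pkg)

	store := NewTrustStore(func(owner string, key MinisignPublicKey) bool { return true })
	fmt.Println("first install:", store.Verify("user", mk, pkg, sig))
	fmt.Println("tampered:", store.Verify("user", mk, append([]byte("x"), pkg...), sig))
}
```

The store keeps the page’s order of events (import the key, then verify the signature) and refuses outright when a known owner presents a different key; prompting for that case would amount to key rotation, which the post lists as future work alongside chains of trust and revocation.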

Going forward

Please try it out and let us know what you think! To get started, just update your version of wasmer with wasmer self-update and you’ll get the latest version of wapm too! Or, if you’re new to wasmer, visit the website for installation instructions.

We will continue to improve the signing story by adding key rotation, backed by chains of trust and key revocation.
Aside from package signing, we plan to work with the community to keep improving security.

If you’re interested in working on wapm or Wasmer, we’re available to mentor and assist as needed! Looking to get even more involved? We’re hiring!

Big thanks to Frank Denis for creating Minisign, answering all our questions, providing feedback, and being generally awesome!
Additional thanks to Frank Rehberger for the valuable suggestions and feedback!
Our work wouldn’t be possible without your help ❤️
