wapm about two months ago and have been iterating from all the feedback that we’ve received. In response we quickly released version 0.2.0 with many usability improvements and some new functionality too.
Following up on that, we began development of a package signing system as part of 0.3.0 and 0.3.1, which we will dive into the details of here.
What is Package Signing?
Package signing is a way for the author of the package to allow users of their package to verify that it really came from the author and that it hasn’t been tampered with.
Package signing is a critical ingredient in a Package Manager. Here are a few reasons why:
- Prevention of tampering: without package signing, the owner of the package repository, or anyone who may have gained illegitimate access, can make undetectable, malicious changes to packages.
- Verification of identity: the maintainer can publish proofs through other trusted channels such as: their own website, Keybase, social media, or in person. This allows users to know the origin of the package.
- Verification of continuity: even if the package maintainer’s account is compromised, the signing key will remain secret, thus updates signed with the same key can be trusted and updates that are not signed with that key will not be implicitly trusted.
Our implementation uses Minisign (which uses Ed25519) for the public-private key pairs used for package signing. In the future wapm may support various types of cryptography for verification for users with additional needs, but Minisign has many desirable properties that make it a fantastic default choice.
Our trust system is a simple TOFU (Trust On First Use) scheme where the package-consuming user is prompted to verify public keys from the package-producing user, if they haven’t seen the key before.
Currently all new keys must be validated by the package-consuming user manually. The next improvement to our TOFU system will be to add support for key revocation and chains of trust (using a trusted key to sign a new key).
In addition to our TOFU system, users may import trusted public keys manually with wapm keys import. Through this and future APIs, we may support more sophisticated trust schemes than TOFU.
How to Sign a Package
Here’s what setting up and using it as a package maintainer looks like:
# Create keys directory inside wasmer
mkdir -p ~/.wasmer/keys/
# Generate and register a key pair
wapm keys generate ~/.wasmer/keys/
Or, if you prefer to generate the key pair with rsign and then register it with wapm:
# Install rsign to generate keys
wapm install -g jedisct1/rsign2
# Generate the key pair
wapm run rsign --dir=. -- generate
# Register the keys with wapm
wapm keys register --public rsign.pub --private .rsign/rsign.key
Once the keys are created and registered, we can publish the package as usual:
Installing a Signed Package
From the package consumer’s perspective, this is what we will see once we try to install a signed package:
# Install a signed package
$ wapm install user/package
[INFO] Installing email@example.com
New public key encountered: 3F6D278A36843FFE RWT+P4Q2iidtP7bkcLP4fBTYc9YPpuTKNVIquvPPnsFXrGdecaMKpQ+t while installing firstname.lastname@example.org.
Would you like to trust this key?
[y/n] y
[INFO] Importing key "3F6D278A36843FFE" for user "user"
[INFO] Signature of package email@example.com verified!
Package installed successfully to wapm_packages!
Additionally, there are key management commands to handle anything else related to package signing. See the wapm reference for more information.
Please try it out and let us know what you think! To get started just update your version of wasmer with wasmer self-update and you’ll get the latest version of wapm too! Or, if you’re new to wasmer, visit the website for installation instructions.
We will continue to improve the key signing story by adding support for key rotation, through chains of trust and key revocation.
Aside from package signing, we plan to work with the community to continue to improve security.
If you’re interested in working on wapm or Wasmer, we’re available to mentor and assist as needed! Looking to get even more involved? We’re hiring!
Big thanks to Frank Denis for creating Minisign, answering all our questions, providing feedback, and being generally awesome!
Additional thanks to Frank Rehberger for the valuable suggestions and feedback!
Our work wouldn’t be possible without your help ❤️