npm + Sigstore: Making JavaScript secure by default
JavaScript is the language of the web and one of the most popular programming languages used by developers around the world. npm is the default package manager for JavaScript, making it easy for developers to install and manage packages and dependencies. However, npm has always had one notable security gap: there was no easy way to verify that a published package was built from the source code the user expects. Users installing packages were taking a leap of faith. Until today.
In a major milestone, npm today announced the public beta of end-to-end signing of npm packages using Sigstore. This means that, for the first time, developers can verify that the package they are installing was built from the source repository and build system they expect.
This is a huge step toward significantly reducing supply chain attacks, achieved through packages signed with Sigstore.
At Chainguard, we believe that the best possible developer experience is one where security is built in, not bolted on. That is why we are thrilled to celebrate this milestone, which enables JavaScript developers worldwide to seamlessly verify JavaScript packages whose publishers have opted into the process.
Sigstore is a key piece of technology that we contribute to and help drive forward. Sigstore’s keyless approach to artifact and code signing improves the developer experience and has been a significant factor in its adoption by the Kubernetes and Python communities and by many other open source projects.
npm integrates Sigstore natively into the npm CLI via the sigstore-js library, which has been actively developed by GitHub and the Sigstore community. This serves the primary goal of demonstrating non-falsifiable provenance: establishing a verifiable link between a public npm package and the source repository and build that produced it. Verification is handled by the npm CLI itself (for example via npm audit signatures), so users do not need to run any separate Sigstore tooling.

Evidence of the signed build provenance attestation is uploaded to Rekor, the Sigstore transparency log. The records can be explored via the <> interface, which is based on the Rekor log project contributed by Chainguard.

End-to-end signing is available as an opt-in for developers. It is built around the concept of trusted builders: the build system that produces the package, rather than an individual developer holding a long-lived key, signs the attestation.
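As an added example (not code from the original post, and not npm's or GitHub's own code), here is what the opt-in described above looks like for a package published from GitHub Actions, the CI system npm's beta accepts as a trusted builder. The workflow name, package, repository secret and Node version are placeholders; the `--provenance` flag (npm 9.5.0 and later), the `id-token: write` permission and the `registry-url` input are the real mechanisms that make the keyless signing work.

```yaml
# Added example: a GitHub Actions release workflow that publishes an npm
# package with Sigstore-signed build provenance. Not from the original
# post; the workflow name, secret name and versions are placeholders.
name: Publish with provenance

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required: allows the job to request an OIDC token that identifies
      # this workflow run to Sigstore (Fulcio) as the trusted builder.
      # Without it, npm publish --provenance fails.
      id-token: write
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: 18
          # registry-url must be set so setup-node writes an .npmrc that
          # reads the publish token from NODE_AUTH_TOKEN below.
          registry-url: https://registry.npmjs.org

      - run: npm ci

      - run: npm test

      # --provenance makes the npm CLI generate a build provenance
      # attestation, sign it keylessly via Sigstore with the job's OIDC
      # identity, and record the signature in the Rekor transparency log.
      # The repository field in package.json should point at this repo;
      # npm checks that the provenance and the package metadata agree.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

On the consuming side, `npm audit signatures` (also npm 9.5.0 and later) walks the installed dependency tree, checks the registry signatures and, where a package has opted in, its provenance attestation against the Sigstore trust root, and exits non-zero when any package fails to verify, which makes it a straightforward CI gate.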
Securing the software supply chain is one of the biggest challenges our industry faces right now. We encourage folks to adopt the public beta and give feedback to improve the process. By working together we can make a huge impact in making JavaScript, and the thousands of web, desktop and mobile apps built on it, more secure by default.