W3cubDocs

/npm

Verifying the PGP registry signature of a package from the npm public registry (deprecated)

Skip to content
npm Docs
npmjs.comStatusSupport
About npm
Getting started
Packages and modules
Introduction to packages and modules
Contributing packages to the registry
Updating and managing your published packages
Getting packages from the registry
Securing your code
About audit reportsAuditing package dependencies for security vulnerabilitiesAbout ECDSA registry signaturesVerifying ECDSA registry signaturesAbout PGP registry signatures (deprecated)Verifying PGP registry signatures (deprecated)Requiring 2FA for package publishing and settings modificationReporting malware in an npm package
Integrations
Organizations
Policies
Threats and Mitigations
npm CLI
Table of contents

Note: PGP signatures will be deprecated early 2023, in favour of ECDSA registry signatures that can be verified using the npm CLI. More information will soon be provided.

To ensure the integrity of a package version you download from the npm public registry, you can manually verify the PGP signature of the package.

Note: Since fully verifying signatures on Keybase requires rechecking proofs (which requires network activity) and is therefore expensive, we recommend only verifying signatures if it is necessary -- for example, when verifying a deploy artifact, or when initially storing a package in your cache.

Prerequisites

  1. Install Keybase from https://keybase.io/download
  2. Create a Keybase account on https://keybase.io
  3. Follow "npmregistry" on Keybase.
  4. Download a local copy of the npm public registry's public PGP key.

Verifying npm signatures for the public registry

Note: The following steps use version 1.4.3 of the light-cycle package as an example.

  1. On the command line, fetch the signature for the package version you want and save it in a file:

    npm view [email protected] dist.npm-signature > sig-to-check

  2. Get the integrity field for that version (example below includes response):

    npm view [email protected] dist.integrity

    Example response:

    sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ==

  3. Construct the string that ties the unique package name and version to the integrity string (example below includes response):

    keybase pgp verify --signed-by npmregistry -d sig-to-check -m '[email protected]:sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ=='

    Example response:

    ▶ INFO Identifying npmregistry
✔ public key fingerprint: 0963 1802 8A2B 58C8 4929 D8E1 3D4D 5B12 0276 566A
✔ admin of DNS zone npmjs.org: found TXT entry keybase-site-verification=Ls8jN55i6KesjiX91Ck79bUZ17eA-iohmw2jJFM16xc
✔ admin of DNS zone npmjs.com: found TXT entry keybase-site-verification=iK3pjpRBkv-CIJ4PHtWL4TTcFXMpPiwPynatKl3oWO4
✔ "npmjs" on twitter: https://twitter.com/npmjs/status/981288548845240320
Signature verified. Signed by npmregistry 3 years ago (2018-04-13 15:00:37 -0700 MST).
PGP Fingerprint: 096318028a2b58c84929d8e13d4d5b120276566a.
Edit this page on GitHub

© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/verifying-the-pgp-signature-for-a-package-from-the-npm-public-registry