gar/provenance pr

DEPENDENCIES.md

@@ -398,6 +398,7 @@ graph LR;
   libnpmpack-->pacote;
   libnpmpack-->spawk;
   libnpmpack-->tap;
+  libnpmpublish-->ci-info;
   libnpmpublish-->lodash.clonedeep;
   libnpmpublish-->nock;
   libnpmpublish-->normalize-package-data;
@@ -407,6 +408,7 @@ graph LR;
   libnpmpublish-->npmcli-mock-registry["@npmcli/mock-registry"];
   libnpmpublish-->npmcli-template-oss["@npmcli/template-oss"];
   libnpmpublish-->semver;
+  libnpmpublish-->sigstore;
   libnpmpublish-->ssri;
   libnpmpublish-->tap;
   libnpmsearch-->nock;
@@ -734,6 +736,8 @@ graph LR;
   readable-stream-->util-deprecate;
   rimraf-->glob;
   semver-->lru-cache;
+  sigstore-->make-fetch-happen;
+  sigstore-->tuf-js;
   socks-->ip;
   socks-->smart-buffer;
   socks-proxy-agent-->agent-base;
@@ -756,6 +760,8 @@ graph LR;
   tar-->minizlib;
   tar-->mkdirp;
   tar-->yallist;
+  tuf-js-->make-fetch-happen;
+  tuf-js-->minimatch;
   unique-filename-->unique-slug;
   unique-slug-->imurmurhash;
   validate-npm-package-license-->spdx-correct;

lib/commands/audit.js

@@ -25,7 +25,6 @@ class VerifySignatures {
     this.checkedPackages = new Set()
     this.auditedWithKeysCount = 0
     this.verifiedCount = 0
-    this.output = []
     this.exitCode = 0
   }
 
@@ -60,13 +59,13 @@ class VerifySignatures {
     const hasNoInvalidOrMissing = invalid.length === 0 && missing.length === 0
 
     if (!hasNoInvalidOrMissing) {
-      this.exitCode = 1
+      process.exitCode = 1
     }
 
     if (this.npm.config.get('json')) {
-      this.appendOutput(JSON.stringify({
-        invalid: this.makeJSON(invalid),
-        missing: this.makeJSON(missing),
+      this.npm.output(JSON.stringify({
+        invalid,
+        missing,
       }, null, 2))
       return
     }
@@ -76,54 +75,65 @@ class VerifySignatures {
     const auditedPlural = this.auditedWithKeysCount > 1 ? 's' : ''
     const timing = `audited ${this.auditedWithKeysCount} package${auditedPlural} in ` +
       `${Math.floor(Number(elapsed) / 1e9)}s`
-    this.appendOutput(`${timing}\n`)
+    this.npm.output(timing)
+    this.npm.output('')
 
     if (this.verifiedCount) {
       const verifiedBold = this.npm.chalk.bold('verified')
-      const msg = this.verifiedCount === 1 ?
-        `${this.verifiedCount} package has a ${verifiedBold} registry signature\n` :
-        `${this.verifiedCount} packages have ${verifiedBold} registry signatures\n`
-      this.appendOutput(msg)
+      if (this.verifiedCount === 1) {
+        this.npm.output(`${this.verifiedCount} package has a ${verifiedBold} registry signature`)
+      } else {
+        this.npm.output(`${this.verifiedCount} packages have ${verifiedBold} registry signatures`)
+      }
+      this.npm.output('')
     }
 
     if (missing.length) {
       const missingClr = this.npm.chalk.bold(this.npm.chalk.red('missing'))
-      const msg = missing.length === 1 ?
-        `package has a ${missingClr} registry signature` :
-        `packages have ${missingClr} registry signatures`
-      this.appendOutput(
-        `${missing.length} ${msg} but the registry is ` +
-        `providing signing keys:\n`
+      if (missing.length === 1) {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`1 package has a ${missingClr} registry signature but the registry is providing signing keys:`)
+      } else {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`${missing.length} packages have ${missingClr} registry signatures but the registry is providing signing keys:`)
+      }
+      this.npm.output('')
+      missing.map(m =>
+        this.npm.output(`${this.npm.chalk.red(`${m.name}@${m.version}`)} (${m.registry})`)
       )
-      this.appendOutput(this.humanOutput(missing))
     }
 
     if (invalid.length) {
+      if (missing.length) {
+        this.npm.output('')
+      }
       const invalidClr = this.npm.chalk.bold(this.npm.chalk.red('invalid'))
-      const msg = invalid.length === 1 ?
-        `${invalid.length} package has an ${invalidClr} registry signature:\n` :
-        `${invalid.length} packages have ${invalidClr} registry signatures:\n`
-      this.appendOutput(
-        `${missing.length ? '\n' : ''}${msg}`
+      // We can have either invalid signatures or invalid provenance
+      const invalidSignatures = this.invalid.filter(i => i.code === 'EINTEGRITYSIGNATURE')
+      if (invalidSignatures.length === 1) {
+        this.npm.output(`1 package has an ${invalidClr} registry signature:`)
+      // } else if (invalidSignatures.length > 1) {
+      } else {
+        // TODO move this back to an else if once provenance attestation audit is added
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`${invalidSignatures.length} packages have ${invalidClr} registry signatures:`)
+      }
+      this.npm.output('')
+      invalidSignatures.map(i =>
+        this.npm.output(`${this.npm.chalk.red(`${i.name}@${i.version}`)} (${i.registry})`)
       )
-      this.appendOutput(this.humanOutput(invalid))
-      const tamperMsg = invalid.length === 1 ?
-        `\nSomeone might have tampered with this package since it was ` +
-        `published on the registry!\n` :
-        `\nSomeone might have tampered with these packages since they where ` +
-        `published on the registry!\n`
-      this.appendOutput(tamperMsg)
+      this.npm.output('')
+      if (invalid.length === 1) {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`Someone might have tampered with this package since it was published on the registry!`)
+      } else {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`Someone might have tampered with these packages since they were published on the registry!`)
+      }
+      this.npm.output('')
     }
   }
 
-  appendOutput (...args) {
-    this.output.push(...args.flat())
-  }
-
-  report () {
-    return { report: this.output.join('\n'), exitCode: this.exitCode }
-  }
-
   getEdgesOut (nodes, filterSet) {
     const edges = new Set()
     const registries = new Set()
@@ -249,11 +259,12 @@ class VerifySignatures {
       ...this.npm.flatOptions,
     })
     const signatures = _signatures || []
-    return {
+    const result = {
       integrity,
       signatures,
       resolved,
     }
+    return result
   }
 
   async getVerifiedInfo (edge) {
@@ -286,51 +297,33 @@ class VerifySignatures {
         this.verifiedCount += 1
       } else if (keys.length) {
         this.missing.push({
-          name,
-          version,
-          location,
-          resolved,
           integrity,
+          location,
+          name,
           registry,
+          resolved,
+          version,
         })
       }
     } catch (e) {
       if (e.code === 'EINTEGRITYSIGNATURE') {
-        const { signature, keyid, integrity, resolved } = e
         this.invalid.push({
+          code: e.code,
+          integrity: e.integrity,
+          keyid: e.keyid,
+          location,
           name,
+          registry,
+          resolved: e.resolved,
+          signature: e.signature,
           type,
           version,
-          resolved,
-          location,
-          integrity,
-          registry,
-          signature,
-          keyid,
         })
       } else {
         throw e
       }
     }
   }
-
-  humanOutput (list) {
-    return list.map(v =>
-      `${this.npm.chalk.red(`${v.name}@${v.version}`)} (${v.registry})`
-    ).join('\n')
-  }
-
-  makeJSON (deps) {
-    return deps.map(d => ({
-      name: d.name,
-      version: d.version,
-      location: d.location,
-      resolved: d.resolved,
-      integrity: d.integrity,
-      signature: d.signature,
-      keyid: d.keyid,
-    }))
-  }
 }
 
 class Audit extends ArboristWorkspaceCmd {
@@ -432,9 +425,6 @@ class Audit extends ArboristWorkspaceCmd {
 
     const verify = new VerifySignatures(tree, filterSet, this.npm, { ...opts })
     await verify.run()
-    const result = verify.report()
-    process.exitCode = process.exitCode || result.exitCode
-    this.npm.output(result.report)
   }
 }
 

lib/commands/publish.js

@@ -35,6 +35,7 @@ class Publish extends BaseCommand {
     'workspace',
     'workspaces',
     'include-workspace-root',
+    'provenance',
   ]
 
   static usage = ['<package-spec>']

lib/utils/config/definitions.js

@@ -1620,6 +1620,15 @@ define('progress', {
   },
 })
 
+define('provenance', {
+  default: false,
+  type: Boolean,
+  description: `
+    Indicates that a provenance statement should be generated.
+  `,
+  flatten,
+})
+
 define('proxy', {
   default: null,
   type: [null, false, url], // allow proxy to be disabled explicitly

node_modules/.gitignore

@@ -241,6 +241,7 @@
 !/semver/node_modules/lru-cache
 !/set-blocking
 !/signal-exit
+!/sigstore
 !/smart-buffer
 !/socks-proxy-agent
 !/socks
@@ -263,6 +264,7 @@
 !/text-table
 !/tiny-relative-date
 !/treeverse
+!/tuf-js
 !/unique-filename
 !/unique-slug
 !/util-deprecate