
Add GnuPG (gpg) verification of checksum file

Open madarche opened this issue 9 years ago • 11 comments

This is an acknowledged partial implementation: to finalize it I'm waiting for #664 to be merged. All comments are welcome still.

It's partial because it's only done for Node.js recent archives. But it may still be useful. At least it works for me :-)

madarche avatar Apr 19 '15 19:04 madarche

This seems like it removes proper sha checking entirely for many uses, and makes gpg required to replicate that feature.

I don't want to add a dependency, especially another implicit dependency, to an external tool - POSIX only, please.

ljharb avatar Apr 19 '15 20:04 ljharb

As written it is partial because it is waiting on #664. I didn't want to do a full-featured PR that would have to be rewritten again once #664 is merged (since it brings changes on the checksum side).

I know alright that nvm must always support sha-1 checking for older versions of node, and that the final implementation needs to support the sha checking without any regression in general. And GnuPG support will only be an additional feature for users who have it installed.

So no worries :-) See this PR as just a first step; hopefully I'll work on it again soon :-) In the meantime it is working for limited use cases and might help some people.

madarche avatar Apr 20 '15 07:04 madarche

Perhaps check for gpg or gpg2 before making any assumptions about which to use?

jbergstroem avatar Oct 08 '15 03:10 jbergstroem

@madarche Nice work! Any progress with it? Would be nice to ship this by default :wink:

ypid avatar Feb 11 '17 22:02 ypid

For reference, I implemented this feature for asdf, refer to Check signatures/checksums to ensure authenticity. You are free/encouraged to use this example code (under the terms of the MIT License) also in this project.

Checking signatures is one of the basic steps a package/version manager should do (ref). Would be nice to see further work on this PR. Keep up the good work!

ypid avatar Feb 12 '17 20:02 ypid
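The flow this thread keeps circling around, as an added sketch that is neither nvm's code nor the asdf code ypid links: pick `gpg2` or `gpg` if either exists (jbergstroem's point), keep the sha checking working with no GnuPG installed at all (ljharb's no-extra-dependency requirement), and verify the detached signature on the checksum file before trusting its contents (ypid's point). The function names and the `NVM_GPG_BIN` / `NVM_REQUIRE_GPG` variables are assumptions, as is the digest-algorithm parameter (1 for the old `SHASUMS.txt`, 256 for `SHASUMS256.txt`); it also assumes the Node.js release signing keys are already in the local keyring.

```shell
#!/bin/sh
# Added illustration, not nvm's own code: verify a downloaded Node.js archive
# against its SHASUMS file, and verify that file's detached GnuPG signature
# when a gpg binary is available. Function names and the NVM_GPG_BIN /
# NVM_REQUIRE_GPG variables are hypothetical. Assumes the Node.js release
# signing keys are already imported into the local keyring.

# Prefer gpg2 if present, else gpg; print nothing if neither exists so the
# caller can degrade gracefully instead of hard-depending on GnuPG.
nvm_find_gpg() {
  if command -v gpg2 >/dev/null 2>&1; then
    printf '%s\n' gpg2
  elif command -v gpg >/dev/null 2>&1; then
    printf '%s\n' gpg
  fi
}

# Print the hex digest of FILE using ALGO (1 for the SHASUMS.txt of old
# releases, 256 for SHASUMS256.txt), with whichever tool the host has.
nvm_compute_checksum() {
  file="$1"; algo="${2:-256}"
  if command -v "sha${algo}sum" >/dev/null 2>&1; then
    "sha${algo}sum" "$file" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a "$algo" "$file" | awk '{ print $1 }'
  else
    echo "no sha${algo} tool available" >&2
    return 1
  fi
}

# Compare FILE's digest with the entry for its basename in SUMS
# ("<hex>  <filename>" lines). Returns 1 on mismatch or missing entry.
nvm_check_checksum() {
  file="$1"; sums="$2"; algo="${3:-256}"
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
  actual=$(nvm_compute_checksum "$file" "$algo") || return 1
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Verify detached signature SIG over SUMS. Without a gpg binary this step is
# skipped (the checksum check above still applies) unless the caller set
# NVM_REQUIRE_GPG=1. NVM_GPG_BIN, if set, overrides auto-detection; an empty
# value means "no gpg".
nvm_verify_sums_signature() {
  sums="$1"; sig="$2"
  gpg_bin="${NVM_GPG_BIN-$(nvm_find_gpg)}"
  if [ -z "$gpg_bin" ]; then
    if [ "${NVM_REQUIRE_GPG:-0}" = "1" ]; then
      echo "GnuPG required by NVM_REQUIRE_GPG=1 but not found" >&2
      return 1
    fi
    echo "GnuPG not found; skipping signature check of $sums" >&2
    return 0
  fi
  "$gpg_bin" --batch --verify "$sig" "$sums" >/dev/null 2>&1 \
    || { echo "bad or untrusted signature on $sums" >&2; return 1; }
}

# Full check: signature first, so a tampered checksum file is rejected before
# any value in it is trusted, then the archive digest.
nvm_verify_download() {
  archive="$1"; sums="$2"; sig="$3"; algo="${4:-256}"
  nvm_verify_sums_signature "$sums" "$sig" || return 1
  nvm_check_checksum "$archive" "$sums" "$algo"
}
```

Calling `nvm_verify_download node-vX.tar.gz SHASUMS256.txt SHASUMS256.txt.sig` after the three files are downloaded gives the behaviour the thread asks for: sha checking never regresses, GnuPG is an opt-in extra, and a host without gpg only loses the signature step unless the user explicitly demands it.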

Hello all. I still intend to work again on this PR following all of @ljharb's advice. The problem is just that I have too much work. I need to find some time.

And FYI I personally use my nvm fork every day to be sure of the downloaded Node.js binaries. So this fork is still functional for those who can't wait to have this feature in the official nvm.

madarche avatar Feb 13 '17 11:02 madarche

@madarche using it every day, have you even once had any of the checksum verifications fail? I'd love to hear about that.

ljharb avatar Feb 13 '17 23:02 ljharb

@ljharb I've never ever had the checksum verification fail. But that way I feel safe and I can safely use Node.js + nvm on important systems. We also take good care with NPM package checking and upgrading. NPM packages are not signed for now, but that's not a reason not to check the Node.js signature if it's available. A chain is only as strong as its weakest link.

Cheers

madarche avatar Feb 14 '17 08:02 madarche

@ypid I'll read your code. Thanks. And I've noted that you've mentioned that your code is MIT-licensed and thus can safely be reused in nvm as is.

ETA for me back on this PR: 2 weeks

madarche avatar Feb 14 '17 08:02 madarche

@madarche You said the ETA for you back on this PR was 2 weeks in February. Would love to see Node.js binary verification in NVM along with details on how to set it up in the Readme.

Not too experienced with this repo (other than from a user standpoint) but would be happy to try to help in any way possible.

fishcharlie avatar Nov 06 '17 04:11 fishcharlie

@madarche any chance you're interested in completing this PR?

ljharb avatar Sep 29 '21 06:09 ljharb