示例 NPM 包元数据 JSON 如下所示(dist
移向顶部):
{
"name": "lodash",
"version": "4.17.21",
"description": "Lodash modular utilities.",
"dist": {
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
"shasum": "679591c564c3bffaae8454cf0b3df370c3d6911c",
"tarball": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"fileCount": 1054,
"unpackedSize": 1412415,
"npm-signature": "-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.13\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJgMS3ZCRA9TVsSAnZWagAA8+4P/jx+SJ6Ue5oAJjz0L7gw\nLDD5YvP8aoliFq4GYkwUXfVQvOwomIPfa+U5Kao/hDfuwFQ/Bq5D5nSsl2bj\nrjJgvlKXna0SId8AgDgY2fB7zSfninuJvalY4iTWMN8DFSpG0XE2QFfoKpd3\njDmuzcNtgr79QV6DgjOVkHiP1IGNDlLTc1QEKiwo/5CdGQi1q/iCj6dViQMJ\nByuuuV2Qzi3f/FI25cG797WZar1MHhhlcnB50HiVBGp54IZOyuqdqWPduZQo\nvhONtonxPGBm3/J+uAkeUSSyL3Ud+FzLvdg8WEI9gDL0yvU4k0FcsnOONEYn\nngLaKEsw2xAnPBYW3Lf73Jnpwx6FAT3k49kgzxiNYSxEo7x4wiuNtBoDMyNw\nEKj6SZ0bUNmaJgiMfDnnDjCKjI3JrO1hho8z6CkwuvxuWLlW9wSsVayggzAI\nEhfeTeISugVHh332oDY2MI/Ysu8MnVN8fGmqeYQBBFj3aWatuA2NvVjACnX/\n54G7FtCU8TxZpm9shFRSopBx8PeI3r+icx1CT8YVFypY416PLnidHyqtME1G\neuRd1nWEz18hvVUAEHmuvHo+EPP3tITmTTUPQcZGMdBcZC+4UBmPMWX466HE\nbHw4aOnUWMa0sWfsERC5xzRZAb4lgMPEoTOnZyN4usMy7x9TzGZKZvU24HUE\nmpae\r\n=NOmG\r\n-----END PGP SIGNATURE-----\r\n",
"signatures": [
{
"keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
"sig": "MEUCIF3Yithbtmy1aEBNlfNWbLswAfPIyQUuNUGARD3Ex2t4AiEA6TlN2ZKJCUpS/Sf2Z6MduF1BNSvayHIpu5wAcICcKXw="
}
]
},
"keywords": [
"modules",
"stdlib",
"util"
],
"homepage": "https://lodash.com/",
"repository": {
"type": "git",
"url": "git+https://github.com/lodash/lodash.git"
},
"icon": "https://lodash.com/icon.svg",
"license": "MIT",
"main": "lodash.js",
"author": {
"name": "John-David Dalton",
"email": "[email protected]"
},
"contributors": [
{
"name": "John-David Dalton",
"email": "[email protected]"
},
{
"name": "Mathias Bynens",
"email": "[email protected]"
}
],
"scripts": {
"test": "echo \"See https://travis-ci.org/lodash-archive/lodash-cli for testing details.\""
},
"gitHead": "c6e281b878b315c7a10d90f9c2af4cdb112d9625",
"bugs": {
"url": "https://github.com/lodash/lodash/issues"
},
"_id": "[email protected]",
"_nodeVersion": "14.15.5",
"_npmVersion": "6.14.11",
"_npmUser": {
"name": "bnjmnt4n",
"email": "[email protected]"
},
"directories": {
},
"maintainers": [
{
"name": "mathias",
"email": "[email protected]"
},
{
"name": "jdalton",
"email": "[email protected]"
},
{
"name": "bnjmnt4n",
"email": "[email protected]"
}
],
"_npmOperationalInternal": {
"host": "s3://npm-registry-packages",
"tmp": "tmp/lodash_4.17.21_1613835736675_0.01913912595366596"
},
"_hasShrinkwrap": false
}
以下是我与 3 个领域相关的问题:
dist.shasum:据说这是 tarball(CLI 命令)的
shasum <tarball>,使用 SHA-1。
dist.integrity:ChatGPT 说(我认为...)这与
shasum具有相同的目的,但“更安全”(因为有时它使用 SHA-256 或 SHA-512 编码。但是什么是
dist.shasum和
dist.integrity的真正区别或原因吗?您需要检查两者吗?
dist.signatures[*].sig:这个签名有什么作用?你如何使用它? ChatGPT 似乎说这是使用公钥进行测试的,但是谁拥有密钥的哪一面,何时使用?你什么时候/为什么会有多个?
dist.npm-signature
与上述三件事有何关系?
https://blog.npmjs.org/post/172999548390/new-pgp-machinery似乎有您正在寻找的答案,特别是
和
shasum是文件的 SHA-1 和。我们根据子资源完整性规范,用integrity字段补充了这一点,以允许我们迁移到不同的哈希算法
但是,上面的 shasums 并不能防止中间人攻击。 […] 我们为您提供了一种通过对包完整性字段以及唯一标识包版本的一些数据进行签名来检测此类篡改的方法。 […] 注册中心为发布的每个新软件包版本签署以下数据:然后
<package>@<version>:<integrity>。 [...] 分离的签名存储在npm-signature中的dist字段中。
https://docs.npmjs.com/about-registry-signatures 说
公共 npm 注册表正在从现有的 PGP 签名(已于 2023 年 4 月 25 日弃用)迁移到更紧凑的 ECDSA 签名,并且无需在
npmCLI 中进行额外依赖即可进行验证。 […] 签名在dist对象内的每个已发布版本的包中提供。