chore: retrieve npm keys via TUF

Signed-off-by: Brian DeHamer <[email protected]>

Author: bdehamer

DEPENDENCIES.md

@@ -560,6 +560,7 @@ graph LR;
   npm-->text-table;
   npm-->tiny-relative-date;
   npm-->treeverse;
+  npm-->tufjs-repo-mock["@tufjs/repo-mock"];
   npm-->validate-npm-package-name;
   npm-->which;
   npm-->write-file-atomic;

lib/commands/audit.js

@@ -3,7 +3,9 @@ const fetch = require('npm-registry-fetch')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const npa = require('npm-package-arg')
 const pacote = require('pacote')
+const path = require('path')
 const pMap = require('p-map')
+const { sigstore } = require('sigstore')
 
 const ArboristWorkspaceCmd = require('../arborist-cmd.js')
 const auditError = require('../utils/audit-error.js')
@@ -188,19 +190,42 @@ class VerifySignatures {
   }
 
   async setKeys ({ registry }) {
-    const keys = await fetch.json('/-/npm/v1/keys', {
-      ...this.npm.flatOptions,
-      registry,
-    }).then(({ keys: ks }) => ks.map((key) => ({
-      ...key,
-      pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
-    }))).catch(err => {
-      if (err.code === 'E404' || err.code === 'E400') {
-        return null
-      } else {
-        throw err
-      }
-    })
+    const { host, pathname } = new URL(registry)
+    // Strip any trailing slashes from pathname
+    const regKey = `${host}${pathname.replace(/\/$/, '')}/keys.json`
+    const tufCachePath = path.join(this.npm.cache, '_tuf')
+    let keys = await sigstore.tuf.getTarget(regKey, { tufCachePath })
+      .then((target) => JSON.parse(target))
+      .then(({ keys: ks }) => ks.map((key) => ({
+        ...key,
+        keyid: key.keyId,
+        pemkey: `-----BEGIN PUBLIC KEY-----\n${key.publicKey.rawBytes}\n-----END PUBLIC KEY-----`,
+        expires: key.publicKey.validFor.end || null,
+      }))).catch(err => {
+        if (err.code === 'TUF_FIND_TARGET_ERROR') {
+          return null
+        } else {
+          throw err
+        }
+      })
+
+    // If keys not found in Sigstore TUF repo, fallback to registry keys API
+    if (!keys) {
+      keys = await fetch.json('/-/npm/v1/keys', {
+        ...this.npm.flatOptions,
+        registry,
+      }).then(({ keys: ks }) => ks.map((key) => ({
+        ...key,
+        pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
+      }))).catch(err => {
+        if (err.code === 'E404' || err.code === 'E400') {
+          return null
+        } else {
+          throw err
+        }
+      })
+    }
+
     if (keys) {
       this.keys.set(registry, keys)
     }

package-lock.json

@@ -66,6 +66,7 @@
         "read-package-json",
         "read-package-json-fast",
         "semver",
+        "sigstore",
         "ssri",
         "tar",
         "text-table",
@@ -163,6 +164,7 @@
         "@npmcli/mock-registry": "^1.0.0",
         "@npmcli/promise-spawn": "^6.0.2",
         "@npmcli/template-oss": "4.12.1",
+        "@tufjs/repo-mock": "^1.3.0",
         "licensee": "^10.0.0",
         "nock": "^13.3.0",
         "npm-packlist": "^7.0.4",
@@ -2555,6 +2557,19 @@
         "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
+    "node_modules/@tufjs/repo-mock": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@tufjs/repo-mock/-/repo-mock-1.3.0.tgz",
+      "integrity": "sha512-R2bQ5t9FeZ9qAZuWHg/E/8ixllTI1/fEzJSuVdDo4a9SGfm5wNbUICT7n9Pl9AQCsAkw6evRjLQ/JUwueijTvA==",
+      "dev": true,
+      "dependencies": {
+        "@tufjs/models": "1.0.3",
+        "nock": "^13.3.1"
+      },
+      "engines": {
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+      }
+    },
     "node_modules/@types/debug": {
       "version": "4.1.7",
       "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.7.tgz",
@@ -8831,9 +8846,9 @@
       "dev": true
     },
     "node_modules/nock": {
-      "version": "13.3.0",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.0.tgz",
-      "integrity": "sha512-HHqYQ6mBeiMc+N038w8LkMpDCRquCHWeNmN3v6645P3NhN2+qXOBqvPqo7Rt1VyCMzKhJ733wZqw5B7cQVFNPg==",
+      "version": "13.3.1",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.1.tgz",
+      "integrity": "sha512-vHnopocZuI93p2ccivFyGuUfzjq2fxNyNurp7816mlT5V5HF4SzXu8lvLrVzBbNqzs+ODooZ6OksuSUNM7Njkw==",
       "dev": true,
       "dependencies": {
         "debug": "^4.1.0",

package.json

@@ -197,6 +197,7 @@
     "@npmcli/mock-registry": "^1.0.0",
     "@npmcli/promise-spawn": "^6.0.2",
     "@npmcli/template-oss": "4.12.1",
+    "@tufjs/repo-mock": "^1.3.0",
     "licensee": "^10.0.0",
     "nock": "^13.3.0",
     "npm-packlist": "^7.0.4",

tap-snapshots/test/lib/commands/audit.js.test.cjs

@@ -175,6 +175,20 @@ audited 1 package in xxx
 
 `
 
+exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with sub-path (trailing slash) > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with sub-path > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
 exports[`test/lib/commands/audit.js TAP audit signatures with both invalid and missing signatures > must match snapshot 1`] = `
 audited 2 packages in xxx
 
@@ -230,6 +244,13 @@ Someone might have tampered with this package since it was published on the regi
 
 `
 
+exports[`test/lib/commands/audit.js TAP audit signatures with key fallback to legacy API > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
 exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
 audited 1 package in xxx