npm - @dk/hipp - Versions diffs - 0.1.14 → 0.1.16 - Mend

@dk/hipp 0.1.14 → 0.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -99,18 +99,58 @@ npx @dk/hipp verify @dk/your-package[@version]
 ### How Verification Works
-1. **Fetch from npm**: Downloads the package tarball and extracts the manifest
-2. **Fetch from git**: Clones the repository at the tagged commit and extracts the public key
-3. **Hash Verification**: Computes the hash of the git content and compares with the manifest
-4. **Signature Verification**: Verifies the manifest signature using the public key
+**Step 1: Get manifest from npm**
-If both checks pass, you can be certain that:
-- The package contents in npm exactly match the git tag
-- The manifest was signed by the holder of the private key
+1. Fetch the package tarball from npm registry
+2. Extract the README from the tarball
+3. Parse the JSON manifest appended to the README
+The manifest contains:
+```json
+{
+  "origin": "git@github.com:dk/your-package.git",
+  "tag": "v1.0.0",
+  "hash": "<sha256-of-tarball>",
+  "signature": "<base64-ed25519-signature>"
+}
+```
+**Step 2: Clone git and stage**
+4. Clone the repository at the tagged commit (using origin/tag from manifest)
+5. Copy all tracked files to a staging directory
+**Step 3: Verify content integrity**
+6. Run `npm pack` in the staging directory
+7. Compute the SHA256 hash of the resulting tarball
+8. Compare this hash with the `hash` field from the npm manifest
+**If the hashes match**: The npm package exactly matches the git repository at the tagged commit.
+**Step 4: Verify signature authenticity**
+9. Read `hipp.pub` from the cloned repository at the tagged commit
+10. Verify the signature using the public key
+The signature was created by signing: `hash + "\n" + origin + "\n" + tag`
+**If the signature is valid**: The package was published by the holder of the private key matching `hipp.pub`.
+### What Verification Guarantees
+| Check | Guarantees |
+|-------|-----------|
+| **Hash match** | npm package content exactly matches git at the tagged commit |
+| **Signature valid** | Published by holder of the private key matching `hipp.pub` |
+This provides two independent guarantees:
+- **Integrity**: The code in npm is exactly what was in git at the tag
+- **Authenticity**: The publisher controls the private key for `hipp.pub`
 ### Integrity Rules
-HIPP enforces strict integrity rules:
+HIPP enforces strict integrity rules when publishing:
 - `package.json` version must be `0.0.0`
 - `package-lock.json` must exist and be tracked by git
@@ -149,34 +189,11 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
-```json
-{
-  "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.10"
-}
-```
-```npx @dk/hipp @dk/hipp@0.1.10
-```
-<!-- HIPP-META -->
-```json
-{
-  "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.11"
-}
-```
-```npx @dk/hipp @dk/hipp@0.1.11
-```
-<!-- /HIPP-META -->
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.14",
-  "hash": "c2a32be7dbb481c7f9e9444b993616bb1e10d41cf9c0b787642873833ebcc77e",
-  "signature": "RsopqB7L4VWwi1jBmG1dG6L+Zo0ZV7m5k6jfA+KwafViXgWw6KQniJcCs8aqgujarAANd5AzyHBdlWCNoIFzBg=="
+  "tag": "v0.1.16",
+  "hash": "935d7b90b43afd348840645f7fd629054bf50716c317fc41065b2cccf7513680",
+  "signature": "QIM4TZ3kuYv7/z3RZSkVPK74XI1PFyD/XLARR2evDCEwNOt1VlXIPXwaMZFn1kH0gDQxx3PuF73Kokld+dMjBw=="
 }
 ```

package/hipp.js CHANGED Viewed

@@ -160,12 +160,24 @@ function findLastJsonBlock(readmeContent) {
   return lastValid;
 }
-function computeReadmeHash(readmeContent) {
-  const jsonBlock = findLastJsonBlock(readmeContent);
-  if (!jsonBlock) return sha256(readmeContent);
-  const jsonStr = JSON.stringify(jsonBlock, null, 2);
-  const beforeJson = readmeContent.split('```json')[0];
-  return sha256(beforeJson + '```json\n' + jsonStr + '\n```\n');
+function packAndHash(stageDir) {
+  const result = spawnSync('npm', ['pack'], {
+    cwd: stageDir,
+    encoding: 'utf8',
+    stdio: ['pipe', 'pipe', 'pipe'],
+  });
+  if (result.status !== 0) {
+    throw new Error(`npm pack failed: ${result.stderr}`);
+  }
+  const tarballName = result.stdout.trim().split('\n').pop();
+  const tarballPath = path.join(stageDir, tarballName);
+  const tarballContent = fs.readFileSync(tarballPath);
+  fs.unlinkSync(tarballPath);
+  return { tarballName, tarballHash: sha256(tarballContent) };
 }
 function safeStageName(name) {
@@ -484,14 +496,10 @@ async function runVerify(packageSpec) {
       const trackedFiles = getTrackedFilesFromDir(tmpDir);
       copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
-      const stagedReadmePath = path.join(stageDir, 'README.md');
-      if (!fs.existsSync(stagedReadmePath)) {
-        fail(`❌ README.md not found in git at tag ${tag}`);
-      }
+      log.info(`📦 Packing to verify content hash...`);
+      const { tarballHash } = packAndHash(stageDir);
-      const stagedHash = sha256(fs.readFileSync(stagedReadmePath, 'utf8'));
-      if (stagedHash !== npmHash) {
+      if (tarballHash !== npmHash) {
         fail(`❌ Hash mismatch: git content does not match npm manifest`);
       }
@@ -595,10 +603,9 @@ async function run() {
     const { privateKey } = loadOrGenerateKeys();
-    const stagedPkgPath = path.join(stageDir, 'package.json');
-    const stagedPkg = JSON.parse(fs.readFileSync(stagedPkgPath, 'utf8'));
-    stagedPkg.version = version;
-    fs.writeFileSync(stagedPkgPath, JSON.stringify(stagedPkg, null, 2) + '\n');
+    log.info(`📦 Packing to compute content hash...`);
+    const { tarballHash } = packAndHash(stageDir);
+    log.success(`🔒 Content hash: ${tarballHash.slice(0, 12)}...`);
     const stagedReadmePath = path.join(stageDir, 'README.md');
     let stagedReadme = '';
@@ -606,23 +613,24 @@ async function run() {
       stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
     }
-    stagedReadme = stagedReadme.trimEnd() + '\n\n';
-    const readmeHash = sha256(stagedReadme);
-    const dataToSign = buildSignData(readmeHash, provenance.remoteUrl, rawTag);
+    const dataToSign = buildSignData(tarballHash, provenance.remoteUrl, rawTag);
     const signature = signContent(dataToSign, privateKey);
     const manifestJson = {
       origin: provenance.remoteUrl,
       tag: rawTag,
-      hash: readmeHash,
+      hash: tarballHash,
       signature: signature,
     };
-    stagedReadme += '```json\n' + JSON.stringify(manifestJson, null, 2) + '\n```\n';
+    stagedReadme = stagedReadme.trimEnd() + '\n\n```json\n' + JSON.stringify(manifestJson, null, 2) + '\n```\n';
     fs.writeFileSync(stagedReadmePath, stagedReadme);
+    const stagedPkgPath = path.join(stageDir, 'package.json');
+    const stagedPkg = JSON.parse(fs.readFileSync(stagedPkgPath, 'utf8'));
+    stagedPkg.version = version;
+    fs.writeFileSync(stagedPkgPath, JSON.stringify(stagedPkg, null, 2) + '\n');
     log.success('🔏 Manifest signed.');
     log.info('🔥 Ignition...');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {