npm - @dk/hipp - Versions diffs - 0.1.19 → 0.1.20 - Mend

@dk/hipp 0.1.19 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -109,32 +109,36 @@ The manifest contains:
 {
   "origin": "git@github.com:dk/your-package.git",
   "tag": "v1.0.0",
+  "revision": "<git-commit-hash>",
   "hash": "<sha256-of-tarball>",
   "signature": "<base64-ed25519-signature>",
   "name": "Jane Developer",
-  "email": "jane@example.com"
+  "email": "jane@example.com",
+  "npm": "10.2.4",
+  "node": "v20.11.0"
 }
 ```
 **Step 2: Clone git and verify**
 3. Clone the repository at the tagged commit (using origin/tag from manifest)
-4. Stage all tracked files
-5. Run `npm pack` to create a tarball
-6. Compute SHA256 hash of the clean tarball
-7. Compare with the `hash` field from the npm manifest
+4. Verify the cloned commit hash matches the `revision` field in manifest
+5. Stage all tracked files
+6. Run `npm pack` to create a tarball
+7. Compute SHA256 hash of the clean tarball
+8. Compare with the `hash` field from the npm manifest
 **Step 3: Verify signature**
-8. Read `hipp.pub` from the cloned repository
-9. Verify the signature was created by signing:
-   `hash + "\n" + origin + "\n" + tag + "\n" + name + "\n" + email`
+9. Read `hipp.pub` from the cloned repository
+10. Verify the signature was created by signing:
+    `hash + "\n" + origin + "\n" + tag + "\n" + revision + "\n" + name + "\n" + email`
 **Step 4: Rebuild verification**
-10. Append the manifest to the staged README
-11. Update the staged `package.json` version to match the tag
-12. Run `npm pack` again and verify the hash matches the npm tarball
+11. Append the manifest to the staged README
+12. Update the staged `package.json` version to match the tag
+13. Run `npm pack` again and verify the hash matches the npm tarball
 ### Three Verification Checks
@@ -216,16 +220,19 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.19
+npx @dk/hipp verify @dk/hipp@0.1.20
 ```
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.19",
-  "hash": "adcdd07b563c5667d405b36ee1e391710e1baf4ee9434b1fd2f5a11c2acdecf0",
-  "signature": "MdkA4AbDX4ofShqXKJxwWX+x+RWQJU16WpSkFvHU8LihgdIBJbsyNvzIfrjm+3cll2FdR5u3+/dwv+a0rHbUDw==",
+  "tag": "v0.1.20",
+  "revision": "1d5a16d3e837ffd79d4c6704cf1945f6d0b84a60",
+  "hash": "71fe169e31a68c92c249ae2a443a4062dc379b36bf854a290576e7b595ca4e58",
+  "signature": "UpVrjogkhwUyPvGj6bK4vOUj3p9R/JDvuDaupOibXFyK5FibLWzpMwjQWHJa78wYx4D4f/BmAn99J3Xt4icaDg==",
   "name": "Dmytri Kleiner",
-  "email": "dev@dmytri.to"
+  "email": "dev@dmytri.to",
+  "npm": "11.12.1",
+  "node": "v25.8.2"
 }
 ```

package/hipp.js CHANGED Viewed

@@ -121,8 +121,8 @@ function verifySignature(data, signature, publicKey) {
   }, Buffer.from(signature, 'base64'));
 }
-function buildSignData(hash, origin, tag, name, email) {
-  return `${hash}\n${origin}\n${tag}\n${name}\n${email}\n`;
+function buildSignData(hash, origin, tag, revision, name, email) {
+  return `${hash}\n${origin}\n${tag}\n${revision}\n${name}\n${email}\n`;
 }
 function findLastJsonBlock(readmeContent) {
@@ -463,11 +463,11 @@ async function runVerify(packageSpec) {
     const npmReadme = fs.readFileSync(npmReadmePath, 'utf8');
     manifest = findLastJsonBlock(npmReadme);
-    if (!manifest || !manifest.origin || !manifest.tag || !manifest.hash || !manifest.signature || !manifest.name || !manifest.email) {
+    if (!manifest || !manifest.origin || !manifest.tag || !manifest.revision || !manifest.hash || !manifest.signature || !manifest.name || !manifest.email) {
       fail(`❌ Manifest not found or invalid in README`);
     }
-    const { origin: originUrl, tag, signature, name, email } = manifest;
+    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer } = manifest;
     log.info(`🌿 Cloning git origin at tag ${tag}...`);
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
@@ -476,6 +476,12 @@ async function runVerify(packageSpec) {
     try {
       git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
+      const clonedRevision = git(['rev-parse', 'HEAD'], { cwd: tmpDir });
+      if (clonedRevision !== revision) {
+        fail(`❌ Revision mismatch: manifest claims ${revision.slice(0, 12)} but tag points to ${clonedRevision.slice(0, 12)}`);
+      }
+      log.success(`🏷️  Revision verified: ${revision.slice(0, 12)}...`);
       const publicKeyPath = path.join(tmpDir, 'hipp.pub');
       if (!fs.existsSync(publicKeyPath)) {
         fail(`❌ hipp.pub not found in git at tag ${tag}`);
@@ -498,7 +504,7 @@ async function runVerify(packageSpec) {
       log.success(`🔒 Manifest hash verified`);
       log.info(`🔍 Check 1: Verifying signature...`);
-      const signData = buildSignData(manifest.hash, originUrl, tag, name, email);
+      const signData = buildSignData(manifest.hash, originUrl, tag, revision, name, email);
       const signatureValid = verifySignature(signData, signature, publicKey);
       if (!signatureValid) {
         fail(`❌ Signature verification failed`);
@@ -540,6 +546,9 @@ async function runVerify(packageSpec) {
       log.info(`📍 Publisher: ${name} <${email}>`);
       log.info(`📍 Origin: ${originUrl}`);
       log.info(`📍 Tag: ${tag}`);
+      if (npmVer && nodeVer) {
+        log.info(`ℹ️  npm: ${npmVer} | node: ${nodeVer}`);
+      }
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
       fs.rmSync(stageDir, { recursive: true, force: true });
@@ -638,16 +647,22 @@ async function run() {
     }
     const { name, email } = getGitUserInfo();
-    const dataToSign = buildSignData(tarballHash, provenance.remoteUrl, rawTag, name, email);
+    const revision = refInfo.head;
+    const npmVersion = runCmd('npm', ['--version']).stdout.trim();
+    const nodeVersion = process.version;
+    const dataToSign = buildSignData(tarballHash, provenance.remoteUrl, rawTag, revision, name, email);
     const signature = signContent(dataToSign, privateKey);
     const manifestJson = {
       origin: provenance.remoteUrl,
       tag: rawTag,
+      revision: revision,
       hash: tarballHash,
       signature: signature,
       name: name,
       email: email,
+      npm: npmVersion,
+      node: nodeVersion,
     };
     stagedReadme = stagedReadme.trimEnd() + '\n\n## Verify\n\n' +

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {