@dk/hipp 0.1.29 → 0.1.31

package/README.md

@@ -93,6 +93,17 @@ with their original keys.
 **Multiple publishers**: Each developer can use their own private key. Delete
 `hipp.pub`, run HIPP, and a new keypair will be generated for that revision.
 
+### Why This Works
+
+The public key in `hipp.pub` is committed to git at the specific revision of
+each release. Verification always uses the key from that historical revision,
+not a current one. This means:
+
+- You don't need to retain your private key — once published, past releases are
+  verifiable from the git history alone
+- A compromised private key can only sign future releases, not forge past ones
+- Multiple publishers work naturally because each release is self-contained
+
 ### Options
 
 * `-y, --yes`: Skip the confirmation prompt (ideal for CI/CD pipelines).
@@ -135,6 +146,7 @@ The manifest contains:
   "email": "jane@example.com",
   "npm": "10.2.4",
   "node": "v20.11.0",
+  "git": "2.34.1",
   "hipp": "0.1.22"
 }
 ```
@@ -241,20 +253,21 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.29
+npx @dk/hipp verify @dk/hipp@0.1.31
 ```
 
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.29",
-  "revision": "33bc07a3b6621daa7220a3febde75ef5d3416518",
-  "hash": "af235d18cbc26f9bff5dac57a101b9722687dc7d8360c590aa81c96e23178654",
-  "signature": "Q5UmtBUV1DbII/oNmFcnWXzyLXndcVCGxpy4kKsnSHs+YZYyt69qg71fhHR+uy9ggzBCi3sc3nwtbEHEX+TXBg==",
+  "tag": "v0.1.31",
+  "revision": "270b281d7bf0e908b7c267fb87f9f68e3dc2be86",
+  "hash": "1085bdf7d5774cae5d64236a18e95c95c8d2d198ae22e9f8cfa2c10afd0fe57b",
+  "signature": "mPj1cIun7czw0TQmsWkq/HEq7O+ZdTUQrMhTRZ8Cm4Z23dYu/G/m/itzyC2x/kBRVW+8h+m399acusrSArCzBA==",
   "name": "Dmytri Kleiner",
   "email": "dev@dmytri.to",
   "npm": "11.12.1",
   "node": "v25.8.2",
-  "hipp": "0.1.29"
+  "git": "git version 2.47.3",
+  "hipp": "0.1.31"
 }
 ```

package/hipp.js

@@ -483,12 +483,20 @@ async function runVerify(packageSpec) {
       fail(`❌ Manifest not found or invalid in README`);
     }
 
-    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer, hipp: hippVer } = manifest;
+    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer, hipp: hippVer, git: gitVer } = manifest;
 
     log.info(`🌿 Cloning git origin at tag ${tag}...`);
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
     const stageDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-stage-`));
 
+    const results = {
+      revision: false,
+      pub: false,
+      signature: false,
+      manifestHash: false,
+      rebuild: false,
+    };
+
     try {
       let cloneResult;
       try {
@@ -505,81 +513,112 @@ async function runVerify(packageSpec) {
 
       const clonedRevision = git(['rev-parse', 'HEAD'], { cwd: tmpDir });
       if (clonedRevision !== revision) {
-        fail(`❌ Revision mismatch: manifest claims ${revision.slice(0, 12)} but tag points to ${clonedRevision.slice(0, 12)}`);
+        log.error(`❌ Revision mismatch: manifest ${revision.slice(0, 12)} != cloned ${clonedRevision.slice(0, 12)}`);
+      } else {
+        log.success(`🏷️  Revision verified: ${revision.slice(0, 12)}...`);
+        results.revision = true;
       }
-      log.success(`🏷️  Revision verified: ${revision.slice(0, 12)}...`);
 
       const publicKeyPath = path.join(tmpDir, 'hipp.pub');
       if (!fs.existsSync(publicKeyPath)) {
-        fail(`❌ hipp.pub not found in git at tag ${tag}`);
-      }
+        log.error(`❌ hipp.pub not found in git at tag ${tag}`);
+      } else {
+        const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
 
-      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
+        log.info(`🔑 Public key: hipp.pub from git@rev ${revision.slice(0, 12)} at tag ${tag}`);
 
-      log.info(`🏗️  Staging git files...`);
-      const trackedFiles = getTrackedFilesFromDir(tmpDir);
-      copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
+        log.info(`🏗️  Staging git files...`);
+        const trackedFiles = getTrackedFilesFromDir(tmpDir);
+        copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
 
-      log.info(`📦 Packing clean git files...`);
-      const { tarballHash: cleanHash } = packAndHash(stageDir);
-      log.success(`📦 Clean hash: ${cleanHash.slice(0, 12)}...`);
+        log.info(`📦 Packing clean git files...`);
+        const { tarballHash: cleanHash } = packAndHash(stageDir);
+        log.success(`📦 Clean hash: ${cleanHash.slice(0, 12)}...`);
 
-      log.info(`🔍 Check 2: Verifying manifest hash...`);
-      if (cleanHash !== manifest.hash) {
-        fail(`❌ Manifest hash mismatch: clean git tarball does not match manifest`);
-      }
-      log.success(`🔒 Manifest hash verified`);
+        log.info(`🔍 Check 2: Verifying manifest hash...`);
+        if (cleanHash !== manifest.hash) {
+          log.error(`❌ Manifest hash mismatch: clean ${cleanHash.slice(0, 12)} != manifest ${manifest.hash.slice(0, 12)}`);
+        } else {
+          log.success(`🔒 Manifest hash verified`);
+          results.manifestHash = true;
+        }
 
-      log.info(`🔍 Check 1: Verifying signature...`);
-      const signData = buildSignData(manifest.hash, originUrl, tag, revision, name, email);
-      const signatureValid = verifySignature(signData, signature, publicKey);
-      if (!signatureValid) {
-        fail(`❌ Signature verification failed`);
-      }
-      log.success(`🔏 Signature verified`);
-
-      log.info(`🔍 Check 3: Rebuilding from source...`);
-      const stagedReadmePath = path.join(stageDir, 'README.md');
-      let stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
-      const tagVersion = semver.clean(tag);
-      if (!tagVersion) {
-        fail(`❌ Tag ${tag} is not valid semver`);
-      }
-      stagedReadme = stagedReadme.trimEnd() + '\n\n## Verify\n\n' +
-        'Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):\n\n' +
-        '```bash\n' +
-        `npx @dk/hipp verify ${pkgName}@${tagVersion}\n` +
-        '```\n\n' +
-        '```json\n' + JSON.stringify(manifest, null, 2) + '\n```\n';
-      fs.writeFileSync(stagedReadmePath, stagedReadme);
-
-      const stagedPkgPath = path.join(stageDir, 'package.json');
-      const stagedPkg = JSON.parse(fs.readFileSync(stagedPkgPath, 'utf8'));
-      stagedPkg.version = tagVersion;
-      fs.writeFileSync(stagedPkgPath, JSON.stringify(stagedPkg, null, 2) + '\n');
-
-      const { tarballHash: rebuildHash } = packAndHash(stageDir);
-      log.success(`📦 Rebuild hash: ${rebuildHash.slice(0, 12)}...`);
-
-      if (rebuildHash !== npmHash) {
-        log.error(`❌ Rebuild mismatch!`);
-        log.error(`   NPM tarball:  ${npmHash}`);
-        log.error(`   Git rebuild:  ${rebuildHash}`);
-        fail(`❌ Package integrity compromised`);
+        log.info(`🔍 Check 1: Verifying signature...`);
+        const signData = buildSignData(manifest.hash, originUrl, tag, revision, name, email);
+        const signatureValid = verifySignature(signData, signature, publicKey);
+        if (!signatureValid) {
+          log.error(`❌ Signature verification failed`);
+        } else {
+          log.success(`🔏 Signature verified`);
+          results.signature = true;
+          results.pub = true;
+        }
+
+        log.info(`🔍 Check 3: Rebuilding from source...`);
+        const stagedReadmePath = path.join(stageDir, 'README.md');
+        let stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
+        const tagVersion = semver.clean(tag);
+        if (!tagVersion) {
+          log.error(`❌ Tag ${tag} is not valid semver`);
+        }
+        stagedReadme = stagedReadme.trimEnd() + '\n\n## Verify\n\n' +
+          'Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):\n\n' +
+          '```bash\n' +
+          `npx @dk/hipp verify ${pkgName}@${tagVersion}\n` +
+          '```\n\n' +
+          '```json\n' + JSON.stringify(manifest, null, 2) + '\n```\n';
+        fs.writeFileSync(stagedReadmePath, stagedReadme);
+
+        const stagedPkgPath = path.join(stageDir, 'package.json');
+        const stagedPkg = JSON.parse(fs.readFileSync(stagedPkgPath, 'utf8'));
+        stagedPkg.version = tagVersion;
+        fs.writeFileSync(stagedPkgPath, JSON.stringify(stagedPkg, null, 2) + '\n');
+
+        const { tarballHash: rebuildHash } = packAndHash(stageDir);
+        log.success(`📦 Rebuild hash: ${rebuildHash.slice(0, 12)}...`);
+
+        if (rebuildHash !== npmHash) {
+          log.error(`❌ Rebuild mismatch: rebuild ${rebuildHash.slice(0, 12)} != npm ${npmHash.slice(0, 12)}`);
+        } else {
+          log.success(`🔄 Rebuild verified`);
+          results.rebuild = true;
+        }
       }
-      log.success(`🔄 Rebuild verified`);
-
-      log.success(`✅ Verified: all checks passed`);
-      log.info(`📍 Publisher: ${name} <${email}>`);
-      log.info(`📍 Origin: ${originUrl}`);
-      log.info(`📍 Tag: ${tag}`);
-      if (npmVer || nodeVer || hippVer) {
-        const parts = [];
-        const displayHipp = hippVer === '0.0.0' ? tagVersion : hippVer;
-        if (hippVer) parts.push(`hipp: ${displayHipp}`);
-        if (npmVer) parts.push(`npm: ${npmVer}`);
-        if (nodeVer) parts.push(`node: ${nodeVer}`);
-        log.info(`ℹ️  ${parts.join(' | ')}`);
+
+      const allPassed = results.revision && results.pub && results.signature && results.manifestHash && results.rebuild;
+
+      if (allPassed) {
+        log.success(`\n✅ Verified: all checks passed`);
+        log.info(`📍 Publisher: ${name} <${email}>`);
+        log.info(`📍 Origin: ${originUrl}`);
+        log.info(`📍 Tag: ${tag}`);
+        if (npmVer || nodeVer || hippVer || gitVer) {
+          const parts = [];
+          const displayHipp = hippVer === '0.0.0' ? tagVersion : hippVer;
+          if (hippVer) parts.push(`hipp: ${displayHipp}`);
+          if (npmVer) parts.push(`npm: ${npmVer}`);
+          if (nodeVer) parts.push(`node: ${nodeVer}`);
+          if (gitVer) parts.push(`git: ${gitVer}`);
+          log.info(`ℹ️  ${parts.join(' | ')}`);
+        }
+        log.info(`\nThis proves npm matches git. It does NOT prove:`);
+        log.info(`  - The code is safe or bug-free`);
+        log.info(`  - The publisher is trustworthy`);
+        log.info(`  - The name/email is accurate`);
+      } else {
+        log.error(`\n❌ Verification failed.`);
+        if (results.revision && results.pub && results.signature) {
+          log.info(`\nRevision and signature verified. This failure may be due to tool`);
+          log.info(`version differences between publishing and verification environments.`);
+          if (npmVer || nodeVer || hippVer || gitVer) {
+            log.info(`\nPublished with: ${[
+              hippVer && `hipp: ${hippVer}`,
+              npmVer && `npm: ${npmVer}`,
+              nodeVer && `node: ${nodeVer}`,
+              gitVer && `git: ${gitVer}`,
+            ].filter(Boolean).join(' | ')}`);
+          }
+        }
       }
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
@@ -682,6 +721,7 @@ async function run() {
     const revision = refInfo.head;
     const npmVersion = runCmd('npm', ['--version']).stdout.trim();
     const nodeVersion = process.version;
+    const gitVersion = runCmd('git', ['--version']).stdout.trim();
     const hippPkgPath = path.join(path.dirname(process.argv[1]), 'package.json');
     const hippPkg = JSON.parse(fs.readFileSync(hippPkgPath, 'utf8'));
     const hippVersion = hippPkg.version === '0.0.0' ? version : hippPkg.version;
@@ -699,6 +739,7 @@ async function run() {
       email: email,
       npm: npmVersion,
       node: nodeVersion,
+      git: gitVersion,
       hipp: hippVersion,
     };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {